January 31, 2003

Keeping up with the Jones

I don't know how much I believe these things... but keeping up with the Jones here is my personality rating:

My personality is rated 33.
What is yours?

Posted by SilverStr at 08:03 PM

January 28, 2003

Getting Slammed with SQL Slammer

Well now, this weekend was interesting. It is sad to say, but with the propagation of the SQL Slammer worm this weekend, my business got a huge boost this afternoon. I can't say much about it right now, but I would love to share a small part of it.

The new company I founded this year has a product which... point blank.... stopped the SQL Slammer worm cold. In my small test environment (mostly VMware unfortunately) a vulnerable SQL server gets nailed by the worm, and then quarantines itself and eliminates the propagation. How it does this is by significantly reducing the speed of propagation of network-based viruses and worms, and in many cases preventing the propagation completely. It does this in a few ways.

  1. Firstly, it monitors corporate security policies to ensure compliance and containment. Knowing that a SQL server should never call the operating system function to open a socket and connect in this manner (the actual propagation itself) the access control mechanisms block the call, eliminating the ability to open the socket.
  2. Secondly, if for some odd reason the security policy allowed this operation, the worm would be significantly slowed down since all new unknown connections are queued. Most worms start scanning and finding more vulnerable hosts like the plague. As such, a single host trying to go outbound may have 10s to 100s of concurrent connection attempts (which means 10s to 100s of half-open sockets). The security software can detect this, and queue the connections and slow down the attempts. In this way... instead of being able to infect 100s of machines in a matter of minutes... in many cases older connections simply time out and die. (gotta love sock opts timeouts). By RFC specs TCP can self-regulate, so valid connections will try again and requeue. However the worm moves on to newer targets. Of course by this time, the queue triggers an event to alert the admin... who can manually quarantine the infected host or apply other security measures to limit the propagation. And.. it doesn't significantly impact clean, valid connections.
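As an added illustration of the queuing idea in point 2 (constructed example code, not the product described in this post): a per-host throttle that admits connections to destinations the host has already talked to, queues first-contact connections and releases one per tick, expires entries that wait past a timeout, and raises an alert once the queue depth exceeds a threshold. The addresses, tick units and thresholds are assumptions chosen for the example.

```python
"""Simplified model of the connection-queuing behaviour described above.

Constructed example, not the product's code: a per-host throttle that admits
connections to destinations the host has talked to before, queues first-contact
connections and releases them slowly, expires queued entries that wait too long,
and alerts the administrator when the queue depth looks like worm fan-out.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HostThrottle:
    release_per_tick: int = 1   # first-contact connections released per tick
    timeout: int = 5            # ticks a queued attempt may wait before it is dropped
    alert_depth: int = 10       # queue depth at which the admin is alerted
    known: set = field(default_factory=set)       # destinations already contacted
    queue: deque = field(default_factory=deque)   # (dst, tick_enqueued), FIFO
    admitted: list = field(default_factory=list)  # (dst, tick_admitted)
    dropped: int = 0
    alerted: bool = False

    def attempt(self, dst: str, now: int) -> str:
        """Classify one outbound connection attempt from this host."""
        if dst in self.known:
            # A destination the host normally talks to: let it through at once.
            self.admitted.append((dst, now))
            return "admitted"
        # Unknown destination: hold it in the queue instead of opening the socket.
        self.queue.append((dst, now))
        if len(self.queue) > self.alert_depth:
            # Far more first-contact attempts than a user generates: flag the host.
            self.alerted = True
        return "queued"

    def tick(self, now: int) -> None:
        """Advance time: expire stale queued attempts, then release a few."""
        while self.queue and now - self.queue[0][1] >= self.timeout:
            # The peer's connect() would have timed out by now; drop it.
            self.queue.popleft()
            self.dropped += 1
        for _ in range(self.release_per_tick):
            if not self.queue:
                break
            dst, _enqueued = self.queue.popleft()
            self.known.add(dst)          # later attempts to dst are admitted directly
            self.admitted.append((dst, now))


def simulate(throttle: HostThrottle, attempts, duration: int) -> dict:
    """Drive a throttle with (tick, dst) attempts and summarise the outcome."""
    by_tick: dict = {}
    for t, dst in attempts:
        by_tick.setdefault(t, []).append(dst)
    counts = {"admitted": 0, "queued": 0}
    for now in range(duration):
        for dst in by_tick.get(now, []):
            counts[throttle.attempt(dst, now)] += 1
        throttle.tick(now)
    return {
        "immediate": counts["admitted"],      # admitted without queuing
        "queued": counts["queued"],           # held at first contact
        "admitted_total": len(throttle.admitted),
        "dropped": throttle.dropped,
        "alerted": throttle.alerted,
    }


# Constructed workloads (tick, destination).  A workstation talks to a handful
# of servers repeatedly; a Slammer-style host fires at 60 fresh addresses at once.
WORKSTATION_ATTEMPTS = [
    (0, "10.0.0.5"), (0, "10.0.0.6"), (2, "10.0.0.5"),
    (3, "10.0.0.7"), (6, "10.0.0.6"), (8, "10.0.0.5"),
]
WORM_ATTEMPTS = [(0, f"10.1.0.{i}") for i in range(60)]


def run_workstation() -> dict:
    return simulate(HostThrottle(), WORKSTATION_ATTEMPTS, duration=10)


def run_worm() -> dict:
    return simulate(HostThrottle(), WORM_ATTEMPTS, duration=10)


if __name__ == "__main__":
    print("workstation:", run_workstation())
    print("worm host:  ", run_worm())
```

The workstation's six attempts all go through (three of them after a one-tick hold), while the scanning host gets only five connections out before the rest expire and the queue depth has already raised the alert.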

And to think... this is just a side effect of what the security software does. In other words the software I am writing by default significantly reduces these sorts of risks because of its own intelligence in enforcing security policy characteristics across the network. Even though a vulnerability exists, if the central policy server knows how the network is supposed to act, it can enforce unknown conditions by using a "least privilege" policy from the get go. Yet I didn't actually go write an anti-virogen system. Man am I pumped.

Top that off with the fact some of the players I have been talking to in the last two weeks called this afternoon to say they are onside for a more technical review as they themselves have now been "slammed", and they can now see where my solution can seriously mitigate their risks.... I am feeling quite happy. So now I am in overdrive. I finished the business plan this weekend which means all the corporate documents are complete, hold that to the cash flow model which I just started working on. I will get to that after I finish up on something I have in the debugger right now. With all this talk about the SQL Slammer I think I will go write a business case to explain how my software would benefit an organization in a practical example that is fresh in everyone's mind. I bet the CIBC would have loved to have stopped the Slammer... since it killed their ATM systems and Interac completely for the weekend. Hmmmmm that just gave me a thought.... gotta go. TTYL

Posted by SilverStr at 08:01 PM

January 23, 2003

QA Security Testing

In my quest for designing strong QA tools and tests for security testing, I came across a really sweet tool to help out. Cenzic has a product out called HailStorm that is an automated security quality assurance system for complex environments. I know Greg from his old days at Tripwire and didn't realize he did a new start up to do this. Assuming I don't need a second mortgage to get the thing, I am seriously considering putting HailStorm into my build environment. Only time will tell if that will happen.

Even with that tool, I expect to continue to build up an arsenal of security tests in Perl to help out. Whenever I get a chance, I will end up putting that online for everyone to use. Can help us all out.

Had a great sushi lunch with Arcterex today. Reminds me of the old days of everyone going together. We will need to make a point of all getting hooked up to do a sushi lunch. If you are interested, let me know.

Right now I am working on my business plan. Should have it done by next week and basically rounds out all the core documentation needed to be done. Next will be following the plan and really get moving on delivering product. Should be fun to get absorbed in development again. I still haven't figured out which tools I am going to use (C# vs. MFC/C++) for the UI. I am wrestling with the familiarity of C++ for speed and the new security features that C# offers. Not an easy decision. I still need to weigh the languages accordingly to determine which will cause more "issues" for expansion in the future. Right now I am still undecided.

MS Word beckons me. Clippy is screaming that he is lonely. I better get back at it. TTYL

Posted by SilverStr at 07:52 PM

January 16, 2003

I beat the trials!

I DID IT! I made it through the course with no faults. But the damn game is doing something weird. It's not showing the score in the scoreboard. I got like 4 5's (1 fault) in a row and then I lucked out (and I do mean lucked out... I left the screen upside down and it still let me win... go figure). I know I got 0, but I want the scoreboard to REMEMBER it. I wonder if there is a bug in there that if you don't hit space it does something funky.

I send my wishes to Solas. Whenever he uses crypto for a message something is up, and it's never good. Hopefully the gods of wrath will look well upon their brother Solas and send firebolts up the arse of the offending idiot(s).

I just noticed I kept raskal up. Good! :P You made me sit there for like an hour trying to play that damn thing. We gotta get you up and running on Urban Terror (UT) dude so we can at least SEE each other (in the cross hairs at least) when competing. :)

I am almost done the threat modelling stuff. It's hard to take something I just know and expect others to get it when some of the people have never even THOUGHT about security before the seminar. Bright minds coming though, so it shouldn't be TOO hard. Trying to find entertaining example(s) is what seems to have bogged me down. I thought about threat modelling a pr0n server, then realized we probably would not get off the subject and quickly scrapped the idea. OK, so maybe it was just a passing thought... but it was still funny. (To me at least)

Watched Starsearch last night on TV. Man some talented people out there. The funniest part though wasn't the comedians... it was the look of disgust on the contestants' faces as they got ridiculed by the judges. I wonder if they REALIZE that the camera is pointed at them. Especially the models who lose. Oh how funny that is.

Speaking of funny, I just noticed that my printouts are looking kinda funny. Looks like I need to get some more paper and redo the print job. On that note, I now need to run to Staples and pick up some office supplies. TTYL

Posted by SilverStr at 07:45 PM


Ok, I can't let raskal beat me. I have been averaging around 20 for the Motorcycle trials game that Solas introduced to us. I FINALLY got it done with 5 points (1 fault) with only one wipe out on the stupid first ramp on the second pass. Damn that is an addicting game.

Spent the morning in meetings today. I am setting up a technical advisory board for my company and had a great opportunity today to meet with some of the experts in the Vancouver area that may be helping me out. Should be fun. I love the stress of being grilled about things I may or may not have thought of. Makes it that much more fun when you CAN'T answer a question. When you believe you thought of everything and someone asks you something that blows you away, you know that was a productive session. Now I gotta go plug that hole with an answer. Of course... 5 minutes after leaving the meeting I had the answer pop into my head *grumble, grumble, grumble*

This weekend I am teaching a threat modelling seminar and I still need to go finish the collateral for the seminar. I think I will go do that now. Right after I try to get 0 on the trials and make raskal so angry he has to demolish Cuv's wiki in anger. TTYL

Posted by SilverStr at 07:40 PM

January 14, 2003

Dare Devil Trailer

Just noticed that the new Dare Devil trailer is out. I can't wait to go see that movie. I was a DD fan when I was a kid, and hope they do as good of a job as they did with Spiderman.

Last night got together with the linux crew and spent some time playing around. Arcterex did an AWESOME presentation on software RAID, and Curarack did a pretty good one on Postgres. The presentations should end up online soon over at http://arcterex.net/fvlug/ assuming Arc gets it up. (no pun intended.)

It's 2pm and I still haven't eaten anything yet. I should go do that before I raid the fridge in a weird way just before dinner.

Posted by SilverStr at 07:37 PM | Comments (2)

January 13, 2003

Top 10 Vulnerabilities

Saw an interesting report out today on the top 10 vulnerabilities in Web applications. You can read more about it here. Brings up most of the points I have made with previous entries on security. As a refresher, you might recall:

  1. Never trust user input. Validate everything.
  2. Overflows suck. We have had the same stupid errors since the 1980's. When will we ever learn?
  3. Malicious code injection has to be avoided. In SQL this can be done with stored procedures. When spawning an exec() or system() type call ensure the environment is safe, and the command is properly filtered and formatted. Rule 1 is required as part of this rule.
  4. Trap all error handling. Hell... almost every function has a return code. Check the damn thing!
  5. Great programmer != great cryptographer. Need I say more?
  6. Access control is only as good as the administrator that set it up. You have to know how to configure and run the system in question.
  7. Security testing needs to be part of the test plan. I once heard an interesting comment on this. If the words "buffer overflow test" are not part of your test plan... you need a new test plan. And I agree with that.

What is funny is that none of these vulnerabilities are new. These are all conditions of development that have been issues for generations. The speed of development causes the quality of software, in relation to security, to suffer. It is not acceptable, and we should all learn from this. So start today. Spend one hour and refactor a core piece of your code base. Even that little step can go a long way to building more reliable and secure systems.

Posted by SilverStr at 07:34 PM

BC Politics

Well this weekend was quite interesting for the politics of British Columbia. Seems our Premier enjoyed his holidays a bit much, and in the process of de-stressing from the job in Maui has received a DUI charge. I typically try to stay out of politics since much like lawyers, I could do without them most of the time. BC politics is really bad as mud slinging is the number one pastime, and we get very little done here because of it. Government crawls as scandal after scandal continues to plague anyone who takes office.

Now, I don't want to dilute the gravity of the charge. It was quite STUPID to get behind the wheel of a car after drinking in excess of AT LEAST 10 oz. of alcohol, but it does not deserve the amount of public scrutiny that it seems to be getting right now. He is human. We want to hold politicians to a higher standard than ourselves, and fail to see the human side of what is going on when they aren't. Let's be clear about this, alcoholism is a form of addiction. He should be helped... not hindered. I couldn't believe the blasphemy of Moe Sahoda complaining that Gordon should step down just like Gordon demanded members of the NDP to do when the Liberals were in opposition. How pathetic! Gordon didn't LIE about it. Nor did he try to HIDE it. He came out and apologized immediately. I still haven't heard an apology from the NDP for the conflict of interest issues, the lies and the deceit.

Let's face it. People hate our premier right now because he made hard decisions that affect the economy in a negative way... temporarily. After the YEARS the NDP put us in the hole, it's going to take time to get out of it. It has to get worse, before it can get better. And with this scandal that is going to make it tougher still.

Should Gordon resign? I don't know. Personally I don't think so. I think he should take some time off and investigate if he is an alcoholic and get some help. His family needs counselling and he needs time to reflect on the stupidity of his actions. I will bet he will be harder on himself than any of us could .... constructively.

But let me be clear. The idiocy of reporting about his father being an alcoholic and killing himself was not something to be brought up. If Gordon wanted to explain it, that is his right. Not the media's to blanket it (positively OR negatively) when the real question at hand should be, "Will he still be a good leader?". Problem is that question can't be asked since many people already have a disgust for his leadership before this happened. I am disappointed in his lack of good judgement here, and it has me questioning his judgement as a leader. However this is not a totalitarian regime. It is not Gordon Campbell's government. It is our government, currently run by the Liberals. And for that I do believe it can be led better than the NDP party can run it. And I think Gordon can recover from this, and be the leader of that party, for my government. So get off his back unless you are willing to contribute.

I met the man and had a chance to have a social drink with him when we were on the Team Canada trip to the USA last year. I have a lot of respect for his position in trying to run the government like a business, and can understand how unpopular that makes him. As a business owner myself I know how hard decisions are easily viewed as wrong when the "employees" don't like the direction. Of course in the same vein these same people are quick to criticize, but don't seem to have reasonable answers to fix the problems. Typical for people not in leadership to do. Back from that tangent though, if this was the CEO of Ballard would we be chanting for his resignation? No. So why do it to our premier?

All in all, as normal BC politics go this will haunt Gordon for the rest of his term. Chances of him running again will be quite hard, and if he wants to truly turn this government around he will have to step aside at the next election to allow someone else to carry the ball. What will really suck here is if this incident ruins the Liberals' chance for re-election and has the NDP come back into power and destroy all the work that is trying to be done right now. The Liberals need a chance to complete their work before we will see if the government and our economy can recover in a positive manner. If they lose that chance, god help us all. It will just spiral down to hell in a handbasket. *sigh*

Either way, it's not the government that will turn around the economy. It is business. And on that note... I need to get back to work to continue to build mine. TTYL.

Posted by SilverStr at 07:25 PM | Comments (1)

January 11, 2003

What kind of car are you?

Was digging around through Solas's archive trying to find an old thread about the silliness of living in cold Edmonton and not enjoying it (like living in Vancouver and hating rain... I still can't figure out why I haven't moved) and came across a neat little survey.

I am a sweet little '54 Benz. With the neat gullwing and all.

You are the 1954 Mercedes Benz 300SL.

Take the Which Classic Car Are You? quiz! By JC and Bren.

Oh... and enjoy freezing yer nards off dude. It's a balmy 7 degrees Celsius here. -20 for ya eh. Ouch. :P

Posted by SilverStr at 07:22 PM | Comments (1)

January 08, 2003

Business Plan

You know it's going to be an interesting day when you decide you will print up some docs to catch up on some reading. In my case, the Common Criteria Standard (CCS) version 2.1. Of course... I quickly decided to STOP printing when I noticed that in total it ended up being over 1200 pages long. Man... it is gonna cost me like $50 to print all this up. *sigh*

Functional Design Spec has been sent to all the parties. Had some great feedback (thanks to all who participated). Working now on the technical specification so I keep in focus and keep my objectives clear. From design to delivery... the technical specification is a living document that should be built to guide through the muddied waters of a project.

Speaking of living documents, I have started the business plan. I found a great template from Neal Stephenson's book "Cryptonomicon". It goes something like:

MISSION: At [name of company] it is our conviction that [to do the stuff we want to do] and to increase shareholder value are not merely complementary activities--they are inextricably linked.

PURPOSE: To increase shareholder value by [doing stuff]

EXTREMELY SERIOUS WARNING (printed on a separate page, in red letters on a yellow background): Unless you are as smart as Johann Karl Friedrich Gauss, savvy as a half-blind Calcutta bootblack, tough as General William Tecumseh Sherman, rich as the Queen of England, emotionally resilient as a Red Sox fan, and as generally able to take care of yourself as the average nuclear missile submarine commander, you should never have been allowed near this document. Please dispose of it as you would any piece of high-level radioactive waste and then arrange with a qualified surgeon to amputate your arms at the elbows and gouge your eyes from their sockets. This warning is necessary because once, a hundred years ago, a little old lady in Kentucky put a hundred dollars into a dry goods company which went belly-up and only returned her ninety-nine dollars. Ever since then the government has been on our asses. If you ignore this warning, read on at your peril-- you are dead certain to lose everything you've got and live out your final decades beating back waves of termites in a Mississippi Delta leper colony. Still reading? Great. Now that we've scared off the lightweights, let's get down to business.

EXECUTIVE SUMMARY: We will raise [some money], then [do some stuff] and increase shareholder value. Want details? Read on.

INTRODUCTION: [This trend], which everyone knows about, and [that trend], which is so incredibly arcane that you probably didn't know about it until just now, and [this other trend over here] which might seem, at first blush, to be completely unrelated, when all taken together, lead us to the (proprietary, secret, heavily patented, trademarked, and NDAed) insight that we could increase shareholder value by [doing stuff]. We will need $ [a large number] and after [not too long] we will be able to realize an increase in value to $ [an even larger number], unless [hell freezes over in midsummer].

DETAILS: Phase 1: After taking vows of celibacy and abstinence and forgoing all of our material possessions for homespun robes, we (viz, appended resumes) will move into a modest complex of scavenged refrigerator boxes in the central Gobi Desert, where real estate is so cheap that we are actually being paid to occupy it, thereby enhancing shareholder value even before we have actually done anything. On a daily ration consisting of a handful of uncooked rice and a ladleful of water, we will [begin to do stuff]. Phase 2, 3, 4, . . . , n-1: We will [do more stuff, steadily enhancing shareholder value in the process] unless [the earth is struck by an asteroid a thousand miles in diameter, in which case certain assumptions will have to be readjusted; refer to Spreadsheets 397-413]. Phase n: before the ink on our Nobel Prize certificates is dry, we will confiscate the property of our competitors, including anyone foolish enough to have invested in their pathetic companies. We will sell all of these people into slavery. All proceeds will be redistributed among our shareholders, who will hardly notice, since Spreadsheet 265 demonstrates that, by this time, the company will be larger than the British Empire at its zenith.

SPREADSHEETS: [Pages and pages of numbers in tiny print, conveniently summarized by graphs that all seem to be exponential curves screaming heavenward, albeit with enough pseudo-random noise in them to lend plausibility].

RESUMES: Just recall the opening reel of The Magnificent Seven and you won't have to bother with this part; you should crawl to us on hands and knees and beg us for the privilege of paying our salaries.

Of course, that is used without permission (sorry Neal), and should not be taken in complete seriousness (Although I wouldn't say that if it was a 1999-2000 NASDAQ company <g> ). Seriously though... if you haven't had a chance yet you should read this book. It is well worth it. Excellent read.

Posted by SilverStr at 07:19 PM

January 04, 2003

Catch me if you can

Went and saw Catch Me If You Can last night. Was a pretty good flick, nothing like I had expected. I am not much of a DiCaprio fan (I thought Titanic was too predictable *lol*) but I have a new respect for his acting abilities in this one. Favorite scene in the movie.... tonnes of model airplanes in the bathtub. Go see the movie so you know what I mean.

After the movie we headed over to Boston Pizza for a bit. You would think they would have some healthy choices on the menu. Not really. I almost went for the chicken wings as when asked how they were prepared they said "baked". Of course, on further inspection we were told they fry them at the manufacturer's. So I opted for some taco chips and salsa and an earl grey tea with Sweet'N Low.

Spent today finishing up the functional design specification. Has now been sent out for the first pass at a review from a few people I can count on to give me an honest evaluation and review, as well as to provide some feedback on the structure etc. Will be interesting to see what the feedback will be. I then spent some time with my daughter playing "Spyro" on the Playstation 2. That's an addicting game. We really need to buy a memory card so we can save games.

Spent this evening resting a bit and watching Black Hawk Down on the movie channel. My legs feel pretty good today so I did a bit on the treadmill just to stretch out and get a bit of exercise. Tomorrow morning I will tackle another heavy workout... but I think I will skip the squats so that I can play squash Monday or Tuesday.

Right now I am going to go back upstairs and have some tea and listen to a little jazz. It's getting pretty late and I would like to mellow out for a bit. On that note... TTYL.

Posted by SilverStr at 07:06 PM

January 03, 2003

Yes, your FireCard is still useful

First off, I would like to thank everyone who has dropped me a line via email or their BLOG to wish me well. I really do appreciate all the kind words. I especially liked the couple of neat flash-based sentiment cards that were sent. Thanks again.

A few people asked if my new work is an effort to compete with NetMaster. FAR FROM IT. They are actually two separate technologies that can work well together to provide a more defence-in-depth posture with multiple levels of protection. You need a good perimeter firewall. And Gateway Guardian is great for that. Imagine a VPN client connecting up to a central policy server that determines which rules the perimeter firewall is supposed to run. Think that's impossible? No way... Gateway Guardian rocks in the ability to easily script a way to apply new rules. What I will be able to do is take that one step further. You can VPN into a network only if you are currently running the latest version of anti-virus, have the latest patched Windows operating system and have the Windows-based firewall running BEFORE Gateway Guardian will open up the IPSec VPN tunnel. This protects BOTH ends of the connection before they can even be established.

And to stop the rumor mill, I did not leave NetMaster to simply let it die. I am still a part of the company there, just not on the payroll day to day. NetMaster has a lot of irons in the fire and is negotiating some great OEM deals. I am still maintaining the master sources and bug fixes will continue to be released as required. So don't worry, your FireCard is still of use to you. (I still can't believe you asked me that :P )

Did my first real exercise routine on Wednesday night. My legs are STILL killing me from the squats. So much so I had to cancel my squash game today as I can barely walk. It's quite comical watching me walk down stairs. Even I have to laugh at myself on that one.

Arcterex threw me a neat link about weight loss. Actually, the whole site is pretty good. There are some featured articles that go into enough depth about cardio, carbs and protein charging. Arc makes some pretty weird protein shakes and now I really get why he is doing that.

Spent the last couple of days pumping out my first draft of my functional design specification that I will actually let other people read. 30 pages of complete and utter joy to write. I love having down on paper everything that has to be done and how to prioritize it. That was something I really missed when working on the stuff at NetMaster. If someone asked me the greatest thing about functional design specs, it would be the ability to control feature creep by really getting down to what is needed, and by when. Next week I have to forward the design to the CSE and arrange for a meeting with one of the experts at IRAP. I love the pace at which things are already moving!

Tonight I am going to relax and my wife and I are talking about going out with some friends to a movie. I guess I should go upstairs and see if that is still on. TTYL

Posted by SilverStr at 07:02 PM | Comments (2)

January 01, 2003

It was the best of times, it was the worst of ti... *ack*

The New Year is upon us. Happy New Year to all of you out there brave enough to read my blog. 2002 was a pretty challenging year for many of us, and I for one am looking to a better and brighter future in 2003. I wish you all the same success and prosperity in your personal and professional lives that you wish for me.

New Years Eve is always the turning point with new resolutions picked out on the spot, which we typically forget about a few weeks later. This year I truly didn't have any resolutions, as I already knew what was in store for me. And I think it is time to share that with you.

The first thing is that of my health. My doctor says I am in excellent health, except for the obesity. Kind of an oxymoron there if you ask me, but I guess it's better than being stressed out with heart problems or cancer. (I send my prayers to you Kevin and James and hope you guys get through this well) My weight has been a challenge since my thyroid gave out, and it's about time I quit whining about it and do something about it. Most of my problems revolve around the combination of bad eating due to negative stress and not exercising properly. So I have vowed to fix that with some lifestyle changes.

The first lifestyle change is to start exercising more. My wife and I have decided to begin a work out routine together in the evenings, 3 days a week. If anyone cares to know, my routine is as follows:

  1. 15 minute treadmill walk elevating to 3mph on an incline ranging from 2-4. This is to warm up the muscles and get the heart going for me.
  2. 3 sets of 12 - squats
  3. 3 sets of 12 - lat pull downs
  4. 3 sets of 12 - bench press
  5. 3 sets of 12 - bent over row
  6. 3 sets of 12 - shoulder press
  7. 2 sets of 12 - bicep curl
  8. 2 sets of 12 - triceps pushdown
  9. 30 crunches
  10. Cool down

This is kind of tailored to the equipment I have here, and is the "Super 7" muscle blast I used to do when in the military and with my trainer. I may actually start out with 2 sets for items 2 through 6 and then 1 set for items 7 and 8. The reason for one less set is that the arms are already getting the workout from the other exercises and having positive failure won't do me much good if I am not isolating it. I would rather do focused and proper exercises for the muscles than do it haphazardly and exhaust them without getting the proper workout for them. We will see how it goes.

I also plan on trying to play squash at least twice a week, hopefully three times. With Arcterex now coming out here three times a week and later five in Feb I hope to be able to hit him up for a few games a week, as well as Cuvarack. Top that off with a regular lunch game I hope to get started at the YMCA, I hope I can actually get this worked out. I really like squash, and don't really consider it exercise. But it is. Quite a good one for me actually. The charts say due to my size and the amount of play, I burn around 900 calories per squash session. That's truly awesome. And I ENJOY it... which makes all the difference. And I feel it... I am always sweating pretty hard and breathing pretty hard. I must be doing something right, since my body sure is telling me that.

The second key lifestyle change is actually a compounded one, or more to the point one that requires the other and ends up being two lifestyle changes. Lately I have been extremely stressed in a negative way, and it has caused me to eat in anger and frustration rather than for nutrition. And the eating has been of comfort food because of this, which has had me gain an extra 40 pounds this fall. Not good. Not good at all. I need to stop this. And the best way is to eliminate the negative stress... which I have now done. (I will get to that in a moment). As for the eating, I have had a chance to work with the hospital dietician and hopefully will now be on the right track. For me, it's all about the caloric intake in conjunction with the amount burned. The normal foods I eat aren't the problem, it's the frequency and amounts tied to the stress. With any luck I will now have that under control.

Which gets me to the third lifestyle change. I needed to eliminate the negative stress I have been having... which has been focused on my career. The closure of Merilus hit me pretty hard, mostly because of the devastation it caused so many people. Employees, other businesses, customers and even myself. I was left hanging with more money lost/indebted than you can imagine. Hell, the amount of money I was owed or owe by virtue of the closure could pay off some people's mortgages. I learned a lot about who were my friends and who were not after the closure. People who I respected highly and trusted ended up trying to take advantage of the situation and did more to damage their credibility in my eyes. I also made a few decisions that in reflection I wish I wouldn't have. I should learn from my past mistakes and found I didn't, making decisions based on friendship rather than business sense. I have been too trusting and that has hurt me both professionally and personally. The rekindling of NetMaster was a fight to make something out of the ashes, but that hasn't done so well. My vision of where the company was to go never took hold and after rebuilding the product and getting it to market, I have felt like a third wheel and can see from a management perspective that I will not be able to move the company forward the way I would like. The problem is not product... it is sales. And being that I am not in control of that, I can see this as a huge problem. There is a lot of value still in that company and I am still a major shareholder. I believe as a multi-branch office deployment system our software is in the right spot at the right time for OEMs. Unfortunately we have to chase them down, not the other way around. On top of that, over the past year my belief that perimeter defenses are not the key mechanisms in the process of digital security has me rethinking the way NetMaster works.

For the past few years I have spoken at security conferences and written in my book and in articles about layered defensive tactics on the network. Security has to have a defence in depth posture with multiple checkpoints to ensure protection of the information. When I designed the security infrastructure for my work at NetMaster I was focusing on opening ways to do this. The invention of the FireCard was my first attempt to move a firewall into a server, providing another level of defence around the critical resource infrastructure past the perimeter firewall. Costs were just too high to properly get this integrated into the network. It was funny, I was talking to a guy I know from the Communications Security Establishment a couple of weeks ago (better known as the CSE, the Canadian version of the NSA) and he told me that they took a really long look at our product. So did the US Navy. They really liked it but it was just too expensive to deploy across thousands of computers. And I get that. The Transmeta driven card was just too expensive. But the StrongArm and Geode versions just didn't have enough power. It was hard to find the right balance.

On top of that, it only was able to provide a peripheral amount of protection, as it could not provide cooperative enforcement with other technologies such as anti-virus, content filtering and biometric authentication. And once you got by the firewall, it was useless. With 70% of the digital intrusions coming from WITHIN the network (a quote from the FBI/CSI Security research report in 2000) the firewall was basically useless on a local network. Now top that off with all the new wireless access points that expose new risk and you can see that the traditional approach to firewalling won't cut it any more.

I have thought hard about this. Especially when I look at the landscape of computers and their users of today. Let's face it. As a Linux/Unix advocate I wish everyone would move to a more secure platform. (Personally, I think OSX would be the right move for many but Apple won't open the OS to other hardware) But it is just not practical for most organizations to move from Windows. Linux is not winning on the desktop. Over 90% of the users are still using Microsoft platforms. And Microsoft's latest work with XP and Longhorn has come a long way. I no longer have a Linux desktop as my main system, which I did have for over 5 years. I use XP Pro, cleaned up and secured to my liking. (With a special flavouring of cygwin to get access to all my Unix tools) It took some doing to get my platform secured and that has me thinking.

Defence in depth has to be taken to the end point, which is mostly driven by Windows. But it has to be done in a way to be centrally managed. End users don't want the hassles of having personal desktop firewalls popping up all the time. And most of them are useless once you say "yes, allow access to port 80". What if you only wanted it for that session? Or if the policy changed? Or the application changes?

Personal firewalls suck. I tried them all. They all have some good points but they were not designed to be controlled in an enterprise network. Even more so when you start to expose Extranet remote users with VPN technology. They don't have real mechanisms to handle corporate security policies and push them out in real time without many hiccups. And to top it off it is still too easy for Trojans, worms and other virii to bypass the security measures if allowed just once.
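To make the complaint above concrete, here is an added example (my own construction in Python, not the author's software and not NetMaster's or the new company's product) of what an endpoint allow rule looks like when it is *not* a permanent "yes, allow port 80": each grant is bound to the calling executable's path and hash, to one user session, to a time-to-live, and to the version of the centrally pushed policy that issued it. The application path, the executable bytes, the session ids and the timestamps are all constructed sample values.

```python
"""Session-scoped, application-bound endpoint network policy (constructed example)."""
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppIdentity:
    """Identity of the program asking for the network: path AND hash of its bytes."""
    path: str
    sha256: str


@dataclass
class Grant:
    app: AppIdentity
    port: int
    session_id: str        # the interactive/VPN session the user answered "yes" in
    policy_version: int    # the central policy revision that was current at grant time
    expires_at: float      # unix time; the grant dies on its own after this


class EndpointPolicy:
    """Allow-list consulted on every outbound connect() attempt."""

    def __init__(self, version: int) -> None:
        self.version = version
        self._grants: List[Grant] = []

    def bump_version(self) -> None:
        # A new policy pushed from the management server invalidates every
        # grant issued under the old revision; nothing is "allowed once, forever".
        self.version += 1

    def grant(self, app: AppIdentity, port: int, session_id: str,
              ttl_seconds: float, now: Optional[float] = None) -> Grant:
        now = time.time() if now is None else now
        g = Grant(app, port, session_id, self.version, now + ttl_seconds)
        self._grants.append(g)
        return g

    def allows(self, app: AppIdentity, port: int, session_id: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        for g in self._grants:
            if g.policy_version != self.version:   # stale after a policy push
                continue
            if g.session_id != session_id:          # answer applied to that session only
                continue
            if now >= g.expires_at:                 # TTL ran out
                continue
            if g.port != port:
                continue
            if g.app != app:                        # path AND hash must match
                continue
            return True
        return False


def fingerprint(path: str, executable_bytes: bytes) -> AppIdentity:
    """Hash the executable as loaded, so a swapped binary at the same path is a different app."""
    return AppIdentity(path, hashlib.sha256(executable_bytes).hexdigest())


def demo() -> Dict[str, bool]:
    """Walk through the failure modes the text complains about; returns each decision."""
    policy = EndpointPolicy(version=1)
    # Constructed sample application and bytes; not a real binary.
    browser = fingerprint(r"C:\Program Files\Browser\browser.exe", b"constructed browser bytes v1")
    policy.grant(browser, 80, session_id="S1", ttl_seconds=3600, now=1000.0)

    results: Dict[str, bool] = {}
    results["same_session"] = policy.allows(browser, 80, "S1", now=1500.0)      # True
    results["next_session"] = policy.allows(browser, 80, "S2", now=1500.0)      # False
    results["expired"] = policy.allows(browser, 80, "S1", now=5000.0)           # False
    # A different executable dropped at the same path does not inherit the grant.
    replaced = fingerprint(browser.path, b"constructed replacement bytes")
    results["binary_changed"] = policy.allows(replaced, 80, "S1", now=1500.0)   # False
    policy.bump_version()   # central policy change pushed to the endpoint
    results["after_policy_push"] = policy.allows(browser, 80, "S1", now=1500.0) # False
    return results


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check:18s} -> {'ALLOW' if decision else 'DENY'}")
```

The point of the four denials is that the user's one "yes" never outlives the session, the executable, the TTL or the policy revision it was given under, which is exactly the property the paragraph says desktop firewalls of the day lacked. A real agent would take the hash from the loaded image and the session id from the logon, but the decision logic is the same.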

Years ago I started some research on my own time to solve that. I think it is time to turn that research into a business. As such, to remove the negative stress in my life because of work I have decided it is time to leave NetMaster and form a company focused on solving this critical issue. For years I tried to make Linux solutions to solve defence in depth security issues to be used in Windows environments. Now, I am going to take it to the endpoint, and secure the desktop properly. Instead of complaining about the problems with Windows security, I am going to do something about it.

And I am not alone. Both the CSE and IRAP are interested in helping me out. The National Research Council's Industrial Research Assistance Program (NRC-IRAP) is Canada's premier innovation assistance program for small and medium-sized Canadian enterprises. Tapping into their experts as well as the Communications Security Establishment, I will be releasing computer security software for the Windows platform that will be of the highest grade of quality and security. And I am doing so in a specific field where there are very few players. Firewalls are not enough anymore. The world needs software solutions at the endpoint to properly enforce corporate security policies in real time. Working with the CSE to build the system around the CCS (Common Criteria Standard) I expect to release security software that can be used at the highest levels in military, government and enterprise applications. And to boot, the design will allow small and medium enterprises to gain the security they need as well. I am going to be breaking the pricing barrier. This will be affordable for all businesses so they can properly secure their Windows environment. And more to the point, the infrastructure is expandable to also encompass Linux, OSX and basically any other kind of networked device that has a TCP/IP stack, including cell phones with data services.

I really am excited about this. Not only is the project removing a huge amount of negative stress I have had in 2002, I am doing something the way it SHOULD be done that is needed and wanted by people out there. One thing I have learned in the past five years is it doesn't matter how good the product is if you can't sell it. Knowing I already have a couple of agencies/companies willing to buy it assures me a good start, and I have the great luck to have a few mentors who are willing to work with me to finally get over the problems of sales and assist me in making this work. And that excites me more. Especially since these mentors have built companies that generate huge revenues and sold them for 10s of millions of dollars. Just after Christmas I had the luxury of meeting with them and I was excited at the people they have interested in helping me out. I already can see how this is the right time for me to refocus myself with people around me who I trust.

2003 looks to be an exciting year for me. It is going to be tough for the next 6 months or so as I build this, but I am sure I will manage with many of the friends around me for support. (You know who you are). The greatest thing is the fact that the stress is induced by me and is controlled by me. And as positive stress, not negative stress. I don't have to fret about others not reaching their milestones, or excuses on why they can't accomplish their goals. If this thing succeeds or fails... I need to look in the mirror... not at others. I no longer will leave my life in the hands of others that don't have the same vision or interest as me. And I have learned a great lesson about trust and professionalism in business in 2001 and 2002. Now that I have spent the last few years gaining that knowledge (along with all the other educational challenges I have had the pleasure of learning from) it is time to apply it and build the successful computer security software company I know is possible.

Wish me well. Today is the dawning of not only a new year, but also that of a new life with huge lifestyle changes.

Posted by SilverStr at 06:47 PM