Rootkit revisited: Technology Review

Technology Review: Inside the Spyware Scandal. The MIT journal attempts to reconstruct everything that happened with the Sony BMG rootkit brouhaha (for details, see the Boycott Sony blog).

A reasonable recap of everything that happened, with a few revelations: First 4 Internet was originally hired to protect studio recordings from prerelease leaking, and the broadly disseminated rootkit technology just kind of happened along the way. Second, Sony BMG initially didn’t respond to F-Secure’s questions because the security company contacted the wrong Sony subsidiary. There won’t be any real answers unless the legal proceedings still underway uncover them; both First 4 Internet and Sony BMG declined to comment for the article, which kind of limits the scope of its revelations.

I’m quoted in the article about the Boycott Sony blog and my reaction to it, though I’m morphed inexplicably into a Web developer.

Unfortunately the article comes down on the side of arguing that there has to be some kind of “good DRM,” that all Sony did was err in how heavy-handed and covert its attempts to apply DRM were. I’m not sure I agree any more. I certainly don’t think the answer is going to come in trying to make something “consumer friendly” that limits your rights.

ITXpo: Microsoft Vista and app dev

Spent some time this afternoon looking at Vista and talking to the Microsoft team here (which includes some folks I know from my past life at and my internship—hi Arvind! hi Peg!) about what’s coming down the pipe that our company needs to know about from an application development perspective. The guidance I got from the team there is that the major thing to pay attention to is the change in the privilege model—User Account Protection—and how that affects the installation and running of applications. Other than that, there are plenty of cool new features to take advantage of, of course. And the eye candy is impressive.

I also liked the built in RSS widget on the Sidebar. It does appear to be a little funky though—not in parsing the RSS, which is fine, but in loading it in chronological order rather than reverse-chronological order. I loaded my RSS feed for kicks on one of their Vista test machines and was surprised to see that the top entry was an old one—then surprised again to load the feed source in IE 7 and to see the same thing. Apparently the default XSLT+CSS orders the items oldest first. That kind of detracts from the usefulness for me. Maybe there’s a way to change it. I walked away with a beta CD and will check it out once I can install it on Virtual PC.

ITXpo: “Consumerization”

If you know me, you already know one of my points about a few of the sessions that in a well-intentioned and generally thorough way address the question of “consumer” technologies in the enterprise. That’s the C-word itself. Our employees are not gullets that crap cash, and talking about technology expectations set by “consumer-grade” services like Google, desktop search, and IM that are all actually free brings some real cognitive conflict. How can it be consumer technology if there is no money changing hands?

The Docs (Searls and Weinberger) et al have done us a tremendous service in making us aware of the naming problem that the “consumer” label brings. I’m not sure they’ve done a good job of identifying alternative labels. “Producer” has been floated in the case of bloggers and other user-authored media creators, but it doesn’t generalize well; “human being” and “citizen” have the opposite problem—they’re too general. From a technology perspective, is there a useful way to talk about technologies that stand in opposition to the enterprise central-control model that doesn’t use the C word?

This is, I think, an important question. Anyone who has been around “consumer” driven businesses knows it can be like pulling teeth to get them to acknowledge that consumers are the same people who are inside enterprises, just seen at different times. And some of it has to do with the label. If IT organizations are to take “consumer” technologies seriously, as the Gartner mavericks suggest that they should, maybe finding a different word is a good starting point. The session I just was in, led by David Smith and Tom Austin, indirectly suggested one alternative: open market technologies. But of course this suggests that enterprise technologies are not open market. sideways smiley

The question of what to call it (reluctantly) put aside, the idea that systematically bringing non-enterprise technologies inside the enterprise could drive real benefits—not just to the end user but to the enterprise as a whole—is I think worth taking seriously. The speakers cited a case study of a company (which I think was Ford) which hardened its internal systems, then piloted an approach in which rather than providing a corporate desktop it gave its users a stipend with which they could buy their own—shifting the burden of administering and supporting the desktop to the end user, but also allowing them to take advantage of rapidly shifting consumer technology. They also discuss possible worlds where the base OS on an office machine is a consumer OS, and that the standard corporate desktop runs as an image inside a virtualization environment. How silly it is, they point out, to be a consumer service like Google or Ebay and to say that you can’t do business with me unless you have an approved, hardened browser that I provide and can guarantee is secure.

What I found interesting about all of these scenarios, and what they pointed out toward the end of the discussion, is that these trends could open the door for players like Apple—not iPods but Macs—to be dragged into the enterprise by end users who are comfortable and productive with them and can do most if not all of their jobs on them, once the users are given the leeway to provide their own desktop machine. Now that’s interesting.

ITXpo: Business service management

One of the pitfalls (or blessings, depending on your perspective) of being a small software company is that you get laser-like focus on your core business problem out of necessity. For me as a vendor, one of the real value points about the Gartner show is getting exposed to other market segments that touch ours that I might not run across otherwise. That’s the case with the session I just attended on BSM (Business Service Management).

BSM is essentially a live dependency map, integrated to monitoring tools, that escalates only the monitoring events that have a real impact on the business and presents them in a business-consumable format. This is a goal for a lot of IT organizations—I know the operations team was trying to implement something like this using the Microsoft server product stack plus homegrown tools about five years ago before the BSM market was grown, and knowing them they now have a complete solution. What was interesting to me was how BSM seems to dovetail with the work that my company has done in the last year on the CMDB, which really is about creating and documenting the service dependency map that BSM needs as a starting point.

When you combine a good CMDB with robust change management, and then tie in a good monitoring API and logic about how component status rolls up (or doesn’t) to the status of a service, then all of a sudden the time and effort spent on building that CMDB has paid some unexpected dividends.

Gartner ITXpo 2006

I’m back at Gartner’s ITXpo after liveblogging parts of it last year. I’ve decided this year to pseudo-live-blog—to take notes during the session and post them later. Pulling out a laptop during one of the keynotes last year just felt too weird. Blogger culture hasn’t totally permeated the IT universe, and I drew too many stares.

However, I did notice a blogger’s lounge is available on the show floor alongside all the media lounges. So maybe things are changing… albeit really slowly.

It will be interesting to see if this year’s official conference blog actually writes anything about any of the sessions, rather than the conference events.