Reach567-Nice Find-General Dynamics touts TCG!
The article is by one Mel Crocker of General Dynamics
Some excerpts below
The Defense Information Assurance Certification and Accreditation Process (DIACAP), still in draft format, introduces changes that provide a framework for certifying system solutions … to support the paradigm shift from need to know to need to share [5]. The DIACAP is applicable to tactical information sharing and introduces a process that could be used to certify and accredit the high-level security solution proposed in this article.
Technology Advances
Several technologies are creating opportunities for better cross-domain security solutions.
The Trusted Computing Exemplar (TCX) project is creating a framework for rapid high assurance system development, addressing how high assurance software components can be built [6]. With the system solution envisaged in this article, several high assurance components will be required at various places in the system and the TCX project identifies a process prescribing how these types of components can be built. Moreover, there are a number of companies who have significantly matured their software development processes, achieving the Software Engineering Institute’s Capability Maturity Model and Capability Maturity Model Integration Level 5. Beyond mature software development processes, the improvements in verification of software have also been significant and are becoming the focus of intense research [7]. Creating software that predictably and verifiably does what it purports to do and nothing more is becoming achievable within reasonable expense. All these elements are critical to building a system solution.
The Advanced Encryption Standard (AES) was approved in Federal Information Processing Standards Publication 197 dated 26 Nov. 2001 to encrypt unclassified U.S. government traffic. In June 2003, the National Security Agency (NSA) approved AES to protect classified U.S. traffic, an unprecedented action in the world of high-assurance encryption [8]. Because the algorithm is publicly available, coalition partners can independently implement the algorithm and with a common key, they can securely exchange information.
The Trusted Computing Group (TCG), an alliance of manufacturers, is in the process of establishing a number of relevant security hardware and system standards, effectively creating a framework for secure system solutions. The TCG recognizes the critical link with hardware, and several manufacturers are beginning to market compliant equipment. Regarding the solution suggested in this article, TCG compliant equipment would create an affordable, stable hardware base for the high assurance software components.
snippage
There have been a number of significant advances recently toward certified components leading toward a certified Multiple Independent Levels of Security (MILS) architecture [10]. A MILS architecture leads toward a degree of confidence in the separation of information within the system, avoiding so much technical complexity that the system cannot practically be built. This creates well-enforced system sandboxes where software can be forced to execute only within approved parameters. The High Assurance Platform (HAP) is a computer that provides MILS capabilities using industry standard commercial hardware, software and applications, and should be available to a narrow community in 2007. It is intended to provide NSA certified separation to multiple operating systems running simultaneously in different security domains.
snippage
The following functionality must exist at information source points, often personal computers:
Trusted identification and access control measures must be resident in the source data terminals. These measures link user triggered actions to individuals and confirm privileges before allowing actions. Systems and protocols provide the means to manage identities across disparate networks with a high degree of confidence and minimum inconvenience to the user community. Regarding authorization, the use of X.509 based attribute certificates and a Privilege Management Infrastructure offers considerable flexibility to handle role based authority [12] and progress has been made extending Public Key Infrastructures into tactical environments.
Trusted audit measures must be resident on the data terminals to capture all security relevant events. With the establishment of the TCG standards and resulting hardware, the audit logs can be securely protected and with the availability of inexpensive storage, the logs can hold a tremendous amount of information before needing to be rolled over.
Trusted domain separation must exist on the data terminals. There is considerable research into making trusted operating systems more accessible and commercial operating systems more secure, providing sufficient flexibility to strike the right risk exposure and functionality. Moreover, with the establishment of TCG standards and hardware, the increased confidence in the operating systems and software will be strongly based on trusted hardware. This should make domain separation on desktops achievable and affordable in the near term.
Trusted encryption measures with an appropriate algorithm must provide adequate confidentiality and integrity protection for information flows between data terminals. Trusted Network Connect from the TCG offers an assured encryption solution and the digital signature, random number generation and protected storage of the Trusted Platform Module, again from the TCG, offers the other necessary primitives for a secure solution.
snippage
A boundary protection system should contain the following functionalities at the network boundaries:
Identity and access control to ensure the users passing information or drawing information across the domain boundary are authorized to do so.
Conclusion
To support the unity of effort necessary in today’s combat environment, warfighters have a duty to share information widely and quickly in rich exchanges, some of which must cross security domains. This article suggests a holistic high-level solution to securing cross-domain exchanges that will not excessively constrain the exchanges, taking advantage of advances in technology and policy. The solution effectively takes some of the trust and functionality originally resident in traditional CDS and moves it into information sources, system services, and boundary protection devices.
Although the solution suggested here has been applied to the tactical environment, elements of the system solution may lend itself to other environments with similar problem spaces. Instead of tactical domains, one could consider the domains relevant in medical information systems. Patients must securely share private information with family general practitioners, and occasionally general practitioners must share elements of this information with specialists. The exchange between patient, general practitioner, and specialist creates a small community of interest. At the same time, some of this information may be useful to those needing statistics, but the posting agency may not really be aware of the information needs of the authorized consumers and may not be best able to manage the makeup of the authorized consumers. Managing access might be better placed with others whose primary expertise is privacy, access control, and information presentation. Throughout these exchanges, actions must be logged to ensure violations can be handled quickly.
Robert I- a fair appraisal, I think
I believe that CEOs are usually Pollyannas to a certain degree, it's just that in our situation, with an emerging market as well as new products/technology, it is exponentially harder to predict what will happen-even for the CEO. That's why I don't base much of my thinking on statements from SKS alone, I look to cross reference with other evidence. I am a long, anyway, I don't plan on selling for years, yet, unless Wave somehow tanks-which I acknowledge could still happen.
Wavxmaster-agreed to all
I recall SKS emphasizing TCG board membership, but I missed the reelection part. Probably too busy concentrating on my typing from a previous statement.
I too am feeling good about Wave's position, and am not worried about last week's SP decline. In fact, I have a bit of extra money coming to me in a few days, and will be increasing my position by about 50%. So, while I sympathize about SP, I am happy to get the cheaper shares. I expect some degree of run up leading into the CC, if Seagate has not caused it already by that time.
SRA Presentation notes:
Kept a few notes as I listened. The biggest news was it looks like another financing is a possibility.
(Somewhat paraphrased)
-Dell, Intel, Gateway, Seagate, ST. Micro mentioned as signed customers
-Few thousand seats sold so far
-’08-’09 TPM on every machine made
-Trusted Computing market not matured yet, but Defense Department is committed to using TCG, just not sure of architecture
-An OEM recently told us they preferred our Vista solutions over the others
-3rd phase of TCG deployment will be end users to application security
(mentioned Boeing as an example)
-1 million copies of software shipped in last 45 days
-Infineon software only runs on Infineon cores, but Wave runs on theirs and all others
-Seagate is on target to launch in first quarter-in next few weeks
-We build one of the solutions for the Seagate drives, along with Secude. We build the OEM version of this software.
-Our administrative server tools allow system admins to deny access to hard drive, other than to log on to use applications.
-Seagate helping us to build relationships with other OEMs
-We are doing transactions every month with new enterprises that are looking to close thousands of seats of software.
-Last year TCG ran a training at RSA, 150 people showed up, this year 550 people showed up-turned people away at the door.
-Secretary of Defense is drafting a memo right now to require TPMs on all machines in DoD
-We see more services contracts with DoD in the future
-A number of very interesting pilots out there right now with very big brands
-Enterprise software is out there and being used right now. A few thousand seat deployments.
-Seagate doubles exposure for Wave when released
-Q-Can we manage the growth without equity financing-A-in the short term, no, but in the long term, yes.
-2-3 other things on the horizon-networking and areas in mobile devices will have equivalent impact to what we are doing with Seagate
-No competition right now in enterprise tools
Ethernet will never work
At least, that's what its inventors were told. The text below is from Wikipedia. Posted because SKS has publicly compared Wave to Ethernet as an emerging industry standard. Like the CDMA story in the previous post, interesting to compare Ethernet's emergence with what we know about Wave
The Wikipedia Article:
Ethernet was originally developed as one of the many pioneering projects at Xerox PARC. Ethernet was invented in the period of 1973–1975. Robert Metcalfe and David Boggs wrote and presented their "Draft Ethernet Overview" some time before March 1974. In March 1974, R. Z. Bachrach wrote a memo to Metcalfe, Boggs, and their management, stating that "technically or conceptually there is nothing new in your proposal" and that "analysis would show that your system would be a failure."[1] In 1975, Xerox filed a patent application listing Metcalfe and Boggs, plus Chuck Thacker and Butler Lampson, as inventors (U.S. Patent 4063220 : Multipoint data communication system with collision detection). In 1976, after the system was deployed at PARC, Metcalfe and Boggs published a paper titled Ethernet: Distributed Packet-Switching For Local Computer Networks.
Metcalfe left Xerox in 1979 to promote the use of personal computers and local area networks (LANs), forming 3Com. He convinced DEC, Intel, and Xerox to work together to promote Ethernet as a standard, the so-called "DIX" standard, for "Digital/Intel/Xerox"; it standardized the 10 megabits/second Ethernet, with 48-bit destination and source addresses and a global 16-bit type field. The standard was first published on September 30, 1980. It competed with two largely proprietary systems, token ring and ARCNET, but those soon found themselves buried under a tidal wave of Ethernet products. In the process, 3Com became a major company.
Metcalfe sometimes jokingly credits Jerome H. Saltzer for 3Com's success. Saltzer co-wrote an influential paper suggesting that token-ring architectures were theoretically superior to Ethernet-style technologies. This result, the story goes, left enough doubt in the minds of computer manufacturers that they decided not to make Ethernet a standard feature, which allowed 3Com to build a business around selling add-in Ethernet network cards. This also led to the saying "Ethernet works better in practice than in theory," which, though a joke, actually makes a valid technical point: the characteristics of typical traffic on actual networks differ from what had been expected before LANs became common in ways that favor the simple design of Ethernet. Add to this the real speed/cost advantage Ethernet products have continually enjoyed over other (token, FDDI, ATM, etc.) LAN implementations and we see why today's result is that "connect the PC to the network" means connect it via Ethernet. Even when the PC is connected by Wi-Fi, nearly all Wi-Fi gear uses Ethernet for connecting to the rest of the network.
What an emerging paradigm looks like
Wave has been compared with Qualcomm. The following is a blog by a former Qualcomm engineer in which he describes the chaos of trying to achieve the widescale adoption of CDMA technology for cell phones. It is interesting to compare this story with what we know of Wave's current position. I think Wave is in a stronger position than CDMA was at a comparable time....
(******* means snippage-I cut some of the more detailed technical explanations-go to the link for them)
http://denbeste.nu/cd_log_entries/2002/10/GSM3G.shtml
Steven Den Beste(2002).
As I think many of my readers know, I used to work for Qualcomm designing cell phones. Qualcomm is the company which invented CDMA, and made it practical, and made it into a market success, and it now dominates the American market, where Verizon and Sprint both use it. There are two other nationwide cellular systems: AT&T currently uses IS-136 TDMA, which is obsolete and has no upgrade path. Cingular uses GSM, a more sophisticated form of TDMA from Europe.
And right now I'm basking in the evil glow of a major case of schadenfreude.
***********
In Europe, various governments decided that they (the Europeans) had designed the ultimate digital cellular system, and they passed laws making it illegal to deploy anything except GSM, whose primary supporters/suppliers were Nokia, Ericsson, Siemens and Alcatel.
Meanwhile, the FCC decided that it would not mandate any industry standard. It granted licenses for spectrum but permitted the licensee to choose whatever equipment and standard it wanted. (Within limits. There were certain certification standards required by the FCC to guarantee safety and to avoid interference between neighboring systems.)
And all through the 90's, me and everyone else in the US cell phone industry put up with constant ragging from Europeans about the evident virtues of GSM and the equally evident virtues of a government mandated standard. While in the US you had what seemed at the time to be utter chaos, with a huge number of small companies using a bewildering array of different standards, in Europe anyone could carry their phone almost anywhere in the continent, and if they couldn't use it they could move their personality module into a local phone and use that.
Of course, that apparent chaos in the US was only a temporary phenomenon, and I think maybe the FCC and the rest of the government knew it would be. There's always shakeout, but in the meantime this kind of government policy of keeping hands off meant that the industry was given broad ability to experiment. And within that environment, early in the 1990's, the founders of my former employer Qualcomm began to work on a radically different way to handle cell phones called Code Division Multiple Access, or CDMA. It's radical in many, many ways but by far the most obvious is that all the phones in the system and all the cells in the system operate simultaneously on the same carrier frequency. They don't "take turns" because they don't need to.
*******************
In fact, CDMA was so revolutionary that when it was first discussed, many thought it couldn't be made to work. Indeed, at least one European company deeply involved with GSM, Ericsson, went through the three classic stages of Not Invented Here syndrome:
1. It's impossible.
2. It's infeasible.
3. Actually, we thought of it first.
When I worked for Qualcomm, I had to soft pedal this. Now I'm no longer associated with the company, and I can vent about those idiots. At first, the most vocal top brains at Ericsson tried to claim that CDMA violated information theory.
*****************
Unfortunately, Qualcomm did a field test in New York City where several prototype phones mounted in vans were able to operate at once on the same frequency talking to multiple cells all of which also operated on the same frequency.
The next argument was that though it seemed technically possible, it would be too expensive. Everyone knew that the electronics required to make CDMA work was a lot more complicated than what TDMA used, and Ericsson's loud voices claimed that it could never be reduced in price enough to make it competitive. And shortly thereafter Qualcomm proved that wrong, too, by beginning to produce both infrastructure and phones at very competitive prices. (Qualcomm did this to bootstrap the industry. It's no longer in either business.)
After which Ericsson suddenly decided that it had applicable patents and took Qualcomm to court. Over the long drawn out process of litigation, every single preliminary court judgment went in favor of Qualcomm, and it became obvious that Ericsson didn't have a case and that Qualcomm wasn't going to be intimidated. Ultimately, the entire case was settled in a massive omnibus agreement where Ericsson became the last of the large companies in the industry to license Qualcomm's patents (on the same royalty terms as everyone else) while taking a large money-losing division off Qualcomm's hands and assuming all the liabilities associated with it, and granting Qualcomm a full license for GSM technology. The industry consensus was that this represented a fullscale surrender by Ericsson.
Nokia wasn't anything like as foolish and had licensed several years before. (Just in passing, the fools at Ericsson are in the front office. Their engineers are as good as anyone else's.)
Still, in the years of apparent chaos in the US, when loud voices in Europe proclaimed the clear advantage of a single continental standard, order began to appear out of the chaos here. Small companies using the same standards set up roaming agreements, and then started merging into larger companies, which merged into yet larger ones. One company (Sprint) started from scratch to build nationwide coverage. Bell Atlantic Mobile acquired GTE Mobile (who had been a joint partner in PrimeCo), and eventually merged with Airtouch to form Verizon, all of which was based on IS-95 CDMA, mostly on 800 MHz. Sprint eventually implemented a reasonable nationwide system also based on CDMA. The last major nationwide system to form was Cingular, after the various GSM carriers in the US realized they were in big trouble competing against Verizon and Sprint and AT&T (which uses IS-136).
Once the existence and commercial feasibility of CDMA were established beyond doubt, other aspects of it began to become clear. At the RF layer, CDMA was obviously drastically superior to any kind of TDMA. For one thing, in any cellular system which had three or more cells, CDMA could carry far more traffic within a given allocation of spectrum than any form of TDMA. (Depending on the physical circumstances, it's usually three times as much but it can be as much as five times.) For another, CDMA was designed from the very beginning to dynamically allocate spectrum.
In TDMA, a given phone in a given voice call is allocated a certain fixed amount of bandwidth whether it needs it or not. In IS-136 that's a bit less than 10 KHz, in GSM it's somewhat less than 25 KHz. (Going each direction; the total is twice that.) But humans don't use bandwidth that way; when you're talking, I'm mostly listening. So your 25 KHz channel to me is carrying your voice, and my 25 KHz channel to you is carrying the sound of me listening to you silently.
*********************
And for the reasons given above, and several others, it was equally clear that it had to use a CDMA air interface. GSM was the very best propeller-driven fighter money could buy, but CDMA was a jet engine, and ultimately TDMA could not compete. The fundamental weakness of TDMA at the RF layer could not be compensated for at any layer higher than that, no matter how well designed it was. GSM/TDMA was a dead end, and to create 3G, Europe's electronics companies were going to have to swallow their pride and admit that Qualcomm had been right all along.
*******************
I confess to a deep feeling of satisfaction about this on a personal level, primarily because of all the horseshit I put up with from GSM fans over the years when they talked about how superior the European approach to this was.
The thing is that if the US had followed the same policy, CDMA would never have been given the chance to prove itself. We now have just as good of nationwide systems and just as much portability as the Europeans do, only our system is fundamentally better. GSM has many features which are marvelous, but they can eventually be grafted onto IS-95 and CDMA2K, because they're all implemented at high protocol levels or don't have anything to do with the RF link. IS-95 and CDMA2K have many cool features, too, but it isn't possible to implement them on a TDMA air interface, so the only way that GSM can have those features is to toss TDMA and switch, which is what they're now trying to do.
So I'm sitting here basking in the warm glow of schadenfreude because nemesis has caught up with European hubris in the cell phone industry.
But there's more to this, because in the microscopic this turns out to be a morality tale which more broadly shows the difference in approaches to most things between the Europeans and the Americans, and I think demonstrates quite clearly why our way is more successful.
Though the adoption of a continent-wide standard for Europe in the 1990's did have certain benefits, it also had some hidden prices. It gave them compatibility, but it was also protectionism, and as is always the case with industries shielded by protectionism, the European cell phone companies became arrogant and complacent, and as a result they fell badly behind. Now they're trying to catch up, and it isn't turning out to be easy. They licensed Qualcomm's patents, but what they're now discovering is that Qualcomm didn't patent everything it knows about making CDMA work, and that it's a really difficult problem. (Damned straight it is. We know a hell of a lot we're not telling. It's pretty straightforward to make it work badly and unreliably, using a lot of battery power. Making it work well on low power is damned tough, and that knowledge is not for sale.)
Part of their problem is that they're trying to run before they've learned to walk. Qualcomm and its partners are moving to CDMA2K after many years of working with IS-95, but the GSM coalition is jumping straight into WCDMA cold.
Like all protected industries, the GSM companies didn't make the investment they should have early enough. Part of why they're way behind is that they started late, and much of that was because of ego, because they didn't want to admit that Qualcomm had been right (or to pay Qualcomm royalties). So they lost two full years in lawsuits and negotiations with Qualcomm before the real design process could begin. And then they discovered that the problem was harder than it looked. As it now stands, it's going to be an interesting question to see whether they can ever get it to work (especially to get interoperability), and more importantly, even if they do to see whether they will be too late and will have missed the market window. I think they will make it work, but I think it will be too late.
Here are some of the lessons I see in this.
First, Europe pulled this decision up to as high a level as it could. When the legal mandate to use GSM was passed, the EU didn't yet exist. Individual nations each passed such laws based on a consensus. In the US, that decision was pushed down as far as possible, and the superiority of CDMA over any TDMA-based system was decided by millions of cell phone users who voted with their wallets.
Second, Europe tried to stop the clock. It decided that it had the final answer with GSM and that no further experimentation was necessary because no further improvement was possible. In the US, the government kept its hands off, and in fact if another newer system comes along which is superior to CDMA, it will have the same opportunity commercially that CDMA had. (Not quite; the market has evolved and we're into the "standardization and shakeout" phase now. But there won't be any government mandate preventing it.)
Europe emphasized cooperation over competition, consensus and agreement over "let's try it and see what happens". It was viewed as important that there be compatibility over the whole continent, and to achieve that they outlawed competition. In the US, we valued competition, and ironically we not only ended up with compatibility over the whole continent but got that compatibility with a superior system which emerged out of competition.
Despite claims to the contrary, Europe passed those laws in part precisely because the standard which was being protected was European and most of the equipment which would be used was homegrown. Part of why those laws were passed was to lock out the US. (Some American companies made GSM equipment, but they never had much market share in Europe.) In the US, everyone was free to compete, and for quite a while the largest seller of handsets here was Nokia. GSM was deployed here and attempted to compete against CDMA on a level playing field, and got handed its ass.
GSM fans will point out that GSM is more broadly deployed elsewhere in the world than IS-95. They'll be careful not to point out the extent to which bribery played a role in that. (Things like "If you choose GSM over CDMA, we'll build a factory there" which is how GSM mostly won in Brazil.)
But that kind of thing is ultimately self-defeating, and TDMA/GSM isn't going to be competitive against CDMA2K, and the Europeans can't make WCDMA work reliably. And as a result of that, a lot of the cellular telecom companies in Europe are in deep financial trouble, not to mention facing legal deadlines for deployment of 3G which cannot possibly be met. MobilCom in Germany is near death, for example, and just announced that it would lay off 40% of its staff. Apparently it would already be dead were it not for a €400 million loan from the German government, which has angered the EU. And because the telecom companies in Europe are all so heavily cross invested, this is a cascading problem. Part of why Mobilcom is in trouble is because France Telecom SA is in trouble and had to renege on an investment commitment. You're eventually going to see a chain-reaction sequence of commercial failures as the money runs out, or more likely you'll see huge government subsidies.
Both these articles say that CDMA2K is "controlled by Qualcomm". That's true and not true. There's an industry standards body, and Qualcomm is probably the most important and influential member of it. It's also true that most of the CDMA2K proposal came out of Qualcomm. But the members of that standards body understand that they're going to get further by cooperation than by competition, and there's very much a "can do" attitude there which helped get a standard approved a long time ago. Qualcomm's proposal wasn't predatory. (By comparison, Sun's Java standards have been predatory, because part of the goal is to keep Sun the largest player in the Java business. Qualcomm is not the largest player in CDMA and probably never will be.) There's also heavy emphasis on interoperability and testing and standards compliance, and there is an independent testing laboratory, which even Qualcomm uses to verify its own products.
Another of the ironies in this is that "cooperative" Europe has turned out not to be cooperating as well as "competitive America". The companies involved in the CDMA2K process are cooperating closely because it's in their own best interest to do so, not because of some sort of fuzzy philosophy of "cooperation and centralization are good things". The companies in the CDMA2K process are cooperating because they know they'll be killed if they don't, not to mention the fact that they smell GSM's blood.
This kind of thing has played out much the same way hundreds of times before between Europe and the US, and nearly always it's had the same result. And as Europe increasingly centralizes and "harmonizes" and moves more and more authority to Brussels, it's going to keep happening. Decisions will be made from the center, and a lot of the time they'll be made wrongly because the "center" is not the infinite repository of all wisdom. The "center" chose GSM/TDMA to be the winner; America decided to let the market figure out the winner, and it didn't turn out to be GSM/TDMA.
European centralization turned out to be a competitive advantage – for the US. And that's going to keep happening. If I was vicious and wanted to wish failure and misery on Europe, I could think of nothing better to inflict it than the process going on now whereby more and more authority will move to Brussels to be used by unelected bureaucrats who answer to no one.
Ispro-exactly! This won't be the last set of software tools or software company that Wave "interferes" with, either. It is simply the first birth pangs of trusted computing. There are quite a few companies that are suddenly obsolete-they just don't realize it yet. The real howling will come when banks and the like begin to require TPM authentication. Then, our friends running Daemon Tools will really have a tough choice to make.
keV- do you own a mirror?
I recommend taking a long look in it any time you are feeling like accusing others of not understanding you. You couldn't even stay on topic in your reply to me. Your previous post had nothing to do with your experience with Wave service. You only commented on the Dell and Daemon Tools user forums posted, calling them "disturbing." Go back and look for yourself-and feel free to point out to me where in your previous post you brought up your own issues with Wave customer service.
In addition, Daemon Tools looks to be a suite of software that allows people to circumvent DRM. This is not likely to be a company that Wave will ever provide much support. This is a company that Wave will put out of business. What a surprise that its users don't like Wave.....
Wave and McAfee connected?
Found the following two references to Embassy being connected to McAfee while reading the Dell support forum:
http://www.dellcommunity.com/supportforums/board/message?board.id=sw_other&message.id=57392&...
Although the specifics of this page addressed a different issue, it discussed the problems created by Embassy Trust Suite on a Dell Precision 390. Since the Embassy Trust Suite appears to only be needed if McAfee is used, we removed it then re-booted. The MS Works database now functions correctly.
******************************************
http://www.mail-archive.com/twsocket@elists.org/msg06642.html
We found that the crash during the splash screen loading in AC10 on a Dell Precision 390 was caused by the presence of wxvault.dll. The solution is to remove the EMBASSY software that McAfee depends on.
keV- The real Daemon here is...
Your refusal to follow just a few mouse clicks to the user forum referenced by the poster who claimed "thousands" of people were complaining about Wave. Go check it out for yourself. There are no more than twenty people who have posted on the Daemon forum. Here is a little info about Daemon Tools:
DAEMON Tools is an advanced application for multiprotection emulation. It is further development of Generic Safedisc emulator and incorporates all its features. This program allows running Backup Copies of SafeDisc (C-Dilla), Securom, Laserlock, CDCOPS, StarForce and Protect CD (and many others) protected games. Also included is a Virtual DVDROM drive (Generic DVD-ROM) enabling you to use your CD images as if they were already burned to CD! DAEMON Tools works under Windows9x/ME/NT/2000/XP with all types of CD/DVDROM drives (IDE/SCSI) and supports nearly any CD protection.
I don't know who is worse- the guy who turns twenty people into a mob of thousands, or the guy who reads it, doesn't check it out, and then blathers on about this signal of "doom."
Give it a rest
Why the Army is delayed-per SKS
From today's conference transcript:
We think that the pre-boot environment is going to be a very interesting place. Once you start to encrypt all your drives, you've heard from a dozen companies today about strong authentication. What they don't know is that all their software won't work in a couple of years. And the reason is, once they have a Full Disk Encrypting drive, I have no operating system anymore. All my authentication takes place without an operating system. So, you have to build authentication independent of the OS environment. And so, it's a very interesting constraint that comes along with that because clearly in BIOS you have a lot less space. And this is going to be true for anybody who turns on Full Disk Encryption even within the context of what Microsoft has done is a very limited OS that works with Microsoft Vista BitLocker.
****snippage*****
Just a simple fact, that all strong authentications are moving pre-OS. Nobody here is saying that. Your army just discovered this. They just went on and said we are going to put all our machines to have data protection in the machines and then they discovered that in the act of that they are fundamentally breaking all of their strong authentication solutions
-end of transcript-
My comments:
Sounds like there are software conflicts between using TPMs and their previous authentication systems.
It also sounds like once they get them resolved, they are heading to TPMs, and would have adopted use of them already if not for this.
Govt IT employee comments on FDE and developing policy:
From Bruce Schneier's blog, scroll down to bottom
http://www.schneier.com/blog/archives/2007/01/us_government_t.html
I am a GOVie implementing an in-house answer to the whole-disk encryption requirement list. Bear in mind that my opinions posted here are not spoken on behalf of my employer :).
I appreciate your insight into the technical deficiencies of the requirements list.
I guess I should explain our intentions. It's been said that no solution offers 100% coverage. This is especially true where physical access to a machine can be gained by an adversary (as in a laptop's hard disk). What we're trying to do is minimize the risk.
I think you're running into the classic butting heads of policy versus reality. Policy states that our secure laptops are not to be carried in the same container as our CAC. Policy also states that our CAC PIN is not to be written down (let alone written down and taped onto our CAC).
Reality dictates that there are probably violators out there, true. The risk is minimized through policy, though. The intersection of people that carry their laptops and CACs in the same container is very small. The intersection of that small group with people that write their PIN on their CAC is even smaller. The intersection of this very, very small group with people whose laptops get stolen is hopefully 0, or somewhere very close to it. Further, the intersection of those stolen laptops with thieves that care about the CAC + PIN is even smaller -- they're probably most interested in the value of the machine. This is what I mean by risk minimization. It's still possible for someone to get the laptop + CAC + pin, but the chances of them doing this successfully and know what they've got are very, very, very, (did I mention very?) small, because most .GOV workers follow policy.
It's true that an adversary could print up a fake CAC with a custom applet on it that grabs the user's PIN. The user will know something is up, though: they won't be able to sign in to the laptop, they won't be able to VPN back to home base, etc, because the fake CAC won't have their key in its private memory. They'll call their help desk (hopefully) and their CAC will be determined dead, it will be revoked, and added to the certificate revocation list. A new card will be issued, with a new PIN. It's hard for a laptop's disk encryption scheme to actually obey the CRL, as it has to decrypt the hard disk before OS services are available, so the adversary could still steal the laptop and use the original CAC to decrypt it, I suppose. Of course, the adversary could also rig up a custom laptop with custom ccid reader and custom CAC, and leave the old CAC plugged in somewhere, allowing the new laptop to do a kind of man-in-the-middle...
Still, anyone capable of performing this type of "fake CAC" feat has significant resources behind them. They aren't your common thief, they likely know what they're trying to get (nation-state actor or something like it). Laptop hard disk encryption is not meant to protect against this kind of adversary. Data that must be protected against this kind of adversary should be classified at a sufficient level, as in SECRET or above (technically the classification is a measure of damage that the data could do to the US if it is leaked, but if a resourceful actor is attempting to gain the data, it is highly probable that this is the case). Classified data is not allowed on a laptop used in an unclassified environment (e.g. outside of a classified facility, like your home or starbuck's). In order for such an actor to gain access to such a device, they would have to have a security clearance, would have to get past armed guards, etc...insider threat and armed enemy combatants are also threats that this solution is not meant to protect against.
A different variety of safeguards are put into place on machines with classified data. The protection provided is commensurate with the security classification of the data on the device. Laptop disk encryption is meant for unclassified data, where harm will not cause significant damage to operations of the US government. As such, it does not require the more stringent safeguards, and disk encryption should suffice.
I hope this provides a little more insight into the rationale behind the list, and I hope that it dispels the idea that we're trying for a total solution. We recognize the problems, we're just trying to make it very unlikely for petty theft ala the VA laptop case to put unclassified but for "for official use" data at risk in the future.
Cheers, and thanks for the input,
Reid
BOEING is adopting FDE on all laptops
Found the following on Bruce Schneier's blog:
(Scroll down-fifth post from the bottom)
I work for a major manufacturer of commercial and military aircraft. We have had a couple laptop thefts make the news over the last few years and we are switching to whole disk encryption on all of our laptops.
The key is assigned by company security so no token is required. Although the laptop will boot without any need to enter or have a key, you still need a domain or local account to log in. If you use a program like Norton Commander or some Linux boot CD, you cannot use the utilities to change the passwords or view the files on the drive because the drive is encrypted and therefore unreadable without booting from the drive first.
Posted by: Ron at January 7, 2007 10:27 PM
http://www.schneier.com/blog/archives/2007/01/us_government_t.html
*********************************
I followed the link in the post by "Ron" on the Schneier Blog page, and found out that the post was written by Ron Hagerman, and that he is a Boeing employee.
http://www.rons-sandbox.com/?page_id=26
May 17, 2005
About Me
Filed under: Misc Crap — Ron @ 3:06 pm
My name is Ron Hagerman. I was born May 27th, 1968 in Stillwater Minnesota.
I have an Associates degree in Electronics Engineering Technology from ITT Technical Institute in Seattle Washington and a BS degree in Computer Science emphasizing in networking from City University
I am currently a Systems Design and Integration Specialist for The Boeing Company and have been doing that for 8 years. Before that, I fixed in flight phone systems for AT&T. I spend a good portion of my time developing databases in both SQL Server and Oracle. I also write scripts that monitor all aspects of the Boeing Enterprise using the HP OpenView Operations product.
*************************
Boeing has about 155,000 employees
A company profile:
http://en.wikipedia.org/wiki/Boeing
So, out of 155,000 employees, how many will have laptops?
Yep, he works for Boeing-Here is his profile:
http://www.rons-sandbox.com/?page_id=26
May 17, 2005
About Me
Filed under: Misc Crap — Ron @ 3:06 pm
My name is Ron Hagerman. I was born May 27th, 1968 in Stillwater Minnesota.
I have an Associates degree in Electronics Engineering Technology from ITT Technical Institute in Seattle Washington and a BS degree in Computer Science emphasizing in networking from City University
I am currently a Systems Design and Integration Specialist for The Boeing Company and have been doing that for 8 years. Before that, I fixed in flight phone systems for AT&T. I spend a good portion of my time developing databases in both SQL Server and Oracle. I also write scripts that monitor all aspects of the Boeing Enterprise using the HP OpenView Operations product.
A Military Aircraft Vendor Switches to FDE...
Found the following on Bruce Schneier's blog:
(Scroll down-Fourth post from the bottom)
I work for a major manufacturer of commercial and military aircraft. We have had a couple laptop thefts make the news over the last few years and we are switching to whole disk encryption on all of our laptops.
The key is assigned by company security so no token is required. Although the laptop will boot without any need to enter or have a key, you still need a domain or local account to log in. If you use a program like Norton Commander or some Linux boot CD, you cannot use the utilities to change the passwords or view the files on the drive because the drive is encrypted and therefore unreadable without booting from the drive first.
Posted by: Ron at January 7, 2007 10:27 PM
http://www.schneier.com/blog/archives/2007/01/us_government_t.html
Could it be Boeing???
WOW-another possibly huge statement in rooster1's post
Agencies also can expect more attention to building trust relationships to assure security controls at vendors
So, does this mean that the new governmental policies will be extended to government vendors? Sounds like it...
Cliffdweller- Absolutely!
The best thing about the new FDE drives is not the revenue Wave gets now (although that is a big fat forehead wiping WHEW) As the FDEs get us towards break even, they will be doing an even more valuable thing for Wave's prospects-exposing potential customers to the issues of key management, at which point Wave gets to say "We'll make that problem go away for you..." and the upgrades pour in along with server sales.
What a tantalizing statement in Fullmoon's interview-
One of the biggest challenges is managing the encryption. It is a real a pain to manage passwords and keys. By partnering with the application developers we are bridging this gap.
A link to a debate on FDE in Govt.
Courtesy of Jose Cuervo on Atomic Bob's
http://www.schneier.com/blog/archives/2007/01/us_government_t.html
Note the questions/comments after Schneier's blog. People have no clue about the capabilities of the TPM enabled FDE, or of the use of biometrics with the TPM, or of the benefits of TPMs in general. They also cling to the "nothing is really secure-anything can be hacked given enough time" mindset pretty tightly. Hopefully, Wave and Seagate can provide succinct info that eases these fears. In any case, this supports, IMO, the opinion that the government business may take a bit of time to develop to its full maturity. There are some attitudes that need changing out there...
Tsunami07- A word of thanks
Thank you for your posts. I appreciate the extra work that you put in to include all of the dots that you think may be related to the DD that you post. I have started a "Tsunami file", and save them for future reference.
I think the show will be a good one.
T-Bone- agreed about 90% as well, with a caveat
The reason that I say "if" is the long history of start followed by delay in the roll-out of trusted computing. It looks good, but I will only celebrate when I see it in writing.(The DoD wide license)
Have a great Christmas, and hopefully join all wavoids in a phenomenal new year.
Nicknamen, consider this:
The DoD is requiring TPMs to be a part of all new computer purchases. They are doing that for a reason-because they intend to make use of them.
Think about the bureaucracy that is present in the Army, who started the TPM requirements. Think of all the fiefdoms that exist, all of the bureaucrats that would guard their budgets and turf jealously, and of the political games that must take place. TPMs and trusted computing had to pass muster at many levels, and have many people sign off on their value and necessity.
The Army, and the DoD were Wave's first big sales job, and it appears that they came up roses. If the DoD goes TPMs and Wave, their vendors will follow, not just by choice, but because the DoD will not let sensitive info that rests with their vendors be exposed. That will start people talking, and put Wave front and center of considerations for computer security.
I guess what I am saying is, if a calcified bureaucracy like the Army passed by software encryption in favor of TPMs, I am very encouraged that enterprises will do the same in large enough numbers for Wave to break even this year.
Even though I know that when logic runs up against reality, sometimes budget limitations trump best practices.
Seagate will require *some* software from Wave
At least, if they want to make their drives interoperable with any manufacturer's TPMs. Right? So, at the very least, we should get ETS lite bundled, with TDM at the very least blue-lited, if not bundled, itself.
If Seagate bundles TDM directly, in contravention of what they normally do, what a powerful signal that will be of Wave's strong position in the trusted computing world, and of the likelihood that trusted computing is here as a force now.
I am very anxious to see the shape that the Seagate deal will take. It will tell us much about Wave's current position.
Nicknamen, and others-thanks for the discussion
It can only help, even if you don't agree with all expressed here.
Goepling-appears the govt. is still heading our way-Nice Find!
I like this part:
The introduction of the PIV card in the Federal government will inevitably result in a number of cultural and technical evolutions over the coming year.
Here is where we anticipate major changes:
--The Fall of the Flashpass – One of the biggest advantages of FIPS 201 is the ability to use PIV cards across agencies with a low risk of fraud. This is done through electronic authentication (such as certificate checks and biometric matching), as well as a standard topology. However, the reliance on topology (flashpass) will be phased out as these more secure means of authentication are utilized. With the implementation and/or upgrade of sophisticated physical access control systems as well as stand-alone PIV credential authentication workstations in the coming year, the number of locations where a visual inspection of the card alone will suffice for access will diminish significantly.
--Cross Agency Authentication and Interoperability – The use of the PIV credential in the logical world is setting a new trend as the ability to recognize and interact with card holders from other agencies becomes possible. The capability to protect data in transit and at rest will significantly reduce the liability faced by the government from incidents such as the data loss by Veterans Affairs this year. We can expect the widespread use of local data encryption and encrypted communications facilitated by PIV credentials in the daily processes of Federal agencies by the end of 2007.
--Beyond the Federal Government – Although the Federal government is the only organization required to meet this standard, PIV cards are becoming a de facto standard for other organizations looking to promote interoperability with the federal government and increase security through implementation of standards like FIPS 201. We anticipate that the next year will bring functional pilots and full implementations of PIV card systems in the first responder/state and local community. It will also likely see capability demonstrations of PIV standard or near PIV standard credentialing in state governments, corporations, education, banking, and the IT industry. We see the potential for non-federal organizations issuing their own credentials that meet FIPS-201 requirements, which are recognized and accepted by the Federal government in some circumstances, such as disaster response.
What has started as an upgrade to security is rapidly becoming a major paradigm shift in the operations of the Federal government. Many of the business process changes of the coming years will start to become apparent over the next year as the government raises the bar on trust, assurance, and identity protection.
Nick- again, most excellent and pragmatic comments
I especially liked
Although retired, three plus decades in sales and management in the computer industry leads me to suspect that a client software component has less of a total cost of implementation, maintenance and ownership than a gold standard solution we represent.
Wave management should have armed their sales force with a total cost benefit, ROI analysis for this very issue, like what the customer did for Papa Gino's.
On HP, the way management thinks is that their way will force customers to go with an all HP solution even though it won't. When it doesn't work they will fire a few salesman and managers until they accept the truth.
People need to realize that there are still many people related issues that we will need to overcome. Pride and hubris (like HP) are just one of them.
I would suggest to you that the software engineer types that have dominated the discussion here for so long need the sales and customer relations experiences that you bring. I will look forward to your posts.
Zen- I would refer you to this post by xxxcslewis.
http://www.investorshub.com/boards/read_msg.asp?message_id=15396940
It seems the IDC forecast might be a bit too optimistic...
mymoneybegone
Your description of people making decisions based upon the available information made me think of this well documented psychological phenomenon:
http://en.wikipedia.org/wiki/Availability_heuristic
The availability heuristic is a rule of thumb, heuristic, or cognitive bias, where people base their prediction of an outcome on the vividness and emotional impact rather than on actual probability.
An everyday example would be the statement: "Sorry I'm late—I hit every red light on the way here." Here the aggravation of the red lights made them seem more prevalent than they actually were.
This phenomenon was first reported by psychologists Amos Tversky and Daniel Kahneman.
One important corollary finding to this heuristic is that people asked to imagine an outcome tend to immediately view it as more likely than people that were not asked to imagine the specific outcome. If group A was asked to imagine a specific outcome and then asked if it was a likely outcome, and group B was asked whether the same specific outcome was likely without being asked to imagine it first, the members of group A tend to view the outcome as more likely than the members of group B, thereby demonstrating the tendency toward using an availability heuristic as a basis for logic.
In one experiment that occurred before the 1976 US Presidential election, participants were asked simply to imagine Gerald Ford winning the upcoming election. Those who were asked to do this subsequently viewed Ford as being significantly more likely to win the upcoming election, and vice versa for participants that had been asked to imagine Jimmy Carter [Carroll, 1978]. Analogous results were found with vivid versus pallid descriptions of outcomes in other experiments.
Availability effects in lethal events
When asked to rate the probability of a variety of causes of death people tend to rate more "newsworthy" events as more likely. People often rate the chance of death by plane crash higher after plane crashes, and death by natural disaster as too likely only because these events are more reported than more common causes of death. Other rare forms of death are also seen as more common than they really are because of their inherent drama: shark attacks, terrorism, etc.
Denial as a reverse availability heuristic
An opposite effect of this bias, called denial, occurs when an outcome is so upsetting that the very act of thinking about it leads to an increased refusal to believe it might occur. In this case, being asked to imagine the outcome actually made participants view it as less likely.
It’s pretty vivid to think of Wave kabooming. Not so vivid to think of an ongoing process of decision by thousands of companies. Yet, that is where we are now.
That is why Seagate is so important. A cheap, simple solution that uses TPMs. Just what the doctor ordered. IT people will be able to sell their boards of directors and CEOs on that approach a lot more easily.
That’s why I have said we shouldn’t be too concerned whether we get 3, 5, 10, or 15 dollars per drive. Just get them out there, get people using TPM encryption, having to manage keys, and experiencing the gold standard of security. That’ll start a buzz. That will make the Availability Heuristic work in our favor, instead of against us.
Upside- agreed- any TC implementation is good for Wave. I look at the possible illogic of some decision making (per my previous post) more as an issue to watch in terms of the initial deployment of the technology. Since Wave is still not break even, it is very significant just now. After break even, we can wait out the "lets see if we need this stuff" crowd. As long as no VHS comes along to turn us into betamax... (I had a betamax machine, too)
But, so far, so good. We are in every implementation of TC that requires interaction with networks of TPMs from various manufacturers. That's what keeps me invested.
The overall effect of decision makers will be a muffling of the kaboom into a bit more drawn out process.
Nick- A far more pragmatic and interesting view than those who would poke sharp sticks into SKS. Your last paragraph delineates the key challenge that Wave now faces. Will companies and IT managers take the cheap, quick dirty way out of their security issues, or will they go with what should be the gold standard?
It's an all too human tendency to put off facing problems and spending the money it will take to solve them properly. That's why the DoD will be so important, if we can get the contract. It'll force contractors to use TPM security.
It's also why Seagate is so important. It puts us right in front of people, instead of us being just one choice of many. It also gets them using keys, and confronting the necessities of managing them. If Seagate wants to squeeze us a bit, so long as we don't just give it away, I say do the deal. Get people using their TPMs, and we will eventually profit.
These initial bundling deals have never been where Wave has been going, anyway.
Weby-What does this mean?
http://www.reselleradvocate.com/public/ram/issues/ram58/ram58_safety_coverstory02.html
A quote from page two:
This sounds pretty slick in theory, but implementing it in the real world proved more difficult than Seagate had anticipated. A wealth of BIOS compatibility issues had to be overcome, installers needed a more streamlined system configuration process, and users needed more robust, friendlier integration between FDE drives and other security applications. As such, Seagate pulled back on FDE deployment and is targeting a 1Q07 ramp-up—a date that meshes with the proposed Vista launch window. Seagate isn't linking the two events directly, but Joni Clark notes that the new FDE platform software Seagate is preparing will allow for drive unlocking via the Windows logon as well as seamless integration with biometric and other security devices. And while FDE doesn't yet have a single, system-wide authentication wherein the user only needs to enter his password once, this is in the works.
Is this key management/migration? Does this mean that Seagate will be deploying a key management solution? If not, what else might it be?
ZZT-Bone
I too am waiting and wondering what the Seagate deal will look like. I am not, however applying that deal as an absolute litmus test to be used to damn SKS if it is delayed further. As I documented in this post,
http://www.investorshub.com/boards/read_msg.asp?message_id=15344555
a reporter has revealed the reason for the Seagate delay. Note-it is not related to Wave, or SKS. The delay was caused by BIOS compatibility issues.
Your statement "Is his statement misguiding, or will he deliver what he stated?" is a false dilemma. Saying that either the deal gets done by year end, or SKS has lied to me leaves out too much info. In other words, if the Seagate deal does not materialize by year end, there could be any number of reasons why, most of which are not in Wave's control. So, I ask you, if the deal is delayed past Dec. 31st, will you still feel deceived by SKS if the delay was caused by bios difficulties? It's your call, but I for one will not feel deceived. Technical delays are bound to happen at this initial deployment stage. I would, in fact, tell you to expect more of the same. The question is can Wave make enough money in the meantime to last through this initial stop and start phase.
John Galt- If you check any of the yearly reports, and the disclaimers attached to all of them, you will find that you have been warned about the issues that Wave faces as an ongoing business concern. So, I think that you have been told everything that you need to know as to the risky side of your investment in Wave. You and I, and everyone else here has chosen to invest despite those warnings. It is well chronicled on this board that Wave has cash flow problems that have led to dilution. It has also been documented that Wave is experiencing delays in the deployment of its technology.
Are you really going to try to tell me that you have not heard these things?
The issue then becomes not whether we have been deceived, but instead, a question of how much information is it prudent for a CEO to disclose in a public venue. I would argue that a CEO should portray as much strength as possible, for a number of reasons.
1) In contract negotiations, if your opponent thinks you are desperate for a deal to get done, maybe they can squeeze you for an extra few weeks, till maybe you come down in your demands.
2) If a hostile takeover is initiated, we are better served by portraying as much strength as possible, either to avoid the takeover, or to get the best price possible.
3) Companies that may like your software will want to know that you will be around in the next year to provide service/support.
4) It's bad for employee morale, as well, to make too many negative statements. How hard will our sales force work if they are unsure Wave will even be around next year? Not very.
5) In our present position, attracting new investors will be harder the more weakness that is portrayed.
IMO CEOs, and other leaders, pick and choose information to release, frame developments in the most positive light possible, and generally craft a message that both represents a company's prospects and protects its interests. And, I assert that this is the norm, not the exception. I also state that in general, CEOs that are too negative do damage to their companies. I would also acknowledge that CEOs that promise what they cannot deliver will damage their company, as well.
To say that any CEO should answer any old question by "telling the truth," as you demand is hopelessly naive. There is not a CEO alive that will do that in such an absolute fashion.
Should patent falsehoods be stated? Absolutely not. Should crucial information be withheld, or books be cooked? Again, absolutely not. It is up to you as an individual to judge whether that has occurred. That is part of why you do DD. Yet, you must not really think that, or you wouldn't still be here. At least, you must still see enough of the business plan holding true to expectations to stay.
You also do the DD because you realize that a CEO is, by definition, not necessarily the best source for unbiased information on the company.
I personally think that the Spraguespeak problem has been a combination of early overexuberance and inexperience, and lately has been a function of an inability for anyone to accurately predict the uptake of this new paradigm. I do not think that deliberate lies were told. I think that SKS has presented a message of the more positive possibilities that Wave faces. As he should. Has he overpromised? Has damage been done as a result? The only damage that is readily apparent to me is some rankled shareholders. I see Wave's position in the TCG paradigm improving, the company moving to break even this year, and a variety of deals waiting on the horizon. Damage? Nope.
As we start to get multiple quarters of bundling and licensing revenues, projections should get better. Once we have steady, break even income established, things like waiting for the Seagate deal will not be the subject of so much angst. Then, the tempest in this particular teapot will cease.
John Galt- If you check any of the yearly reports, and the disclaimers attached to all of them, you will find that you have been warned about the issues that Wave faces as an ongoing business concern. So, I think that you have been told everything that you need to know as to the nature of your investment in Wave. You and I, and everyone else here has chosen to invest despite those warnings.
Weby
The article that I took the quote from is a summary of all of the current "best of class" options available for security at this time. The number of options and the myriad different approaches can just about make your head swim. This also will work against us in the beginning. We need a buzz to start. Of course, DoD adoption would take care of all of that, but who can say when our government bureaucrats will get around to making that move...
Seagate pricing info
From the Reseller Advocate Article, courtesy of Cliffdweller at Atomic Bob's
http://www.reselleradvocate.com/public/ram/issues/ram58/ram58_safety_coverstory02.html
Again, from page two (bolds mine)
Of all the potential advantages we've seen for whitebooks over tier-one portables, the FDE drive is among the most compelling. The fallout from the May theft of a Veteran's Administration laptop containing private data on over 26 million veterans continues. In June, the President issued a directive requiring that all sensitive data on mobile government devices must be encrypted. The California Security Breach Notification Act (Senate Bill No.1386) states that encrypted data loss is not required to be reported as a security breach to customers, and in the last two years 24 states have enacted similar laws relating to data encryption. So any company responsible for maintaining the confidentiality of stored data would be negligent if not downright stupid not to implement encryption, if only to mitigate the potential embarrassment and customer loss entailed with being required to admit security incidents.
"The message we're trying to get out to resellers is that there are lots of people who have to comply with these state or government regulations," says Seagate's Clark. "Banks, health offices, schools—all these institutions have to comply. Everyone's going mobile. They need encryption. They can do it through software, which may be painful, or they can do it the really easy way. And a software encryption package is going to cost anywhere from $99 to $250. Getting one of our drives with FDE may be like only $20 more than a non-FDE drive. That's how little it is."
So, the twenty extra dollars for a FDE drive will be divided up between Wave's cut, Seagate's cut, and who else? Are there other players providing extra parts/software that the extra twenty dollar pie will have to be shared with?
An example of why/how delays take place...
Courtesy of Cliffdweller at Atomic Bob's.
http://www.reselleradvocate.com/public/ram/issues/ram58/ram58_safety_coverstory02.html
An article from Reseller Advocate Magazine. The reporter discusses the Seagate FDE drives, and states why they have been delayed:
From page two
Because FDE technology encrypts the entire disk—master boot record, OS kernel files, and everything else often skipped by software-only solutions—there needs to be integration between the system BIOS and the hard drive. FDE begins with user authentication during the POST, and that password is hashed and stored on the drive. A pre-boot partition of perhaps 10MB serves to handle the authentication process before the user can gain access to the main partition and the rest of the operating system. The end result is that unless the user authenticates, the usable parts of the FDE drive are completely inaccessible.
This sounds pretty slick in theory, but implementing it in the real world proved more difficult than Seagate had anticipated. A wealth of BIOS compatibility issues had to be overcome, installers needed a more streamlined system configuration process, and users needed more robust, friendlier integration between FDE drives and other security applications. As such, Seagate pulled back on FDE deployment and is targeting a 1Q07 ramp-up—a date that meshes with the proposed Vista launch window. Seagate isn't linking the two events directly, but Joni Clark notes that the new FDE platform software Seagate is preparing will allow for drive unlocking via the Windows logon as well as seamless integration with biometric and other security devices. And while FDE doesn't yet have a single, system-wide authentication wherein the user only needs to enter his password once, this is in the works. By first quarter, the Momentus FDE drives will have also transitioned to SATA and adopted 128-bit AES encryption.
Snackman
You wrote to ZZT-Bone to ask SKS for more information. What would that solve? We would then have another prediction from SKS, and we know how the previous ones have gone-regardless of the authors of said predictions. Why ask for more in this way?
I don't intend this as a criticism, instead I would like to point out that saying that we are unhappy with past disclosures and projections-and then asking for more of the same-is like pounding your head into a concrete wall. You get the same result, with ever increasing pain. I realize that you were simply saying quit whining, etc. and ask the questions yourself. I suppose I am more directing this at those who like ZZT-Bone repeatedly ask for these disclosures and projections.
I am a little puzzled as to the tone of the criticism of SKS. Should we note that he has been wrong in the past? Yes. Should we interpret that as lies, deceit, or incompetence? No. After all, we ASK for the predictions.
What would we have SKS do? Not answer a request for info? No. Instead, he gives his best estimation, given what he knows at that moment, assuming that he is allowed to disclose the info. WE then take that and run with it as if it is gospel.
Would we rather that SKS said something like "I think the Seagate deal could be done by xxx date, but any number of things could interfere until then to delay it-and in fact, the TCG adoption is still so early that all of this could easily be derailed."
Would that serve our interests as investors of Wave? Think back to the one time that SKS made such a statement. Remember? He said that you should not yet "bet the house" on Wave a few years back. What happened to the share price? It tanked.
SKS is trying to do the best that he can for Wave investors. He and his management team choose to make statements that they think will help Wave's interests. Are we really surprised by that?
Should we take it as gospel? No-for two reasons: First, SKS, by the nature of his position, is going to be very positive in his statements about Wave's prospects. It's what a CEO should do. (Up to a point, of course) Second, the market is still embryonic. For example, we don't even know what we are likely to realize from our relationship with Dell because of old product lines phasing out and new ones replacing them.
Bottom line, it is too soon for solid numbers in any phase of Wave's situation. In addition, too much gamesmanship goes on in contract negotiations to assume that a deal is done until it is signed. Ever been bait-and-switched at the car dealer? Who knows what could be happening in deal negotiation? Only those in the room. And often, public statements can be counterproductive while negotiations are ongoing.
All we can do is wait. And, unfortunately we can't change that.
Meanwhile, might I suggest the Serenity Prayer?
God, grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference...
Hope you have a peaceful night
Weby
The disappointment that some feel over the recent delays is unfortunate, but I believe that it is the product of errors by the wavoid community just as much as it has been caused by inaccurate predictions by SKS. There has been too much of a “Kaboom!” seeking attitude among some, and when the Kaboom! didn’t materialize, they felt let down. Others unrealistically clung to predictions of sales and adoption rates in an absolutist approach, ("these numbers better be right, or I will be mad") and then were angered when delays appeared. That is not SKS’s fault.
Wavoids need to realize that they have been phenomenally good at predicting a major paradigm change. It is a substantial achievement to see change like this coming down the path from so far away. It’s unusual for anyone in any part of their life to be able to predict things so far in the future. Heck, lots of people will have a tough time telling you what they are going to be doing with their own life years in advance, let alone what paradigm giant companies like Microsoft, IBM, and Intel will be switching to years ahead. For that, wavoids should give themselves a pat on the back. TCG is here, and everyone is implementing it.
Conversely, wavoids, including SKS, have been very bad at predicting the pace of the adoption of the technology. It is highly likely that this pattern of poor performance in predicting adoption rates will continue. Therefore, anyone who is saying things like “I’d better see something soon or…” is setting themselves up for disappointment.
Why? The milieu that swirls around the developing TCG standards and new products is exceedingly complex. It gets more complex every day. There are numerous players that can and do throw up roadblocks at any time. Think about the delays in the Seagate deal. First, a switch between SATA and PATA drives delayed deployment of the FDE drives. There may be other things that happen to cause further delays- it might be that until they get all of their pricing worked out, we can’t know with certainty how much we will make on each drive. Or, if the drives become commoditized quickly, (as Hitachi is starting to do) it will force the price down, and our cut may be less, as well. Or, maybe we are asking Seagate to allow us to get micropayments on the virtual secured parts of their drives, as their CEO said they might attempt. In reality, any number of things could be delaying the deal, and it is impossible to know, unless you have inside info.
Take the possible reasons for delays from Seagate and extrapolate them across all of the OEMs, etc. that Wave hopes to market to, and then also across all of the enterprises Wave hopes to sell to, who might choose to delay adoption for a quarter or two, and you have a Gordian knot that no one could cut. It’s like trying to predict the weather. There are so many variables at play that if you try to predict too far in the future, you are guaranteed to be wrong.
You can demand that numbers be given to you, but, until there have been at least a couple of quarters of documented, proven sales/licensing/bundling, etc., those numbers are just smoke. No one knows for sure.
What do we know? We know that adoption is here, and has happened. We also know that thus far, every TCG application that would require networks of TPMs from multiple manufacturers has used Wave as some part of their product software.
I like our position now, compared with one year ago, another failed round of predictions of the speed of adoption notwithstanding...
Top ten reasons to own WAVX:
#10
You are in on a “ground floor” investment:
This is both a plus for investing in Wave, and one of the biggest crosses to bear, as well. While it is likely that we early investors have purchased our shares at a considerable discount to what those who buy in two years will pay, we also are the ones who must bear the worries, risk and volatility of Wave’s transit through these early, developmental days.
#9
Competition, or lack thereof:
Wave is still the only software maker who can leverage networks of all manufactured TPMs. (For verification of this, see reason number one) GoKite is right to say that for now, other security approaches may take money off the table, but, I think that in the future if TPMs are widely acknowledged the best solution to protect your data and passwords, Wave will be the one claiming most of the money. HP and Infineon only get in the way of one small part of what Wave seeks to accomplish-management of TPM use on an individual computer. Wave still has no competition at what they really seek to do long term-provide the software that will allow companies to leverage networks of TPMs to provide trusted services of numerous varieties. While HP/Infineon block Wave from some computers at the 50 cent ESC lite level, Wave can still sell Esc full version for 20 to 50 dollars to any computer with a TPM, including HP and Infineon. Not a major issue in the long run IMO.
#8
Wave’s industry connections:
This story is not just Wave versus the world. Wave is a member of or otherwise affiliated with a number of groups of companies who are pushing trusted computing (FIXS, the TCG, etc.) These companies will want the TCG approach to succeed, either for their own profits, or for the relief of worries about protecting data at rest, identity theft and the like that the TCG approach will give. I also think that these member companies will be an excellent pool of prospective customers for Wave to sell into soon.
#7
The TCG/TPM approach has been validated at the chip, OEM and individual TPM management software level:
TPMs will soon be in all computers. Cell phones are close behind. Is there any more doubt as to the ubiquity of TPMs? Think of all the companies that have invested money in the TPM approach. They are all telling you with their checkbooks that this is an important new development. Many millions have been invested in TPM development/deployment by the likes of Dell, Intel, Winbond, Seagate, Microsoft, HP, Infineon, and too many others to list completely. They are all shouting at the top of their lungs “TPMs ARE HERE!” It is the time that Wave has been waiting for. Now, the more TPMs are used, the more keys get generated, and the more need there is for Wave.
#6
NTT
The largest integrator in Japan is leveraging Wave’s software in an attempt to bring to fruition some or all of the TPM’s promise of trustworthy computing. To see a technologically advanced nation like Japan turn Wave’s direction is heartening. (The 100 million dollars that they could send our way over the next few years is also, er, heartening.)
#5
We are a key part of an emerging paradigm:
How many investments can say that? And how many can say that the use of their key component, TPMs, reaches across the spectrum of technology involving data. Any electronic data that is at risk of being hacked or stolen is a candidate for TPM hardened protection. The potential market is huge, and numerous companies have been hit by data at rest losses recently, so they should be motivated to look for a solution, if only for protection from lawsuits.
#4
The U. S. Department of Defense is pushing TPMs.
Use of all of those TPMs will lead to the need to manage networks for attestation and key management/migration. Wave is the only company to allow the DoD to manage all of those keys across multiple types of TPM platforms. The Army validated this when they turned to Wave to consult on their apparent recent trials of the technology. Should the DoD adopt Wave, that will serve to introduce Wave into the whole spectrum of DoD contractors. The DoD will certainly demand the same level of data protection for sensitive projects awarded to contractors. That being said, getting the government to do anything is like trying to get cats to march in a parade. This one might take a while. But, once you are in, Cha-Ching! The DoD might force Wave to a substantial discount price, but Wave should do it ASAP so that they can get busy selling to DoD contractors. If the DoD mandates TPM protection by their contractors, it will be Wave in the driver’s seat as they negotiate with contractors.
#3
Seagate and Dell are the two major players pulling Wave’s cart:
A pretty good pair of horses to hitch your wagon to, eh? Dell already is pushing Wave’s technology, and once the deployment happens for Seagate’s FDE, it will put Wave in front of millions more customers who WILL be using the TPM on their machine.
#2
The Seagate deal:
Seagate is critical to Wave, but not for the money that they will bring Wave through bundling on the FDE drive. The real value of the Seagate drive to Wave is that all of those FDE drives will be generating keys that will need managing. Hopefully, after a few issues with employees losing/forgetting logins, the need for key management will be apparent to all. This is the point at which Wave is the only solution, and they should be able to cash in, big time. The bundling revs will help in the short term, but the big tamale is the need for Wave’s server applications that the Seagate drives should help create. Some worry that Seagate may be able to twist Wave’s arm to lower the bundling fee per individual drive. I say, the sooner that the FDE drives get out there, the better for Wave, even if that means our arm is a little twisted over bundling. (UNCLE! Just sell them already!)
The Seagate drive will also move TPMs from the realm of the Weitek coprocessor (ala DigSpace-Dig used the Weitek as a possible analogy to the TPM. The coprocessor got added to many computers, but never really used.) The Seagate drive WILL use the TPM, and thus introduce millions to the TPM, TCG concepts and to Wave through the TDM. (Tipping point for Wave follows...)
#1
So far, all new products that are using/leveraging combinations of TPMs from multiple manufacturers are using Wave’s software. This confirms Wave’s place at the center of future trusted computing applications. All roads to the use of TPM networks still go through Wave, and we have seen no evidence of this changing one bit. Seagate, Juniper, and Nortel are early to the party. Let’s hope they are the first of many.
**********************************************
I am not trying to be a cheerleader here, but all of the tempest over the 3Q CC got me thinking. I realized that I just wasn’t as bothered by the call as others seemed to be, and began thinking about why. This list is the result of those musings. As far as I am concerned, the 3Q numbers did not change anything of importance related to Wave. All they did was disappoint those who had become invested in either their own, or someone else’s “projections” of what Wave should make in 3Q.
IMO, those who make projections should be appreciated for the time that they take to provide us with an educated guess about Wave’s prospects. Their guesses are interesting, but they should also be taken with a rather large grain of salt. How many projections have crashed and burned over the years? Everyone has failed at accurately predicting both the roll out of trusted computing, and the ramp of revenues to Wave. The list of those failing includes OEMs, service providers, SKS, and assorted board personalities. I would ask those who were disappointed at the failure of the projections; Why are you surprised? The only person to come close the last couple of quarters is DigSpace. Hats off to Dig, (and also please notice that Dig is calling for 2-4 million in Q4.)
It’s a new market, with roll out just now occurring, and every little delay or issue will be magnified. We are bound to see other issues cause a few bumps in the road for Wave, as well. The key is to reach break even so small problems are not as critical, and then make steady progress at converting companies from using TPMs only on individual computers to forming trusted networks.
In the meantime, please note that the first real product using TPMs that is guaranteed to both sell and be used in large numbers is the Seagate drive. Throughout 2007, FDE drives will be permeating the market. Let’s hope that the initial bundling revs put us over breakeven in Q2/Q3, and that Wave can capitalize on those new TPM users.