Hi Weby
The thing that I have been noting over the past few months is that since we discovered and dissected the Presidential Plan to Secure Cyber Space,
http://www.whitehouse.gov/pcipb/
the governmental activities regarding securing their networks have all been following that framework pretty consistently. The activities noted in the articles I posted tonight -the Winter Fox exercise and the report that the DoD expected to have thousands of employees using the CAC cards, show that the plan is moving forward (and quite rapidly-compared to our government's usual speed). Those activities are also interesting places for Wave to have played a consultant's role. (If that is where they did their consulting.) And, as you note-Wave is consulting just at the time that the government is going to decide the machine security authentication requirements.
The best thing that is noted in those two articles is that if a major agency adopts this system, the potential savings would be 32 million dollars per year. Money talks like nothing else can. Even the most narrow minded of federal administrators will see the value.
Then, of course, comes the need for the government vendors to adopt the system for their traveling laptops. One of the articles I posted a couple of months ago speculated that once a trusted network is in place, vendor salesmen who wish to plug into an agency network will have to authenticate just the same as all the agency machines do.
From the federal government, to the states, to the government vendors. This is going to go on for a long time.
Here's to a long hockey stick handle!
Goin Fishn
But rained out this weekend
Helpful- FIPS 200 here- Rather Important
FIPS means Federal Information Processing Standard. Standard 200 is linked below, but I think standard 201 is most important to Wave.
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Goin Fishn
OT: More Wave-DoD possibilities:
http://www.gcn.com/print/25_2/38049-1.html?topic=authentication
Scroll down to bolds...
Last November, a revised document from an interagency working group laid out the following scenario, illustrating one of the biggest technical challenges for agencies complying with Homeland Security Presidential Directive-12: A government employee receives a smart card that lets him into his building. Eventually, he’s assigned to a project in another state and needs access to that facility using the same ID. Then his work takes him to a separate agency where, with proper authorization, his card should allow him through that door, too.
But today, that can’t happen. And making it happen will be a significant undertaking, one that will require careful planning, wholesale infrastructure upgrades and changes in the way agencies manage security.
The Physical Access Interagency Interoperability Working Group has prepared Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems. The document should help agencies integrate what has commonly been the quintessential stovepipe system—building access security—with an overall personal identity verification architecture that bridges physical- and logical-access control within and among disparate agencies.
“PIV is going to do a lot for pushing [smart-card] technology forward and getting the physical-access guys to come on board,” said Mike Butler, chief of smart-card programs in the Defense Department’s Common Access Card Office.
Perhaps the first and most basic challenge facing agencies is the fact that physical-access control systems are islands unto themselves. Physical security usually is handled by a different group—trained in “guns and badges,” as experts describe it—from the people who handle information technology.
Physical-access control systems will have to become network-based if they’re to deliver on the promise of HSPD-12.
“More and more IT departments are getting involved with these systems,” said Michael Regelski, vice president of engineering at Lenel Systems International Inc. of Rochester, N.Y.
Lenel has worked on physical security for various agencies, including NASA, which Regelski says is furthest along in integrating physical- and logical-access control.
But if it comes down to a turf battle, the need to keep bad guys out of a building could trump smart-card access to network resources.
“Between the physical and the IT organizations, the ones who have the upper hand in many agencies are the physical, because they have the authority to issue badges today,” said Jeremy Grant, vice president for enterprise solutions for Maximus Inc. of Reston, Va. “As a result, a lot of agencies are really looking at logical access only as an application that can be supported on the card.”
Experts say physical-security staffs don’t have a lot of experience with IT and are understandably nervous about putting their systems on a network. When physical-access control systems ride on an IP network, they become vulnerable to hackers, viruses and other security risks.
Authsec Inc., a security consulting company in Columbia, Md., has run vulnerability scans on a variety of physical-access control systems, and every one had vulnerabilities.
“Vendors don’t live in [the network] world and aren’t used to worrying about vulnerabilities in their products,” said senior vice president Dallas Bishoff. “It’s not that the risk can’t be controlled. The door control panels have operating systems and are susceptible to viruses and need to be patched. But most PACS are not treated as IT procurements and are not subject to certification and accreditation.”
In fact, access control cards from one vendor typically work only with that company’s readers, which typically only work with the same company’s control panels.
Moving to IP and the standards developed by the National Institute of Standards and Technology should change that and open physical-access control systems so they can talk to other parts of the security infrastructure, such as an identity management system.
“Four or five years from now, physical-security networks that run off the office network will be common,” Butler said. “Then you can start doing things like make sure a person can’t log onto a network unless you know they came through the door.”
Making exceptions
There will always be situations where, for security reasons, a physical-access control system can’t link to an IP network, but those will be exceptions to the rule.
Once an agency has a strategy for integrating its physical and IT security operations, there’s the matter of actually getting their physical-access control systems to comply with NIST’s Federal Information Standard Publication-201. And because there are so many proprietary systems floating around, the job is big.
“A lot of the physical-access community hasn’t woken up to what HSPD-12 really means and how obsolete a lot of their stuff is going to be,” Grant said.
The crux of the problem, put simply, is that many of the card readers and control panels guarding agency doors can’t read the information that will be contained in future PIV cards.
Under HSPD-12 and FIPS-201, the main identifier on a PIV card will be the Federal Agency Smart Credential Number, which can be up to 32 bits or 25 bytes, based on the encoding technique.
“You can’t shove that much information through the control panels of a lot of legacy access systems,” Grant said.
There has been talk of an interim solution under which systems accept truncated smart-credential data, but it’s an imperfect solution that would effectively reduce the amount of unique information required to access a building. What’s more, according to Regelski, while truncation might be a passable solution within a facility, it would make cross-facility interoperability harder because it could lead to duplication among shortened ID numbers.
Preserve the legacy?
Experts agree that virtually all card readers in operation today for physical security have to be replaced. Whether agencies will have to replace the control panels that handle those readers and the back-end systems that operate the entire PACS, will depend on what’s currently in place.
“You can replace existing readers to accommodate the new card,” Regelski said, “and as long as the systems can interpret the output—and the majority of them can—you should be able to take the PIV credential and use it on your existing infrastructure.”
However, he cautioned, even some legacy back ends can’t handle the data requirements of FIPS-201. In addition, Bishoff warned, today’s physical-access control systems weren’t designed to handle cryptographic keys, nor have they been through FIPS-140-2 testing, which validates cryptographic modules for use in government.
Just as in a large-scale IT infrastructure upgrade or consolidation, the extent of a physical-access overhaul will hinge on an agency’s ability to document all its components. Security systems are often procured on a site-by-site basis, or even building-by-building, making it difficult to get a handle on what’s out there.
“Most agencies do not know how many systems they’ve got, because they were all locally acquired and there’s no central inventory,” Bishoff said. “The most bizarre case we saw was a building with five physical-access control systems. Three of them were within 30 feet of each other, and they were all three independent systems.”
And because we’re talking about large numbers of readers and possibly control panels at many different buildings, agencies will need a strategy for cutting over to a new system while still allowing unfettered access through the old.
Triage needed
“You can’t replace all your existing readers in one shot,” Regelski said. “You need a strategy. It could be multiple cards or new cards with old tokens embedded.”
Integrating physical access control with IT security may be the biggest challenge, but it will have the greatest payoff
“We need to do triage here,” Butler said. “If we’ve got some place up in Maine out in the woods where 300 people work and they’re using a magnetic stripe system today, and maybe they just upgraded it, why would we waste the taxpayers’ money on someplace like that until it really makes sense, business case-wise, to replace a system like that?”
Butler said the Office of the Secretary of Defense just got a new security system that doesn’t support the contactless smart card described in PIV specifications. But when the department gets its new contactless smart cards, it will still encode the contactless side and employees will carry two cards in the same holder during the transition. DOD also plans to have thousands of employees using a PIV card starting in April.
The good news is that despite all the effort that must go into upgrading to meet HSPD-12 mandates, the move to an integrated security infrastructure could save agencies money. Authsec did an analysis for a large agency and found that if the agency had gone with a FIPS-201-type security strategy, it would have saved $32 million in 2005.
“FIPS-201 and HSPD-12 create the opportunity for dollar savings,” Bishoff said, “but it’s going to be real expensive to get there.”
And it won’t happen overnight. Said DOD’s Butler, “We’re going to be doing this six years from now.”
Goin Fishn
OT-A Wave DoD sighting?
A recent article on the Government Computer News website had a report on "Operation Winter Fox," a test of interoperability of the new government common access cards and various state PIV cards. The story has Wave written all over it:
http://www.gcn.com/print/25_8/40411-1.html?topic=authentication
Some interesting excerpts below:
The Defense and Homeland Security departments, along with first responders from Maryland and Virginia, recently showed just how important trust is under Homeland Security Presidential Directive-12.
In a one-day exercise called Winter Fox, employees from the four organizations used their own smart cards and digital certificates—compliant with Federal Information Processing Standard-201—to obtain validation at another’s location...
Later:
Winter Fox focused on first responders because of their need to move and communicate easily across jurisdictions.
Jones said that during the Sept. 11, 2001, attacks, Virginia State Police would not accept DOD’s building pass as identification to get through roadblocks and to the Pentagon.
In the future, officials don’t want first responders to have similar problems. HSPD-12-compliant first-responder cards will be color-coded, and states are following the same scheme, said Ken Wall, deputy director of DHS’ Office of the National Capital Region Coordination.
Further down the cards are described:
All the cards were single-chip, dual-interface 64KB cards with either two-factor or three-factor authentication. The cards met FIPS-201, Personal Identification Verification I standards. The smart cards used different certificate authorities, but they all met federal standards outlined under the Federal Public Key Infrastructure Policy.
And last, most interestingly-the handheld reader
The responders placed their cards into handheld readers and entered their personal identification numbers. The device used the PIN to verify information stored on the card and in the reader.
Could the handheld reader be an E2100?
This may have been a part of what Wave has been doing for that 319,000 dollar contract.
Goin Fishn
An example of delisting extension:
In April of 2005, Netwolves received the following from the Nasdaq:
5-Apr-2005
Notice of Delisting or Transfer
Item 3.01 Notice of Delisting or Failure to Satisfy a Continued Listing Rule or Standard; Transfer of Listing.
By letter dated March 31, 2005, the Company received written notification from Nasdaq that the bid price of its common stock for the last 30 consecutive business days had closed below the minimum $1.00 per share required for continued inclusion under Marketplace Rule 4301(c)(4) (the "Rule"). In accordance with Marketplace Rule 4310(c)(8)(D), the Company has been provided an initial period of 180 calendar days or until September 27, 2005, to regain compliance. If at any time before that date the bid price of the Company's common stock closes at $1.00 per share or more for a minimum of 10 consecutive business days, the Company will be provided written notification that it is in compliance with the Rule.
Further, if the Company is not in compliance with the Rule by September 27, 2005, and the Company meets the Nasdaq SmallCap initial listing criteria except for the bid price requirement, it will be granted an additional 180 calendar days to March 26, 2006 to comply. In this regard, the Company currently meets all of the initial listing criteria except for the bid price requirement.
Nasdaq's notification further provides that in the event the Company were to receive written notification that its securities will be delisted, it maintains its right to appeal such determination to a Listing Qualifications Panel.
Then, in September, as delisting date neared, they got an extension:
Tampa, Fla. - September 28, 2005 - NetWolves Corp. (NASDAQ: WOLV), a global network continuity and security provider, today announced that it has received written notification from Nasdaq that its deadline to regain compliance with the minimum bid price requirement under Marketplace Rule 4310(c)(4) has been extended from September 27, 2005 to March 27, 2006. The extension is based upon NetWolves having met all of the other requirements for continued listing on Nasdaq.
I don't know if this bears on Wave's situation, or not. Perhaps one of our posters with a bit more market savvy than me (which wouldn't take much) will care to comment. It just seemed to be a similar situation-which resulted in an extension for Netwolves from the Nasdaq. If I have read the rules regarding Nasdaq listing correctly, Wave meets all other requirements except for the $1 minimum bid.
Perhaps Wave has gone in front of the board, and knows that they are going to receive an extension- might be a part of what they could have said to the new investors to convince them that putting money in Wave will not be risky. They also must have something else up their sleeve to offset another flat quarterly report (as all expect). I'm cheering for a government deal based on the job posting at Wave for an individual with experience at writing RFPs. An announcement with millions of dollars of real revenue attached to it would launch us nicely right now. IMO
Goin Fishn
Thanks Unclevername for posting nasdaq requirements for listings
It looks like Wave meets all requirements except for share price, so maybe an extension is not out of the question. Here's hoping that Dell advertising, Army Contracts, and another OEM will make it a moot point.
goin fishn
Smithereens
I didn't get a response, but I am reasonably certain that I read either here or over on the Yahoos board that Wave could apply for an extension if they had totaled a million in revenues in the past year. So, I think that we may expect an extension, unless someone knows for a fact that I am wrong, which is why I posted it, just to make sure I had remembered correctly. If I have remembered correctly, the delisting issue is dead IMO.
goin fishn
Question Re: Delisting-
I thought that I had read previously that a 180 day extension could be requested, and that the requirement for this was to have posted 1 million in earnings in the previous year. Wouldn't today's earnings put us over 1 million, and make us eligible for the extension?
-or-
At the revenue rates on bundling, we might have enough revenues by the end of the quarter to get the extension, as well.
FWIW, I was very encouraged by today's guidance. Per SKS, we stand to cover half of the burn through bundling, and we get $50 per seat on average when upgraded. At those rates, 200,000 upgrades gets us 10 million dollars, and that, in combination with bundling revs puts us at break even. It may be closer than we think. Wave is consulting with the Army for a reason-that alone might result in enough upgrades to get us close to break even.
goin fishn
Rachelelise/Svenm-Wave compatible with Cisco-Per SKS
From the recent RSA presentation linked above:
Another very important thing to understand is back in 1998 and ’99 there was a big push to add PKI. Everybody remembers Baltimore Technologies and a bunch of other players. That massive rise in market capital around PKI, facilitated building PKI support into all networking equipment and it never has gone away. So every CISCO router supports PKI. Every Juniper router does, Checkpoint firewall… This is the hardware PKI token on the client side. So this provides interoperability with anybody who ever supported the public key standards, which is about 80 to 90% of all networking equipment today. I can configure out of the box to work with Trusted Computing.
Now the challenge for the IT department is the manual doesn’t say trust Trusted Computing anywhere in the manual, from my CISCO VPN router. One of the things we’ve had to do as a company is publish a series of documents on how you set your Checkpoint router up or your Checkpoint firewall up with Trusted Platform Modules. It works brilliantly. It’s really easy to do. But helping that guy through that sort of first step of associating pieces that aren’t normally associated has been a challenge.
We’ve built a number of networking components to help that. The most important tool we build is a tool for backup and recovery of keys. So if you’re going to encrypt all of the data on the hard disk, then you better have some place to backup your keys, because if you forget or lose your keys you lose all the data. And that’s been a very valuable component for us.
It’s still early in selling the enterprise software because people haven’t really recognized that they have clients yet. And we provide a range of developer tools that others can use.
The way that I read this, it sounds like it is possible to make a few tweaks to Wave and a Cisco router to make them compatible. Of course, I am not a techie, and I certainly could be wrong-and I defer to the judgement of the pros on the board. It would, however, explain the positioning of the Wave-NTT VANADIS-Cisco collaboration in Japan.
goin fishn
OT? New security proposed for do-it-all phones
This is from last September, sorry if already posted
A few hilites below:
http://news.com.com/New+security+proposed+for+do-it-all+phones/2100-1037_3-5883341.html?tag=nl
Hardware-based security is not new to the mobile phone space, said Nokia's Uusilehto, but manufacturers have so far each gone their own way. The Trusted Computing Group aims to provide a standard, which should reduce costs for handset makers and let component suppliers standardize.
"Today we're wasting a lot of resources and inventing the wheel again here and there, instead of doing it together in this open approach," Uusilehto said.
Nokia, the world's biggest handset maker, plans to use the TCG's security specifications, Uusilehto said. However, he could not say which products would include the technology and when those might become available.
It took several years for PCs with TPM chips to appear. Gartner analyst John Pescatore believes it won't be until about 2008 before cell phones with the new security technology hit stores.
----------------------------
"The major problem is not that the technology is so difficult, but that the market is fractured," he said. While the PC market is dominated by Intel and Microsoft, the mobile phone space has many different players who will need more time to coordinate, he said.
Though the industry sees broad use for its security technologies, Pescatore thinks large businesses will be the first to buy devices that have the added security technology. Employees are accessing corporate data on their mobile devices and there is a need for more "trustable" devices, he said.
goin fishn
OT-cell phone due for an antivirus shot? from CNET
Some hilites below:
http://news.com.com/Is+your+cell+phone+due+for+an+antivirus+shot/2100-7349_3-6042745.html
Is your cell phone due for an antivirus shot?
By Joris Evers
Staff Writer, CNET News.com
Published: February 24, 2006, 4:00 AM PST
You can put videos, games, pictures and music on your cell phone. Is antivirus software next?
But makers of security software are eager to get their products onto handsets, a huge potential market. About 812 million mobile terminals--such as cell phones and smart phones--were sold in 2005, according to market researcher Gartner. That compares with an estimated 219 million PCs in the same period. The market research firm expects annual mobile device shipments to exceed 1 billion units for the first time in 2008.
****************************
Cell phone operators have typically focused on their network, rather than phones, as the place to try to thwart mobile virus threats. In moves invisible to users, they scan messages moving from one device to another to filter out malicious programs. Verizon Wireless, which has 51.3 million customers, and T-Mobile USA, which claims 20 million customers, both have scanners in place, representatives said.
***********************
Gartner analysts have backed the scanning approach, saying that installing antivirus software on cell phones would be a mistake. On the PC, antivirus tools became largely ineffective and were reduced to removal tools when e-mail surpassed floppies as the dominant transmission mechanism for viruses, they wrote in a research note last June.
"The mobile world should not repeat the mistakes of the PC world. Malware protection services should be built into the network first, and device-side protection should be the last resort," analysts John Pescatore and John Girard wrote.
**********************
Phones will change to address this problem, Hypponen said. Symbian, maker of the namesake mobile phone operating system, and handset makers are altering their software, he said. Other changes that have been proposed to secure phones include new, hardware-based security standards for the devices.
**********************
Threats to mobile devices are expected to rise as more smart phones are sold. In the third quarter of 2005, worldwide shipments of smart phones totaled 12.6 million units, up 210 percent year over year, according to Gartner. As a proportion of all mobile shipments, smart phone shipments increased to 6.1 percent from 2.4 percent, Gartner said.
For a widespread worm or virus attack, several conditions must be met, according to Gartner analysts Girard and Pescatore. Smart phones have to be widely adopted, wireless messaging needs to be ubiquitous and one operating system should be dominant, the analysts said. For antivirus makers and cellular network operators grappling over what approach to take to protect customers, time might be running out.
"Gartner believes these factors will converge by the end of 2007," Girard and Pescatore wrote.
goin fishn
keV- A Question-
I think your statement attempting to isolate the Army's technology decisions from the rest of the DoD begs a question: Why would the Army need more security than the Navy, Air Force, Marines, etc...?
I would tend to think that the Army specs are a tip off as to where the whole DoD will be going. They will all need/want the technology. JMHO
goin fishn
OT- Govt. PIV II card specs published
Sorry if already posted
http://csrc.nist.gov/publications/nistpubs/800-73/SP800-73-Final.pdf
Interfaces for Personal Identity Verification
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of management, administrative,
technical, and physical standards and guidelines for the cost-effective security and privacy of non-national
security-related information in Federal information systems. This special publication 800-series reports
on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative
activities with industry, government, and academic organizations.
goin fishn
OT-GSA details how HSPD-12 interoperability labs will work
http://www.gcn.com/vol1_no1/authentication/38319-1.html?topic=authentication
By Jason Miller
GCN Staff
The General Services Administration outlined the final step vendors must take to get products and services on an approved list for Homeland Security Presidential Directive-12.
GSA is setting up a lab to ensure vendors’ products and services that meet the National Institute of Standards and Technology’s Federal Information Processing Standard-201 can operate with each other.
In the FIPS-201 Evaluation Program Development-Laboratory Concept of Operations, GSA describes how the test labs will work and provides an overview of the product and services evaluation process.
“The purpose of this ConOps document is to define the roles, responsibilities, processes and procedures necessary to operate the lab…” the document said. “In addition, the ConOps discusses the principles and practices underlying lab operations such as privacy, confidentiality, security, and scheduling.”
GSA’s Office of Governmentwide Policy will authorize the labs, which will be run by the private sector, to evaluate the products and services and retain final approval for what is listed on the approved catalog, the document said.
Vendors should submit their products or services through the Evaluation Program Development Program Management Office Web site once it is online. The labs will evaluate the products and services based on a first-in, first-out basis.
goin fishn
OT?-A possible Wave/Microsoft link?
I don't know if this has been posted before, but even if it has, it might be useful to consider it again, in light of the Juniper and Nortel announcements.
I read the "smaller players filling NAC void article," and followed the link to another article on Microsoft's upcoming NAP capabilities in "Longhorn." Following are some quotes:
http://www.eweek.com/article2/0,1895,1779208,00.asp
Microsoft: Network Security Coming in Longhorn Client
By Ryan Naraine
March 24, 2005
Microsoft Corp. plans to fit out-of-the-box NAP capabilities into the Longhorn client due out in 2006.
That's the word from Jawad Khaki, corporate vice president of Microsoft's networking and devices technologies division.
During an hourlong Web chat to share details on Longhorn Networking, Khaki disclosed that the Longhorn client will ship with capabilities to enforce security policy compliance powered by Network Access Protection.
The initial release of NAP was originally planned for the server variant of Longhorn scheduled for 2007, but Khaki said some features will find their way into the client version.
"Additionally, we are working with 40-plus partners who are industry leaders in anti-virus, intrusion detection [and] prevention, network access devices and much more to support the NAP architecture," Khaki said.
Network Access Protection is a policy enforcement platform that lets IT administrators set policies to "quarantine" and restrict clients from accessing a network until the clients can prove policy compliance.
"The idea behind NAP is that we create a framework that allows IT administrators to ensure policy compliance of their systems. In essence, a computer has to prove that it is healthy [compliant with policy] before it is allowed to connect to the network," Khaki said.
Doesn't this sound like TPMs attesting to a central server?
And this later:
During the chat session, Microsoft executives said Longhorn will feature improved usability and manageability for network security.
The plan is to have NAP serve as the framework to provide a "holistic" solution to protect networks as well as the devices and endpoints connected to the network, the executives said.
And last-maybe most interesting
About 40 third-party vendors have announced support for Microsoft NAP, including Cisco, Trend Micro Inc., eEye Digital Security, F-Secure Corp., Juniper Networks Inc., McAfee Inc., Nortel Networks Corp. and Symantec Corp.
My questions are:
Why would Nortel and Juniper demonstrate capability with the TNC architecture/Wave if "Longhorn" is going to come out with what sounds like a similar capability soon?
Wouldn't a "gorilla" like Microsoft squash an offering from Wave and TCG/TNC if they both did the same thing? (So, again, why the interest from Nortel and Juniper-or the military-especially considering that Vista will be out soon, as well?)
Why would Microsoft come out with a totally different system if they are an important part of the TCG, and must have played a role in at least approving the TCG specs on Trusted Network Connect? Why would they bother with TCG/TNC if they had a product already in development that would be competition with their own when it was released?
Is Longhorn a threat to Wave, or is it Microsoft's incorporation of TNC in its own products?
Last, if "Longhorn" uses TNC, does this suggest that there may be a link between the TNC/Wave and the above mentioned companies, including Cisco-if they are compatible with Longhorn, are they compatible with TNC?
From what I have read on this board, any TPM network will require at least a part of Wave's IP to allow TPMs from different manufacturers to communicate with the central server within the same network-no one else has this capability yet, am I correct? So, that would mean that those who choose to implement TNC will need at least that IP from Wave. I assume that is why Juniper and Nortel are demonstrating with Wave.
I have no intention of implying anything concrete here, but I felt that these interesting convergences might give some valuable clues. At the very least, it is something to keep an eye on. Or, am I way off base?
Comments?
goin fish
Thanks, Orda eom
Orda
I never said Wave had an eighteen month lead in anything, whether three years ago or today. This is what I will say about this issue. I am not seeing anyone else doing what Wave does in the whole of the technology sector. (creating networks of interoperable TPM equipped computers)
Now, I make no claim to encyclopedic knowledge here, and because of that, I will invite anyone to post companies that they think have products which could subsume Wave's offerings. I will also reiterate what I said before-If there is a company in stealth mode out there, why are they waiting? Why wait while Wave makes the first monies off this new market? Why let Wave establish so many good relationships? Why let Wave establish servers in corporations and the government, bundling with major companies, and positions of leadership in industry organizations? Why let Wave become "in" and then have to fight against all of that, when they might have a product in stealth mode right now? Last, why would a company buy and install Wave, only to spend more money a short time later to replace it?
IMO, if we see a major jump in Wave's revenues in the third and fourth quarters, combined with announced major deals with the government, Wave is in good shape. Is it a done deal? Only the government knows. Meanwhile, we are all stuck rowing the same boat, like it or not. I do realize that some have been pulling at the oars much longer than me, and I make no presumption to tell you that you are wrong to be frustrated, or to question when land will finally appear. Is it just over the horizon-again?-I do think that we will know this year, good or bad. I wish you luck, and, if you will forgive the pun, a boatload of money.
goin fishn
(aka Rodney King)
Thanks to all for the discussion eom
CPA-Thanks for your thoughts
As you could see with the question that I attached at the end of my post/summary, I intended to spark discussion. I think that I am best served as an investor to be able to read perspectives from many different points of view. So, I thank you for your additions to the discussion, even if others don't seem to want to.
You probably have a fair point on management underestimating the length of time that it would take to achieve adoption of the technologies that they have developed. Yet, your criticism is unfair to them in one way-any leader is basically required to keep things positive-without holding out hope, a leader will not be able to motivate anyone to follow. So, I think a small amount of slack is in order for SS, with the knowledge that any investor must take company projections with a grain of salt and a healthy dose of DD. Always check to see if words, actions and numbers add up.
Why do I believe them now? Simple-there is now real evidence of Wave gaining traction, and not just company projections. You will note that my post was based solely on the government plan for securing cyberspace and on licensing deals that Wave has with various companies, along with the interesting timing of their advent. There are no promises from Wave/SS that are any part of the underpinning premises of my post.
I would add that we are near to the answering of all questions regarding development and deployment. Wave will succeed or fail soon, and you and I will know who is right and who is mistaken. IMO, the only 2 things that are important this year are Wave securing a significant role in the government solution, and Wave making it to break even. If those happen, all else will follow and we will be off to the races.
As to the possibility of a gorilla holding out to swoop in at the last moment and steal the market from Wave, I suppose that is always a possibility, even after they become successful. Yet, I do not see any evidence that matches this scenario. If a gorilla was in such a position, why hold out any longer? The government is deciding, 250 billion in government monies are going to be doled out, and the winner of the selection process will be the de facto application, according to the government plan. Why wait any longer? Additionally, from everything posted here, it seems that Microsoft has elected to supply only the most minimal of TPM functionality to Vista. It will be interesting to find out why, since they would seem best positioned to challenge Wave.
You have posted that you trade in and out of this stock, so you are following it closely enough that if they do succeed, you will jump in and make a good return on your investment at that point. I will leave you with this wish-may we both get a good payday from Wave.
goin fishn
eamonshute-Thank you
That was the one I was referring to. Thanks for taking the time to help.
goin fishn
rachelelise-thank you for your comments
They are a reasonable and useful addition to the "history" that I posted.
FWIW, as a newbie, I do think sometimes of how different a perspective the long time investors must have of Wave's progress. The true Wavoids who have been invested since well before 2003 have seen many ups and downs, and I do not mean to somehow minimize any areas of unhappiness that they might have with management. In fact, I owe them a debt of gratitude. They helped Wave through the wilderness years to the point where they are now. They also give useful information through this board. So, many thanks to you and all of the others who post here. Hopefully, once in a while I will throw in something of use.
goin fishn
Orda
The source of my statement was a post that I had read on this board. I do not have the premium membership, or I would find it for you. My apologies. If anyone can/will help, it would be appreciated.
goin fishn
Management deserves praise, not criticism
Those who would criticize management should go back and re-read the government .pdf on securing cyber space posted by x-point last week. It clearly spells out what has happened to delay deployment of TPMs and Wave's software.
In February, 2003, before Wave had really started to market anything like the systems they have today, the government put out their plan for securing cyberspace. The plan clearly states that the government would go through several steps in the process of making cyberspace secure. First, they were ordered to assess what threats existed. Next, the plan called for assessing what solutions were available to defeat the threats. The plan next called for a period of assessment for the solutions identified. When solutions were found to be effective, the plan called for the government to implement them across the entire spectrum of government activities. Finally, the plan calls for the government to encourage all other sectors to adopt the solutions, starting with government vendors-especially defense contractors. After that, cyberspace would be secure. This last part is critical. The government would be the de facto standard.
Now, what OEM or software company in their right mind would disregard this plan when the government stated that they would in essence be picking a uniform standard security solution and then pushing its implementation? What company would move before they knew what the government would pick?
This plan put Wave on hold. No one was going to move too far until it became apparent what solutions the government would pick. In addition, we all know how the government can drag its feet when making a big decision. Meanwhile, events played out in Wave's favor.
In 2003, the Mitre Corp., a government think tank, experimented with TPMs as a security solution. They became advocates for TPMs. That summer, Intel signed with Wave to produce motherboards with TPMs. This is no coincidence, IMO.
In 2004, Wave began trials at West Point. The government plan calls for "Red Team-Blue Team" review of the solution selected. If I am not mistaken, this is a military term for war games. I believe West Point was chosen as a small, self contained arena for a simulated cyber war against a TPM protected network. Once this was successfully concluded, and it looked like the government liked TPMs, we began to see movement within the industry to adopt TPMs on a widening scale.
During this time period, SS was seen with a very high powered military lobbyist/advisor. Again, no coincidence IMO. He was working to make sure that the right people were aware of the success of TPMs, and forming relationships that will now be paying off, hopefully in huge revenues for Wave.
Wave deals with STMicro, Atmel, and NTRU followed in short order, followed by Dell, etc. in 2005. The likelihood of governmental adoption of TPMs pushed the OEM and software companies off the fence and into action. We now see an accelerating adoption of TPMs to be followed by real revenues for Wave. And that is not the best part! If the government sticks to their plan, they will be pushing all state governments and also government vendors to adopt TPMs, which will mean they will need Wave.
IMO, Management has done a herculean job at guiding Wave's fortunes through this critical time. If they succeed, (and I believe they already have) Management will have moved the entire US government and military industrial complex to the use of TPMs. It is clear that this has been a major part of their business plan, and it looks like they have executed it nearly perfectly.
Now, tell me again-Why should they be criticized? I can forgive a few small mistakes along the way. If they pull this off, they deserve a frickin' medal.
Just my opinion
goin fishn
OT- Govt smartcards use cryptographic module and applets
I believe wherever the PIV-II cards are used, TPMs and Wave will be needed. (And maybe even Embassy 2100) IMO
http://www.gcn.com/vol1_no1/authentication/38103-1.html?topic=authentication
NIST preapproves first PIV-II smart card
By Jason Miller
GCN Staff
The National Institute of Standards and Technology has issued the first preapproval for a smart card that meets Homeland Security Presidential Directive 12, Federal Information Processing Standard 201.
On their Personal Identity Verification program Web site, NIST listed Oberthur Card Systems of Rancho Dominguez, Calif., as having its Cosmo 64 v5 Smart Card with PIV II v.1.03 JavaCard applet meeting the FIPS-201 conformance test.
Oberthur’s card now is undergoing testing for compliance with FIPS-140-2 Cryptographic Module Validation Program to ensure it still conforms to the security requirements.
"It looks as though we will have some cards make it all the way through the process [by] early February," said Curt Barker, NIST's PIV program manager. "By having a precertified card, it means the application has been approved; so when CMVP people look at it, they are looking at a stable configuration, and they are looking at stable product."
Because smart cards that include the PIV application are cryptographic modules, the conformance to FIPS-140-2 needs to be re-examined to make sure it continues to conform, Barker said. He estimated that completion of the CMVP validation would take six to eight weeks.
Barker added that Oberthur’s card has already started the CMVP validation process.
Other cards, including one from GemPlus SA of Luxembourg, are also being tested, industry experts said.
Once validated for FIPS-201 and FIPS-140-2, cards must go through interoperability testing at labs sponsored by the General Services Administration before agencies can purchase them. GSA officials have said they plan to begin testing by late spring.
NIST eventually also will list preapproved middleware products on the Web site.
goin fishn
OT- Fixs signs with DoD!
http://www.washingtontechnology.com/news/1_1/defense/27925-1.html
Govt PIV Cards use applets and biometrics
From a 1/25/06 interview with Jim Schoening, GSA Smartcard Project Manager. It is a Q/A format
Whole interview is found here:
http://appserv.gcn.com/forum/qna_forum/38060-2.html
Some highlights
Falls Church, VA: PIV is a great challenge to agencies but of the two classes of individuals, employees and contractors, PIV card issuance and management is far more complex for contractors. Given that a contractor may work for more than one organization at the same time, has a process been developed to avoid duplication of credential issuance? The same holds for instances where a contractor may be temporarily between engagements because of funding or acquisition process delays. That could lead to revocations and new credential issuance expenses that might otherwise be avoidable. Has any consideration been given to GSA centrally managing contractor PIV credentials? That could reduce the level of effort agencies would expend and allow them to focus just on managing authorization privileges instead of both.
GSA's Jim Schoening:
Each agency is currently required to handle badging issues for contractors they employ. Vendors should complete a NACI equivalent for each of their employees and have them available to provide to agencies so that a badge may be issued. Each agency may handle how a vendor is badged, it could be a permanent badge or a temporary. The suggestion of GSA handling badging of vendors is a good one and I will submit it for consideration. It would save a lot of money in reducing redundant issuance.
Good suggestion. This appears to be exactly the kind of thing the HSPD-12 IPWG is trying to hammer out. My guess is they would embrace this, although it is up to the agency to decide if they'd agree to provide this service. --Rob Thormeyer
*********************************
Washington, DC: What are the minimal components that an agency has to instantiate to be considered HSPD-12 compliant?
GSA's Jim Schoening: Agencies must comply with policy for issuance of PIV cards and must have the ability to authenticate them either as a stand-alone system or part of a physical-access system.
******************************
Kirby McKinney - Pennsylvania: How far down the road of FIPS201 compliancy can an agency currently travel safely? Will cards procured at this time be useless and invalid in the future? Or, if changes are made, can the Applet on the card be upgraded/updated to allow the continued use of the card?
GSA's Jim Schoening: Although FIPS-201 compliant cards may be available soon, the PIV applets have not yet been fully tested. The result is that if cards are issued now you may have a compatibility issue in the future. Depending on the card acquired you may be able to update the applet or you might not. My recommendation is to hold off for awhile, you can proceed to design your card's topology and topcoat laminates.
Sorry if already posted
goin fishn
X-Point-Great Find-Now we have the road map
And most roads seem to lead to Wave!
I like where the report says that all military/industrial components should be encouraged to protect themselves by the DoD. (page 54) I also like this:
Through the ongoing E-Authentication initiative, the federal government will review the need for stronger access control and authentication; explore the extent to which all departments can employ the same physical and logical access control tools and authentication mechanisms; and consequently, further promote consistency and interoperability.
Pages from 52-end of document have lots of good news for Wave
Many Thanks
goin fishn
cslewis-Nice find-a very interesting quote here:
Touting a host of industry firsts for advanced security, the EntrePad 1610, for example, is the first sensor to leverage several industry security platforms including the Trusted Computing Group's (TCG) version 1.2 Trusted Platform Module (TPM) specifications and Microsoft Vista Secure Startup, as well as future platforms such as Intel's LaGrande technology.
Aebli said AuthenTec is the first company to offer a complete solution that is tied in with the Trusted Computer Group's TPM module, and is the first to show some of the advantages it will offer with the upcoming Microsoft Vista operating system. "We've done quite a lot of work to tie in Vista with the TCG and upcoming technologies offered by Intel to round out a complete solution to ensure that the data on your PC is as secure as it can be," Aebli said.
Looks like Authentec is planning for a world in which encryption through TPMs plays an important role. I also like the mention of upcoming technologies from Intel. Maybe Viiv? If it is, does this make it more likely Wave will be a part of the Viiv user experience?
We also know that the ARM Trustzone is doing well, according to awk's post a few days back. Maybe Authentec is positioning themselves for that change in technology, as well. All IMO, of course.
Thanks for the DD
goin fishn
Thank you for your kind responses Scorpio and Micro
I have learned so much from reading this board over the years that I was kind of bummed to think that I might have angered you. I am very appreciative of the DD posted here. No one could ever do all of this on their own. So, back to more relevant issues...
goin fishn
Scorpio and Micro
You posted replies that took exception to my post on the Phil Windley blog posted by khillo. If you thought I was harsh, I apologize, as that was not my intent. I didn't think that I used pejorative terms, or otherwise was personal in my comments, but I know that you disagree. So, I note your comments, thank you for the feedback, and will try to improve.
Perhaps you felt it was lengthy (I agree). What can I say-except that the anti-digital rights management tone of the blog was what most motivated me to respond as I did. As someone who has had his AOL account illegally accessed, I am all for a little less anonymity while online-and I think that if TPMs get abused by software makers, etc. to the point that people are losing significant functionality of their computers, two forces will keep the abusers in check. One is government regulation, which I mentioned, and the other is the marketplace. Neither need help from Phil Windley, or his bad analogies (and they are bad). Simply saying that the government has screwed things up before does not constitute a good reason to abandon a new technology. TPMs will actually provide many changes of a positive nature through expanded e-commerce, downloads of premium content, and protection from cyber thieves/hackers and a host of other improvements. They will also be another milestone in the ever accelerating process of change/improvement in technology. (Accelerating much the same as aircraft design.)
goin fishn
To khillo
khillo, after reading a few of the replies to my commentary on the blog you posted, it seems that some thought I was harsh. That was not my intent, and I would like to say that if you felt attacked in a personal manner, I apologize. I didn't think that I got personal, but if you were left with bad feelings, then what I think doesn't matter. So, my apologies. I would have posted sooner, but I was out of town.
goin fishn
khillo, this blog has serious problems:
I’m not sure if this is your blog, or you are just posting it, but it is riddled with logical fallacies.
Paragraph 1-
Last night I was reading an article about the birth of the DC-3, one of the world's classic airplanes. What caught my attention was the fact that the DC-3 was designed and built just 30 years after the Wright brothers made their first flight. The DC-3 was arguably the first modern airliner in form and function, completely recognizable to today's passengers.
False analogy-a DC-3 was made of metal, had seats and engines, but that’s where the similarities end. Today’s airliners are pressurized, have jet engines, fly several times higher and faster than the DC-3, control surfaces are computer controlled, have GPS, and a whole host of other improvements. There have been incredible changes in passenger aircraft since the DC-3.
Paragraph 2-
I fly and my plane is, by almost any external measure, primitive. Even so, my 1978 Turbo Arrow is still state-of-the-art by most aviation industry standards and the envy of many private pilots. Except for where computers have affected the avionics, my plane is almost identical to any plane you would have found for sale in the 1940s and 1950s. A pilot from that era would feel perfectly at home in the cockpit of my plane (as long as you turned the GPS off so it didn't distract them).
This tends to refute paragraph 1. The controls and abilities that the author attributes to his 1978 Turbo Arrow are the very ones that a DC-3 had, yet, for this paragraph, they are “primitive.” Are airliners today primitive?
So, why am I telling you about the sorry state of flying in a blog about technology? Because I think it holds a lesson for us.
Paragraphs 3 and 4
The trajectory of progress represented by the drive from the Wright brothers to the DC-3 is a story that most techies today would recognize as analogous to the progress that's been made in the first 50 years of the computer age. Most of us assume that that progress will continue unimpeded. We imagine, or try to imagine, what the world will be like in 5, 10 or 20 years given the pace with which computers have changed in our recent past.
Early aviation pioneers did the same thing–that's where those visions of flying cars come from. But I argue that if the designers of the DC-3 and their colleagues could be brought forward to the first decade of the 21st century, they'd be sorely disappointed by the state of aviation.
The statement about what imaginary time travelers would think is a Red Herring, it is totally unrelated to the issue of the TPM. That it is based on a false analogy only exacerbates the weakness of the argument.
Paragraph 5
How did we get to this moribund, stagnant state of affairs? Simple: the government decided to make flying safe. When I moderated a talk by Rick Adam, CEO of Adam Aircraft, he said that they'd spent $80 million before they ever got the first product they could deliver. Much of that was a direct result of responding to government regulation.
This is a combination Red Herring and a Straw Man argument. Government interference with aircraft design is the Red Herring, it has nothing to do with TPMs. The author then sets up government interference with the aircraft industry as his straw man, and proceeds to argue that it is bad. He argues against the straw man, not TPMs, which is why it is such a weak form of argument. These statements are essentially irrelevant to the issue of technology. The statement that aircraft manufacturers spend over 80 million dollars developing planes is also a Fallacy of Exclusion. The author does not reveal other information which might potentially refute his case, and instead merely attributes cost increases to one factor-the government-the figure of 80 million dollars is not adjusted to 1930s dollars, (when the DC-3 was developed) nor are other increased expenses for manufacturers noted. And who or what is Adam Aircraft, anyway? What does Boeing say?
Paragraph 6
Admittedly, there's a trade-off here. We like to be safe. Especially when the true cost is hidden. Efforts to use digital restrictions management tools like TPM (the trusted platform module–part of the Trusted Computing Platform) to reduce identity theft are a case in point. The hidden cost in this case is the potential loss of general purpose computing platforms as we know them. With TCP technology Microsoft, Apple, or even the MPAA could become the arbiters of what will and what won't run on your system. It would be possible to construct software whitelists and blacklists under the control of someone other than the person who owns the computer. TCP is essentially a rootkit you can't uninstall. That scares me.
Probably the best paragraph here, it is still filled with unsupported statements of what the government, Apple, Microsoft, etc. are going to do. Relax, issues like this are why we have representative government. Fill your congressman’s ear with your concerns and make sure to vote on election day.
goin fishn
Thanks Ispro
For asking instead of just assuming. Things always work out better with straightforward, upfront discussion- Which is why this board is an interesting place to come.
goin fishn
Ispro re: other board
I have posted there once. After the first post I put on here at IHUB, someone tried to go on the Yahoos board and claim they were me. So, I posted a reply as fivepar_oneputz, because all the variations of goin fishin were taken. See message number 93167. I doubt that I will be back over at Yahoo, though, I've got plenty of walls to talk to here at home if I want that quality of discussion.
I've followed Wave for three years, but only recently bought in. Four letters tell why I bought: D E L L.
Have a great day
goin fishn
x-point
I have begun to wonder whether we have misread what SKS has based his hints of breakeven in Q2-Q3. I always assumed that Dell and ST Micro would have ramped up enough by then to justify the breakeven assumption, but, maybe SKS knew that we looked good on enough govt. contracts, and that they would be awarded soon enough that money would flow our way in the 2-3 quarter. That would be a more solid timeline than assuming a steady ramping up.
All complete speculation, of course, and I am likely just
goin fishn
hnstabe-also see this article from August 30
Hopefully enough money will be flowing to allow end to end adoption of TCG standards/TPM/Wave all at once:
September 2005
INPUT Says 250 Billion Expected in Major IT Contract Awards Will be Awarded in Fiscal Year 2006
Twenty major contracts will be awarded by the federal government in fiscal year 2006 with a combined potential value of $250 billion, according to a report released today by INPUT, the authority on government business. The General Services Administration (GSA) will account for the highest value of award dollars due to the Alliant and Networx Government-Wide Acquisition Contracts (GWACs).
"2006 looks to be a banner year for small business awards with nearly all acquisitions setting aside a significant amount of contracting dollars for small businesses," said Darren Bezdek, manager subcontract opportunities for INPUT. "GSA's Alliant Small Business GWAC may represent the largest IT contract ever awarded exclusively to small business."
The Department of Homeland Security (DHS) will award three major contracts in FY06 carrying a combined ceiling value of $50 billion: Enterprise Acquisition Gateway for Leading Edge solutions (EAGLE), First Source, and American Shield Initiative (ASI). The EAGLE acquisition accounts for the majority of the awards with a ceiling value set at $45 billion. The contract will provide DHS with its own method of purchasing IT services as opposed to utilizing other GWACs and consolidates the majority of DHS IT services needs under one contract. Awards are planned to be made to both small and large businesses.
Within the major contracts, some important technology standards are likely to be selected that will have significant impact on future acquisitions. "Most notable is the Justice Department's Integrated Wireless Network (IWN) contract which may set standards for how state, local, and tribal public safety and homeland security entities communicate," stated Bezdek. "Similarly, the ASI contract in DHS will utilize cutting-edge technology to monitor America's borders and could be a proving ground for the application of monitoring technology across government agencies in a variety of applications."
"There are few markets in the world where one can find a single contract valued at $50 billion," added Bezdek. "The contracts awarded in the next year are going to have a significant impact on vendor market share and the insertion of technology in the federal government. Vendors should pay close attention to ensure they are positioned to play a role in these opportunities."
goin fishn
hnstabe re: TCG penetration of govt.
Came across the MITRE Corporation last night while surfing around. They are a government think tank, and they know TPMs and have for a while. From their website:
"About MITRE
The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. As a national resource, we apply our expertise in systems engineering, information technology, operational concepts, and enterprise modernization to address our sponsors' critical needs.
MITRE manages three Federally Funded Research and Development Centers (FFRDCs): one for the Department of Defense (known as the DOD Command, Control, Communications and Intelligence FFRDC), one for the Federal Aviation Administration (the Center for Advanced Aviation System Development), and one for the Internal Revenue Service (the Center for Enterprise Modernization). MITRE also has its own independent research and development program that explores new technologies and new uses of technologies to solve our sponsors' problems in the near-term and in the future."
TPMs have been the subject of research in the Center for Enterprise Modernization. Link follows:
http://www.mitre.org/about/ffrdcs/cem.html
Go to the link and do a search for TPM. They apparently have been researching them since 2003. There have been a number of presentations on the topic.
The Center for Enterprise Modernization's principal customers include:
Internal Revenue Service
Department of the Treasury
U.S. Customs and Border Protection
Department of Homeland Security
Department of Health and Human Services
U.S. Census Bureau
***********************************
Hope this bodes well for a speedy adoption of TPMs by the government.
Sorry if already posted
goin fishn
ISPRO-Maybe I misread something...
I thought that Wave was part of a group that included Northrop Grumman and said group was playing an important role in the upcoming defense contracts to be awarded at the end of the month, with Northrop possibly being a prime in those deals. Was it Fixs? Or, did I misunderstand? I know I read something along those lines here.
goin fishn
AWK, the next time...
one of the more pessimistic "show me the money" types goes a little too far to the dark side on this board, just send him to that string/discussion. Great job of DD to all that chipped in, and many thanks for the time you put in. Hope my post was not too repetitive with previous posts, but there are so many possibilities discussed here daily that it's easy to forget what's been dug up already.
I went back and double checked the date of the analyst report on ORC. It was dated yesterday, so starting now, according to ORC they have a 12 to 18 month window to advocate/sell PKI solutions (Hopefully with Wave as a part) to their clients without significant competition. No wonder that they are predicting business will be good. Question-do you see ORC's bullish take on their prospects as an outside confirmation of the good year for Wave that is expected?
Thanks
goin fishn
warbil, I would say no
Judging from their financials, they don't have the kind of money that the acquisition would take. It will all be moot after the end of the month, if Wave is a part of the 5 Billion dollar big tamale. After that, if they try to sell the company I will march to Lee, don orange robes and douse myself in gasoline in protest.
Goin Fishn