June 26, 2008

Google Courts Developers

Google held its first full-blown developer meeting recently in SF (Google I/O) packing in a big crowd of very bright (and young) geeks (can you imagine how out of place I felt without my iPhone?). The event was informative in any number of ways. Along the lines of "it might be really significant maybe" it was interesting to note that Google couldn't do either registration or feeding very well (certainly not to Microsoft's refined standards) -- do you think it's curious that a company with 2 million servers can't do registration in time for the keynote? More consequentially, in his keynote Google's VP of Developer Relations (and some other stuff) -- Vic Gundotra -- gave a strangely evangelical talk, speaking of how the community had built the Internet, not companies. For a company like Google that prints money this religious fervor all seems somewhat strange until it struck me that Google, unlike Microsoft, doesn't have a lot of experience monetizing software development (most of Google's programming effort is given away and the benefit accrued in advertising delivery). In stark contrast Microsoft (where Vic spent 15 years) understands intimately how their partners, ISPs and VARs make a buck and how their efforts make Microsoft a lot of money. When Ballmer bellows "I love you!" at a developer conference it may sound corny but I have no doubt that he really means it. I think like the registration and feeding of large crowds, Google doesn't quite have the developer value chain sorted out.

White Listing and Trust

At the Trend Micro analyst meeting Eva Chen was very honest and straightforward about the fact that traditional A/V protection works because someone "dies" (gets infected) so the rest of the tribe can "live" (be protected). For attacks that hit large populations the statistics work out reasonably for this approach but as the attacks get more targeted things look worse. If malware is specifically designed to get you personally ("SpearPhishing") then the fact that someone has to die doesn't work at all. White listing of files (having repositories of software that is known to be safe) and refusing to execute anything but white listed files is one solution approach. There are major pump priming problems with the approach (not workable until the white lists are comprehensive) but we already know two white list service vendors (SignaCert and Bit9) and various tools to catalog and categorize executables within an enterprise. When questioned Eva thought the approach had merit over time but wouldn't work now. In a recent briefing Kaspersky Labs had more or less the same answer. Let me give you another way to think about the problem. Given the smarmy network we all use, it seems unlikely to me that we can find protection that works transparently and perfectly. A scheme like white listing only works if both software providers and users are motivated to make it work. Think of it like joining a subset of the network that values trust enough to put some effort in. Will there be problems? Will you sometimes be frustrated because software you trust and want to use won't be on the white list? Absolutely! But is that frustration justified by being able to live in a cleaner and safer network (albeit not perfect)? I for one would certainly like to experiment with the concept (trusted email is an analogous idea that we've never been able to collectively reach critical mass).

Structure 08 (the Invisible Elephant in the Room)

GigaOM held an interesting, sold out one day meeting on the emerging Cloud. There was only one flaw, or in fact I am completely over the hill and deluded (a possibility). To listen to the discussion here, Microsoft isn't a player (to be fair to the rest, Microsoft does an amazing job NOT talking about their Live plans). It seems to me that this is at first blush a two-horse race -- Google and Microsoft. SaaS isn't a children's crusade. Eventually it takes huge CapEx and OpEx investments to play. It isn't at all clear that even a $1B player like SalesForce has the financial chops to survive against the big players with big resources. Let's say this was an interesting exploration of ideas but without anyone obviously asking the pivotal business questions. Oh to be one of those "other" analysts that doesn't want to be bothered by the business bits...

May 31, 2008

Let the Hypervisor Wars Begin!

Microsoft seems to be feeling reasonably good about Hyper-V. Microsoft VP Bob Muglia reports it is functionally complete and performance complete and what remains is wringing out the bugs (as far as I can tell the stability is pretty good already). Mu said it was very surprising to him when they did their first performance testing against VMware ESX last fall and found the HV performance to be in the ballpark. When I first met Bob he was a Windows NT product manager. A key workload for NT was File Server and the competition was Drew Major's NetWare (as regular readers will know, Drew is in my pantheon of software gods). It took Microsoft until NT 4 to be performance comparable with NetWare so you can imagine Mu's surprise and pleasure to find HV Alpha code in the ballpark. The comparison between HV and ESX is complex. Microsoft knows it will take some time to catch up with the full VMW functionality. On the other hand, out of the box HV is supported by System Center, a much more comprehensive management system than virtual center. And just to make things interesting and weird, MS announced and demonstrated System Center managing ESX, and MS support for management of key UNIX variants (along with OpenSourcing the integration technology). So this time MS is the heterogeneous, embracing vendor (that clearly tickles Mu too). How this all plays out is yet to be seen. MS points out that they know how to coordinate virtualization with Windows and key MS applications better than anyone and that should be quite valuable (e.g., to make virtual infrastructure memory management more efficient). In any case, MS is cranking up all the MS sales and competitive engines so things should get lively. When I pressed Mu at the MMS analyst meeting to say how we should observe competitive progress he said that after 18 months in the market if they weren't shipping more hypervisors than VMW he would be very disappointed. "Microsoft is very good at high-volume, low-cost software you know" (Hyper-V is priced at $28 if you missed that). Game very much about to be on.

System Center -- Front and Center

I've been attending the Microsoft Management Summit for three years now and the evolution is worth watching. The management effort began in earnest five years ago when Bob Muglia faced the fact that manageability was a liability for Windows server and hired Kirill Tatarinov from BMC to fix the problem. Kirill and his team developed a 10 year vision around the "dynamic systems initiative." The initial reasoning for the effort was that with good systems management Windows Server could have superior overall cost-of-ownership compared to alternatives like LINUX. The management systems team developed a pretty good plan and Muglia put his money where his mouth was. I think it's fair to say that five years into this ten year plan systems management is now a Windows Server asset rather than a liability. A little over a year ago the discussion started to move to focus on System Center (the Microsoft branding for the whole product line) as a profitable line of business rather than just a Windows Server asset. From what we heard at MMS we're estimating that the product line will close this year just south of $1B, certainly a credible number even within MS. Perhaps more interesting, System Center (in turn built on SQL Server) is becoming a focal point for the virtualization strategy (virtualization management integrated with hardware, operating system and application management in contrast to VMware's "virtualization is everything" strategy) and also now at the core of Microsoft's Forefront Security as well. Muglia still describes it as five years into a ten year vision, and speaks to more sophisticated model-based applications (I'm expecting that some of these ideas will become clearer in the forthcoming Oslo release). The analyst meetings at MMS are getting a lot more popular (they used to be intimate little events).

Ray Ozzie Meshes Things Up

The services shoes that I spoke of around the MIX 08 conference are starting to drop left and right. Microsoft has begun a technical Beta for the Live Mesh service and put some quite informative videos up on the Web. I've known some of Ray's core team since back in our mutual DEC days (the team started at UIUC earlier, and really coagulated at Iris Associates, the group that did Lotus Notes). Then some of them moved on to Groove and hence to Microsoft. Ray has been doing "sync" for a long time through many generations and refinements of products (at the core of Notes and Groove for sure). Not unexpectedly sync is at the root of Live Mesh (as Ray said would be the case earlier). When I told one of our networking friends he should really take a look at Live Mesh, his answer was "It's just file replication, right?" to suggest his disinterest. It is about file replication. But if you think about it, intelligent file replication is at the core of how we use computers. In Live Mesh you can define a Mesh of devices or people that share specific information. At the simplest you mesh together your computers, phones and MP3 players and share music and photos. In business applications you can collaborate using various forms of documents (IRG runs on Groove collaboration of this form). Notes was a heavyweight structure with high administrative burden. Groove is still pretty heavyweight in terms of the client size but doesn't require any IT admin. Live Mesh is much lighter weight on the client end in part because it's a refined and elegant design and in part because a node in the cloud is a necessary part and the greater complexity can be put there. So in addition to syncing your devices and friends, there is a cloud version that's always up to date and can be accessed via a browser. If you have an application that can run on your PC then it uses a local version of the meshed data and synchronizes it back to the mesh as changes are made (analogous to how modern Outlook cached operation works with Exchange). You can run a PC application in the cloud (they provide a version of .NET Framework that runs in the Live cloud). Or you can write the application in a Web 2.0 mode (more natural for the cloud) and MS supports running it locally on the PC. Very interesting! But wait, there's more. Suppose Microsoft sold a subscription to an up to date Windows and Office "image" and every time you accessed the cloud with one of your computers it was automatically updated with no burden to you (now we have sort of the mōka5 version). Or if you merge it with what MS is doing with SoftGrid (a strong part of the desktop virtualization portfolio) it becomes applications on demand. It's all just file replication but if you do file replication elegantly (as Groove certainly does) it is way cool technology.

Debra Unveils More About Live:

The final keynote at MMS was Debra Chrapaty, Microsoft's Corporate VP of Windows Live Operations, speaking about all those data centers Microsoft has been visibly building. Debra is getting increasing exposure as Microsoft rolls out Live services (Debra is also scheduled to speak at the upcoming Google developer meeting). She's a delight to listen to if you get a chance (accurately describes herself as a WYSIWYG kind of person). She confirmed the sense I got from talking to the Cloud Data Services team at MIX 2008 -- it's definitely game on in terms of services. Debra said MS is adding 10,000 servers a month. The MS total server count is much smaller than Google's -- maybe a third of a million to GOOG's 2M -- but to paraphrase Everett Dirksen, 10,000 servers here, 10,000 servers there, after a while it starts to add up to real compute power! The next 18 months are going to be fun to watch not to mention to experience.

April 24, 2008

Whither RSA?

RSA is a puzzling event. On the one hand it's a very successful meeting, fun to attend, and brings together the IT security industry for a week. On the other hand, when we saw old friends and exchanged the traditional show greeting "What have you seen that's exciting?" the answer in general was "not much." That's paradoxical, or at least troubling. All the vendors were there and they were spending money like Persian Princes. And the security problems are as important as ever, if not more. So if the spending is there and the problems exist, why wasn't there much new? It's a puzzlement. Part of the problem is that it's a lot harder to solve today's criminal attack problems than it was to stop worms and viruses. And the customer now wants to talk in terms of intelligent risk mitigation rather than just "preventing bad things from happening" and that's difficult too. Maybe most of the vendors neither know how to prevent the modern problems nor how their customer should justify the expense. We can hope that things will improve by next year.

Cisco and EMC Announce (something)

Cisco held a press/analyst day just before RSA that included a very interesting customer visit to (and dinner with) Esurance, the Web-based auto insurance company with the flashy cartoon ads. The event started with a "big" announcement of a partnership with RSA (specifically integrating information from EMC's Infoscape technology -- where the Tablus DLP content analysis stuff ended up) with the Cisco Security Agent (so the user would be notified when they were about to do inappropriate stuff with sensitive files). The cooperation makes sense and the basic ideas are noteworthy but on balance the discussion seemed sort of premature because what was actually being committed to was vague and sounded more like a "Barney" announcement ("I love you, you love me, we're a happy family!"). There was more than enough "side story" to make up for any holes however. Richard Palmer, the long term Cisco security SVP and GM is moving off to run the edge router group (a $6-7 B business!) and Scott Weiss, the GM and previous head of IronPort is going to take over the larger security effort. The IronPort guys certainly think of security well out of the network box so it will be interesting to see how they change direction and speed.

End-to-End Trust -- The next big thing or fiddling while Rome burns?

At RSA Microsoft (with great fanfare) introduced the notion of "end-to-end trust" featuring a White Paper by Scott Charney, VP Trustworthy Computing, and featured in Craig Mundie's keynote, shown here in dialog with Chris Leach, Affiliated Computer Services' CISO. The paper and the topic are thoughtful and meaningful, but the tenor of the paper is very academic and not at all prescriptive. My MS friends explained that there is still a good deal of remembered pain from Hailstorm, Microsoft's web authentication effort from some years ago which was too prescriptive. Trying to resolve this tension I went around and polled some wise men in security on whether they thought we were winning the war (making the Internet safer) and sadly few feel very optimistic. In the past Microsoft has been a real industry leader in trying to drive collective change. Maybe it's just that Mundie isn't very comfortable wearing the shoes he inherited from Gates. With no blame meant toward Microsoft (they're still out in front of the pack in leadership) it sort of feels like the bad old days of Spam "control" -- Fiddling while Rome burns. I wonder if the bad guys buy analyst services.