May 6, 2008 - Volume 3, #43
Good Morning:
I was wrong. It's not the first time it's happened, and I'm pretty sure
it won't be the last. I figured the Microsoft/Yahoo! deal was a slam
dunk [link]. Intuitively it made sense. The premium was 62% and that
was before the start of negotiations. Both Microsoft and Yahoo have
been sucking Google's exhaust for years. Neither had been executing well
to gain market share. The market is rapidly maturing and that means the
big companies need to get bigger to survive.
I could go on for days, but I'd still be wrong. My fatal flaw (once again)
is to look at the situation from a logical standpoint. There were lots of
reasons for the deal to go through. What logical CEO would walk away from
that kind of premium, knowing how fun it is to get your teeth kicked in by
Google every day? I know Microsoft is the universal enemy of these
companies, but why not just box up the whole thing and make it Redmond's
problem? Who knew that Yahoo! would become a blowfish once in Microsoft's
clutches?
I usually get the analysis right, but I also tend to forget about the
human part of the equation. In this case, it's the sin of EGO. That's
right, ego killed this deal. I think buyer's remorse had a bit to do with
it as well (which made it easier for MSFT to walk away), but ultimately
Jerry Yang's arrogance killed this deal. They walked away because they
couldn't squeeze another 10% out of the deal. Unbelievable. It will be
years before Yahoo's stock sees $33 again. Maybe it never will.
So now the Yahoos will get to deal with mopping up 3 months of
diversion, a couple of emboldened competitors, and a couple hundred class
action lawsuits.
The old adage, "be careful what you wish for," seems very appropriate
now. Yahoo! is again independent, carving their own trail. Yang and his
executive team made some big promises to make the case for independence.
Now they'll need to deliver. Notwithstanding this is a team that has
executed poorly for years. I doubt it will be any different moving
forward. Personally, I
used to be on Yahoo! pretty much all day. Now, if I'm there once a day
- that's a lot. I'm on Google now all day. And I'm not alone.
Good luck to the Yahoos. They are going to need it, especially when
Google's search results drive 2x the cash flow of Yahoo's internal
systems.
They may as well just burn the place to the ground. It would save us
all a lot of time.
Have a great day.
PS: My "shut down day" experiment went swimmingly. I didn't touch the
computer all day and my cell phone was off for an entire 24 hours. You
know what happened? Life went on. I was with the Boss all day, so she
had her phone - in case of emergency, but the trains ran on time. The
kids got up and went to sleep (with no help from us), we got to where
we needed to be and even ate a few meals. Basically it was a good
reminder that I can (and should) unplug more often.
Photo: "Microsoft is taking over Yahoo!" originally uploaded by gnal [1]
Top Security News
SearchSecurity story [10] brings up a pretty interesting ethical
quandary. If you had the ability to neutralize compromised machines and
eliminate the Trojan that is controlling them, should you? At first
glance, the answer is probably no.
Sony got hammered a few years ago when it came to light that they were
using stealth rootkit technology to drive their DRM function. If the
good guys use the same techniques as the bad guys, how do you know the
difference? What if you dig a bit deeper and maybe use a healthcare
analogy? If your kids had a dormant virus that at some point would
awaken and turn them into a criminal, and you had a way to eliminate
the virus without them ever knowing they'd been infected, would you?
That seems like a no-brainer, right? Of course, in the court of public
opinion it's not a no-brainer. A few vociferous individuals could
create an uprising against tactics like these, even if they are good
for you. And then as opposed to focusing on doing the right thing, the
company creating the vaccine is defending themselves. No wonder why
it's usually just a lot easier to let folks blow each other up.
a review of a couple of privileged account management tools (PAM) [12]
last week. These tools basically
protect the account information and passwords for root and
administrator accounts. Why is that an issue? Basically it's about
separation of duties and accountability, mostly from a compliance
standpoint. Administrators typically just use root to make whatever
system level changes are required. They share the root password amongst
themselves and they go about their business. But what if a machine is
compromised? And it turns out it was because of a change that was made
by the root account? How do you know who to investigate? How can you
prove compliance and that you are protecting user data, when you can't
say which administrator made what changes? Right, you can't. So for big
companies, these kinds of tools can make sense. But why isn't this a
function of the server and system management hierarchies that are
already in place? Right. It will be, it's just a question of when.
Dan made some investments, I guess he made some money, and now he
teaches. [14] That's fantastic. Evidently
he is still investing in some start-ups, but it seems his investment
strategy is a lot less cogent than his analysis of the security market.
He says: "Security isn’t easy to monetize, he says. “Everyone wants it
but no one is willing to pay much for it. And even if you have a
security solution, getting it adopted usually means a serious change to
something someone’s doing.” I don't
think any of us argue that case. But if I was an independent investor,
and I knew Dan's statement to be true, do you think I'd be investing
money in the latest, shiniest security widget? Especially when I could
maybe find some other things that could be more easily monetized. Ah,
another quandary of the security industry. Ultimately a few start-ups
will make money, but most won't. And I understand that, so even if I
could invest in security start-ups (I can't), I wouldn't.
The Laundry List
- Webroot is the "first" to offer web filtering in the cloud to SMBs? Really? I suspect MessageLabs, ScanSafe, WebSense's Black Spider and a bunch of others would differ. Could a beat reporter do a little bit of homework (and maybe not take a vendor claim at face value) before he writes something asinine, please? - NetworkWorld coverage [16]
- But it's an excuse to poke at Microsoft? The spat about Microsoft's COFFEE incident response toolkit is much ado about nothing. I guess you need to let the Captain Privacy's out there run wild every so often. They don't get out much. - John Sawyer's Dark Reading blog [17]
- Didn't hear much interesting out of Interop, but at least Barney makes an appearance. Blue Coat gets Vericept to join their partner program. Wonder if I could pick 35 PURPLE at the roulette table? - Blue Coat release [18]
- If you are interested in CSRF attacks (and you should be), check out Jeremiah's slide deck on the topic. - Slideshare presentation [19]
Top Blog Postings
http://www.bloginfosec.com/2008/04/08/are-you-a-savvy-ciso-learn-how-to-assess-yourself/ [20]
http://www.matasano.com/log/1044/defense-in-depth-reconsidered-is-information-security-anything-like-war/ [22]
http://securosis.com/2008/05/02/react-faster-and-better-with-the-a-b-cs/ [24]