August 27, 2004
At the recent Crypto 2004 Conference, French computer scientist Antoine Joux reported an apparent flaw in MD5, the algorithm that serves as the basis for many popular 128-bit digital signature solutions. His findings were followed by a report from a team of Chinese researchers who released a paper detailing a method for creating two different files that shared the same MD5-based digital signature. In addition, Eli Belham and Rafi Chen from the Technion Institute in Israel discussed preliminary findings which identified potential vulnerabilities in SHA-1, a popular 160-bit output algorithm embedded in PGP and SSL, and the only signing algorithm approved for use in the U.S. government’s Digital Signature Standard. If the findings are substantiated, they could potentially curtail the long-term viability of SHA-1 and drive the need for other options.
The IT industry is one where the relationship between research and commercial product development is often blurred, sometimes despite the best of intentions and sometime purposely. While much IT research is arcane in the extreme, other developments have significant and measurable impacts on the lives of IT solution customers. The Crypto 2004 findings are a case in point. Are the French and Chinese reports on possible weaknesses in MD5 a cause for concern? Sure. If you discover a crack in the foundation of your home, prudence suggests you investigate and repair the damage. Similarly, since the venerable MD5 algorithm (originally introduced by Rivest in 1991) serves as the basis for so many digital signature solutions, further investigations are warranted. But do these apparent cracks mean that any solutions using MD5 as a digital signature foundation are in danger of collapse? Well, no. For one thing, the researchers’ results did not demonstrate a usable hack but a negligible vulnerability that might be conceivably be exploited. In other words, it’s still a long way from here to there, though hackers taking advantage of increasingly powerful and sophisticated computing tools may have less trouble making the journey at some future point.
Most importantly, the Crypto 2004 reports did not address or discuss potential dangers to MD5 Plus-based solutions, which utilize vendor-developed technologies in addition to MD5. For example, EMC utilizes MD5 as only one naming system in the GM (GlobalMD5) solution set featured in products such as Centera Compliance Edition. Along with the MD5 128-bit name, Centera attaches a day and time (to the millisecond) stamp to documents, as well as additional encryption features that can result in a 256-bit total output. The application runs checks to ensure that original documents and their backups are the same, and also provides an option to turn off the single-instance storage feature. In order to exploit the flaws discussed at Crypto 2004 in a Centera system, a hacker would need to create rogue files produced at precisely the same time, on precisely the same nodes, and with precisely the same content as the originals. Overall, the reports of the French and Chinese researchers offer an interesting window into the way previous generations of technology are inevitably overtaken by robust newer generation solutions. Similarly, MD5 Plus offers an example of how innovative vendors can use well designed foundation technologies as a basis for their own, more formidable creations.
BEA Systems has announced second-quarter revenues of $263.2 million, below previous estimates of between $265 and $275 million, yet on target for lowered numbers BEA circulated a week before the financials were released. While revenues were up quarter-to-quarter by some 7%, the latest financials show that this is the second straight quarter in which the company has not met projections. The company has also been hard hit by a series of high-level departures in the past few months, as well as an ongoing drop in licensing revenues. Those departing include the company’s CTO, the company’s chief architect for long-term initiatives, the vice president of channels and alliances, the senior vice president of marketing, and a senior director of product marketing.
While BEA officials (the remaining ones, that is) note that the company is still strong and that its soft revenues are endemic throughout the software industry, we have to suspect that something much more dire is going on within the halls and cubicles of BEA. The loss of so many key executives may indicate that they see the writing on the wall for the company, and are seeking greener pastures. As such, we suspect there is no small amount of consternation at companies partnering with BEA receiving application servers and middleware from the company. The developments at BEA are in all probability not being well received at HP or Sun, for example. Meanwhile, folks at IBM may find themselves reaping a significant windfall for WebSphere middleware sales as customers begin to raise legitimate questions concerning BEA’s viability. The folks at JBoss may also be smiling, but we are not all that sure they should be, since they may end up in a head-to-head battle with IBM while being forced to fight headwinds associated with their own stature and long-term viability.
In our mind, the source of BEA’s problems is simple. The company is selling a product that is increasingly considered a commodity offering that is only a subset of a larger and more complex IT environment. At the height of the Internet boom, application servers were the hot, hot, hot technology, with dozens of innovative smaller companies bringing their products to the fore. BEA itself bought WebLogic, the maker of one such app server, and bet its future on a middleware play for partners like HP who decided such efforts were not worth the expense and time. Companies like IBM wove their application server into a broad range of in-house offerings, making it largely the glue for its other task-specific products like databases or storage products running on IBM hardware. Meanwhile, companies like Sun started giving away an app server, despite its relationship with BEA. Sun cancelled the giveaway, but the action indicates clearly that the technology itself is now a means to sell and market ancillary products, not the core offering itself. What’s next for BEA? We suspect that the company will continue bravely on while seeing its market share shrink in the face of increasingly valid questions regarding the actual value-add of app servers and middleware. In all likelihood, either by partnership or M&A activity, its technology will become an element of a larger, integrated set of offerings, just like all the other leading-edge products that have drifted out of the high-tech limelight into a behind-the-scenes supporting role.
HP has announced it is ending its effort to offer a new antivirus technology after finding that it had problems making the product work with computers running the Windows operating system. The product, called Virus Throttler, was designed to slow the spread of viruses by limiting the connections an infected computer could make during a fixed time after noticing different behavior on the machine after it has been infected. The product worked well in Linux and HP-UX environments, but was unable to run on Windows because it required that changes be made to the operating system. HP officials said they did not have the ability to make the needed changes in Windows because they did not own the OS.
HP has shown its Virus Throttler product to Microsoft and has deployed it on its own internal network of nearly 250,000 hosts. But it looks as though the product will not be sold or marketed in its present form in the foreseeable future since it basically would only be able to provide its protections to a subset of an enterprise network. While such protection may have some value for those machines, most viruses are written to attack Windows machines, and the network as a whole would still be vulnerable. For the most part, security products that have out-of-the-box holes in their protection don’t do particularly well in the marketplace. This one would have been no exception.
HP announced this product just six months ago at the annual RSA conference along with another security product called Active Countermeasures, a product that scans networks looking for vulnerabilities. Active Countermeasures will go into beta testing with some of HP’s customers, and HP hopes to release the product in 2005. Perhaps it will fare better than Virus Throttler. One of the things that has us concerned is the fact that Throttler got as far along as it did, given the fact that anyone working on the project knew that the Windows issue was inevitable and unavoidable. HP defended its announcement of the product as a way to demonstrate innovative product development. But the old saying concerning pudding and tasting clearly apply here as the product’s viability window was measured in mere months, reminiscent of the go-go days of the of the Internet boom in which innovation was the sacred mantra throughout the industry. But as the carcasses of so many “innovators” rotting across the landscape clearly show, product quality and value to the marketplace trumps vacuous innovation every time.
In contrast to historical patterns, Ethernet switch prices are on the rise, and more such devices are being purchased, according to market researcher Dell’Oro. The company says the average price of an Ethernet switch port has risen to $96, with Fast Ethernet approximately $50 per port and Gigabit Ethernet approximately $200 per port.
The “common” wisdom in the electronics industry says that cost and price of such equipment decrease over time, as volume increases. Innovation and experience in the development and production process are other contributors to this phenomenon. The Ethernet switch market seems to be operating under uncommon wisdom. IT enterprise shifts to higher speed devices, with greater functionality and intelligence, can be blamed in part for this phenomenon. For example, buyer “must haves” for layer 3 and above switches include distributed hardware based routing, wire speed switching and routing, multi-gigabit architecture, support for high-speed and -density interfaces, load balancing, and simpler device management. Higher price tags and underutilized bandwidth have not suppressed demand for these faster and more capable devices because technologies like convergence, VoIP, and wireless LANs are driving the demand for them. In the future the adoption of such technologies will continue, if not accelerate, but we expect switch price trends to return to the historical declining pattern over the long term.
Another potentially underrated factor, in our opinion, is the U.S. economic climate. The vast majority of components used in devices like switches are manufactured offshore. For the last several years the U.S. dollar has remained low against virtually all major foreign currencies fanning the flames of a tightly focused inflation furnace. Lower outsourced production costs may have been more than offset by a weak U.S. dollar against other currencies, resulting in net cost increases. This complexity is difficult to factor into production decisions such as to outsource or not to outsource, but vendors will be forced to factor the ongoing value of the U.S. dollar in making such decisions. The almighty buck is having increased difficulty filling offshore buckets.