broadstuff

Network World reporting on news from Gartner:

Sixty percent of virtual servers are less secure than the physical servers they replace, the analyst firm Gartner said in new research Monday.

This state of affairs will remain true until 2012, but security should improve substantially after that point, Gartner said.

Gartner predicted that by 2015, only 30% of virtualized servers will be less secure than the physical machines they replaced.

The basis of the issue is the new layer of virtualizing middleware that is emerging to help such virtual systems operate easily. These are new pieces of software, largely untested, and 40% are developed by people who know not a lot about high end system security.

There are 5 other main risks identified (see the press release here)

- A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads

- The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM

- Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation

- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking

- There Is a Potential Loss of Separation of Duties for Network and Security Controls

Quite why its going to get amazingly better in 5 years is not made clear in the press release, I would have thought there is at least 5 years of FUD and Greed in there. The report is sitting behind a $95 paywall - so here's a free opinion:

There will be a load of cowboys entering the game in the next 3 years, by 2015 there will have been some major security f*ckups, and by 2015 many customers will have been spooked - and the big players who do this stuff in their sleep (they are called Telcos and Web 1.0 Hosters) will enter the game and just integrate it all as part of their infrastructure.

It is clearly becoming traditional at SXSW to have an Interview Keynote that everyone loves to hate, a process that is affectionately known as Lacyration. This year's tag team were Havas's Umair Haque and Twitter's Ev Williams. Just see here and here for the articles - but read the comments for a more balanced view than just the Twitter faithful.

But of course, this one was all predictable, as the chart above shows. Today's competition is to "spot the middle ground". Answers on a postcard.....

I'm beginning to like dana boyd No, seriously, I first came across her stuff a few years ago and found it a bit too "Social media right on" - Teen Brave New World laced liberally with Kool Aid - the sort of academic stuff Posy Simmonds would send up most wittily. But I think moving to Microsoft has been the making of her as she has started to embrace the real world outside academia and the Teen. In other words, I find myself agreeing with her more and more

SXSW this year (to me) has seen the scary trend of a vicious competition between various privacy-busting location based services for (ahem) Buzz. Thus this piece from SXSW by dana on Privacy is rather good - here are some highlights:

DEAR ERIC SCHMIDT, PRIVACY IS NOT DEAD. KTXBY.

No matter how many times a privileged straight white male technology executive pronounces the death of privacy, Privacy Is Not Dead. People of all ages care deeply about privacy. And they care just as much about privacy online as they do offline. But what privacy means may not be what you think.

Fundamentally, privacy is about having control over how information flows. It's about being able to understand the social setting in order to behave appropriately. To do so, people must trust their interpretation of the context, including the people in the room and the architecture that defines the setting. When they feel as though control has been taken away from them or when they lack the control they need to do the right thing, they scream privacy foul.

To get at the challenges around privacy, let's consider a recent privacy FAIL: Google Buzz. What the outrage around Google Buzz showed us is that people care deeply about privacy and control. Don't get me wrong - plenty of people will use the service and it will be extremely popular, but this doesn't mean Google didn’t screw up. They’re taking a hit in terms of trust, because not everyone benefited from what they did.

Hear hear. And then there is this:

THE BINARIES OF PUBLIC AND PRIVATE

It's easy to think that "public" and "private" are binaries. We certainly build a lot of technology with this assumption. At best, we break out of this with access-control lists where we list specific people who some piece of content should be available to. And at best, we expand our notion of "private" to include everything that is not "public." But this binary logic isn't good enough for understanding what people mean when they talk about privacy. What people experience when they talk about privacy is more complicated than what can be instantiated in a byte.

To get at this, let's talk about how people experience public and private in unmediated situations. Because it's not so binary there either.

First, think about a conversation that you may have with a close friend. You may think about that conversation as private, but there is nothing stopping your friend from telling someone else what was said, except for your trust in your friend. You actually learned to trust your friend, presumably through experience.

Learning who to trust is actually quite hard. Anyone who has middle school-aged kids knows that there's inevitably a point in time when someone says something that they shouldn't have and tears are shed. It's hard to learn to really know for sure that someone will keep their word. But we don't choose not to tell people things simply because they could spill the beans. We do our best to assess the situation and act accordingly.

Quite - we have been saying for 5 years that the trust seeking systems in Real Life are far more nuanced than a few puffs of whuffie, and that online systems are still very risky as they are so crude in ability to divine intentions - especially given the economic motives of some of the major players. She sums up with:

CHANGING THE RULES

Let's think of this in terms of a second privacy FAIL: Facebook's changes in December. For those who missed it, Facebook asked users to reconsider their privacy settings. The first instantiation of the process asked users to consider various types of content and choose whether to make that content available to "Everyone" or to keep their old settings. The default new choice was "Everyone." Many users encountered this pop-up when they logged in and just clicked on through because they wanted to get to Facebook itself. In doing so, these users changed all of their settings to public, many without realizing it. When challenged by the Federal Trade Commission, Facebook proudly announced that 35% of users had altered their privacy settings when they had encountered this popup. They were proud of this because, as research has shown, very few people actually change the defaults. But this means that 65% of users changed their settings to public.

If one believes that no one cares about privacy, one might think that Facebook users consciously made their content public. But I've spent a lot of time browsing Facebook's "Everybody" feed since the privacy setting debacle in December and I don't think a lot of what I'm seeing is meant to be public. [Picture of some "public" status updates on Facebook.] So I started asking non-techy users about their privacy settings on Facebook. I ask them what they think their settings are and then ask them to look at their settings with me. I have yet to find someone whose belief matched up with their reality. That is not good news. Facebook built its name and reputation on being a closed network that enabled privacy in new ways, something that its users deeply value and STILL believe is the case. Are there Facebook users who want their content to be publicly accessible? Of course. But 65% of all Facebook users? No way.

And she concludes with Five key issues:

PRIVACY DISCONNECTS

When thinking about privacy in a digital context, there are five main things you need to know.

First, you must differentiate between PII and PEI. If you've spent any time thinking about privacy, you've probably heard of PII - "Personally Identifiable Information." All too often, we assume that when people make PII available publicly that they don't care about privacy. While some folks are deeply concerned about PII, PII isn't the whole privacy story. What many people are concerned about is PEI - "Personally Embarrassing Information." This is what they're brokering, battling over, and trying to make sense of.

Second, we're seeing an inversion of defaults when it comes to what's public and what's private. Historically, a conversation that you might have in the hallway is private by default, public through effort. It's private because no one bothers to share what's being said. The conversation may be made public if something worth spreading is said. Even though the conversation took place in a public setting, the conversation is private by default, public through effort.

Third, people regularly calculate both what they have to lose and what they have to gain when entering public situations. Having control over a situation is extremely important, but it must be weighed against the opportunities that one might have to gain a friend or have a new experience by being public. The equations people use differ depending on where they are at in their life. Most generalizably, youth focus on all that they have to gain when entering into public spaces while adults are thinking about all that they have to lose. Part of the challenge in this is figuring out where someone's at and what their expectations are.

Fourth concept. Keep in mind that people don’t always make material publicly accessible because they want the world to see it. Consider this quote from 17-year-old Bly Lauritano-Warner:

"My mom always uses the excuse about the internet being "public" when she defends herself. It's not like I do anything to be ashamed of, but a girl needs her privacy. I do online journals so I can communicate with my friends. Not so my mother could catch up on the latest gossip of my life."

Finally, I want to come back to what I keep raising briefly but not properly addressing. Just because something is publicly accessible does not mean that people want it to be publicized. Making something that is public more public is a violation of privacy.

All very good stuff and I urge you to tread the whole original. But I want to leave you with an observation of my own, which is that the people who are heading the companies espousing Public Living the most, are also ensuring their own privacy the most - to the extent that I think we are seeing the emergence of "Privacy Feudalism" - there is a risk that in the future only the rich/powerful will have privacy, life will be lived in a public bubble except for those who can live behind the gated online communities.

So, the Location Wars have begun in earnest - Facebook and Twitter have joined Google in launching location based services.

NYT on Facebook:

Starting next month, the more than 400 million Facebook users could begin seeing a new kind of status update flow through their news feed: the current locations of their friends.

Facebook plans to take the wraps off a new location-based feature in late April at f8, the company’s yearly developer conference, according to several people briefed on the project, who spoke on condition of anonymity because they were not authorized to discuss unannounced services.

In preparation for the introduction, Facebook updated its privacy policy last November. The new policy states: “When you share your location with others or add a location to something you post, we treat that like any other content you post.”

At that time, the company also offered some foreshadowing of the new feature: “If we offer a service that supports this type of location sharing we will present you with an opt-in choice of whether you want to participate.”

The temptation to do opt-out is going to be very strong though.....on past performance it wouldn't be surprising is that "opt-in2 promise is very liberally interpreted,

Twitter too is gearing up - TechCrunch:

The service has just turned on geolocation on its website today for the first time.

While Twitter’s geolocation feature has been live through its API since last November, there was no sign of integration into the main twitter.com site until now. As you can see in the screenshot above, for tweets tagged with location, right next to the source of the tweet there is a location placemarker. When you hover over it, it turns blue, and clicking on it brings up a little Google map showing the location that tweet was sent from.

You can see these maps as overlays both on individual tweet pages, and on tweets in your main stream. In some cases, depending on how Twitter geolocation API is being used, it looks like place names are even passed through to Twitter.

Timing is of course to coincide with SXSWi, where Location startups Gowalla, Foursquae and who knows how many others are trying to get that lifegiving buzz going (Buzz - now there is another location ploy) in the biggest geekfest on the planet. SXSW lends itself to this sort of thing as thousands of hungry and thirsty (for knowledge, natch) geeks seek their networked friends for meals over the 12 or so blocks of Austin Olde Town.

What can we say that we haven't said already (just search for "location" on the blog) except be careful - Location based services play faster and looser with privacy than anything that has gone before.

Talking about Sexy New Media Startups being as poor as churchmice, here 's an example - the iconic LOLCat site is that most poverty-attracting thing, being a sexy and new media site. And it would appear its using Slave labour (or something like that) - Gawker:

Cheezburger Network might be the internet's largest "meme aggregator," according to Wired, with upwards of $4 million per year gleaned from other people's pet pictures, supplied to the company for free. But that doesn't mean the 30 or so employees share fairly in the bounty; as we reported last week, Huh has blogged about proudly offering jobs at Seattle's minimum wage of $8.55 or slightly higher, at $10.

Those low wages permeate the company, insiders and their associates tell us, with some former workers also describing worker misclassification unpaid overtime.

On the bright side, it sounds like people have fun with their co-workers, as even some detractors tell us, and one employee wrote in to say his experience at Cheezburger Network beat the pants off her/his (other?) minimum wage jobs — not exactly a high bar, but, given the state of the economy, a practical one.

Seemed like it was only right to put up an appropriate LOLCat picture then (hat tip Patrick Hadfield for the caption)

While we're on the subject, Techmeme's Mahendra Palsule pointed me towards this C:Net article arguing that the media focus on what is sexy, not a decent business (he was noting it as a part-answer to this article I wrote awhile ago). The gist of it is:

A new report by ITDatabase that examines tech coverage over the last six months from eight top business news publications raises some questions, in particular: Does the business press factor companies' revenue and profits into their tech editorial agenda?

The report shows that Apple and Google dominate, while Twitter and Facebook are far more discussed in the business press than Intel, Dell, IBM, or even HP (the largest tech company in the world).

The eight publications surveyed are: The Wall Street Journal, The New York Times, Forbes, Fortune, BusinessWeek, The Economist, Financial Times, and USA Today. Over a period of six months, ITDatabase measured coverage by the number of times a tech company was mentioned in print and online in these publications, including blogs such as All Things Digital, which is affiliated with the Journal. (Disclosure: I am an adviser to ITDatabase.)

There is a chart in the post that shows Apple and Google getting the lions share of the publicity - its a power law graph by the looks of things - and it reminded me of a graph I saw many years ago, drawn in semi jest by a McKinsey colleague at the time, Ralph Lewinski. This curve explains the Hype Hyperbola (see the diagram above), ie the truism that sexy industries tend not to be profitable. This is typically due to one of 2 reasons:

- They are new industries, which usually tend to be unprofitable because they are giving away value to get market share (and/or have yet to find a business model)

- They are established and still sexy, in which case people will enter the market, and even work for them, for much less money than for less enjoyable industries

Which is of course why New Meedja startups are the poorest churchmice (its not a LOLcondition) of all as they fit both conditions Social Media profits (if you exclude the purchases of sites by the Dumb Money) drive the current "biggest $0 billion industry" going.

Google and Apple are exceptions in that they are both sexy and profitable and so really get the press attention. Typically they are profitable because (like old fashioned TV, which was once sexy) they have built strong barriers to entry. They are also both very powerful, especially in the Valley - the difference in coverage tone on Google Buzz between the independent bloggers and the Tech Media (including the big blogs) was quite remarkable.

Techmeme has launched a new vertical, the fascinatingly recursive* Mediagazer:

Today we're launching our first new news vertical in almost four years: Mediagazer, which will focus on the content production and distribution business, organizing topics as wide as journalism, blogging, video production, e-books, and digital distribution technologies.

Meedja types given a mirror to look at themselves with...hmm, I recall a Greek Myth on the subject - ended in tears of course . Anyway, the venture will still have the Human Editing function:

Mediagazer incoporates all these lessons. We've taken great care in its construction, have outfitted the site with the latest iteration of our automation engine, and have launched it from the outset with a dedicated human editor.

That editor will be Megan McCarthy. While Megan's career in media has focused more on the technology space (both at Gawker and at Techmeme), she's long developed an interest in media industry buzz and should feel very much at home at Mediagazer.

It was perhaps inevitable that such a thing aimed at The Meedja would happen, its is an interesting gambit, and I wonder if it will need more human editing than Tech. The sheer number of Media news magazines suggests it will work (I've always seen Techmeme etc as the equivalent of magazines rather than newspapers per se), with this most self-absorbed of sectors. What fascinates me is which other verticals will be launched - and survive.

*look it up

Paul Carr is mellowing! Yes, dear readers - he has written a well thought out post on the UK's new Digital Economy Bill. Not only that, he actually read the Bill! I haven't in detail*, so I'm just going to cut and paste Paul's stuff. As he points out, some of the huffing and puffing about Draconian Crackdowns on Free Spirits is somewhat overstated:

For a start, the first point of contention – the compilation of a persistent offenders list, and the potential banning of them from accessing the Internet – isn’t quite as unfair as it sounds. Despite Doctorow’s claim that “your entire family [can] be cut off from the net if anyone who lives in your house is accused of copyright infringement, without proof or evidence or trial”, there are actually multiple points at which evidence comes into play, and the accused file-swapper is given a chance to defend themselves. The bill requires the creation of an independent tribunal body to hear claims of unfairness arising from the new laws, and alleged infringers have not one but two rights of appeal to the tribunal. With each alleged breach, the new law demands that the ISP send a letter to the subscriber putting the allegations and the evidence to them.

Only once a significant number of breaches have been alledged (the drafters of the bill suggest 50) will the subscriber be added to the persistent offenders list. Again, they will be notified. Only at this point can the copyright owner appeal to the court – using a law that has been around for 36 years – to get the name and address of the offender. Even then, though, they won’t be taken to court. Instead, the copyright owner has to send the subscriber yet another letter (this will be their 52nd) warning them that legal action is imminent if they don’t stop. It’s only then that legal action will be taken, leading to a possible fine and – only at the extreme end of the scale – their Internet access being disconnected.

And, as he points out, much of it is just confirming what already exists:

Yes, the courts will have the power to require ISPs to block sites that egregiously host copyrighted files. But they can only do so if the site involved has refused to remove the copyrighted files – a last resort against foreign file lockers who ignore British court injunctions. More importantly it’s also a power that the British courts have had since the 2002 E-Commerce Directive Regulations (with ISP’s being similarly liable for inaction): the new legislation simply creates a DMCA-style process for making take-down requests easier to issue.

As Paul points out, a lot of the opposition to the Bill is coming from people without any intention of actually reading it (the "numpties" who so frustrated me last year when there were public debates about the Digital Britain report). this does not help debate, nor do the inflamed headlines from those who oppose it on ideological grounds (The Grauniad has been pretty poor in its articles on all this in my opinion).

But the thing I still don't get is why Her Majesty's Government is so desperate to get this through in the dog days of the administration. As Paul says, this is the sort of thing we must get right, so surely we can wait until after the May elections?.

* Haven't read the latest British one but had to get our heads around the DMCA, WIPO and various bits of EU legislation a few years back. Exciting reading it is not

There is a rather useful article in the NYT about how New York is starting to pop up as a startup hub again, after Silicon Alley shut down in 2002. But what really struck me is how much of it could equally be said about London. The following are to my mind the key arguments:

Firstly, a thriving scene of mutual assistance:

THE two dozen or so people arranged around wooden tables, warming their hands and bellies with steaming mugs of coffee and plates of homemade biscuits, looked like just another Sunday brunch set in New York. But members of this group had braved knee-deep snow to gab about cutting-edge ideas and as they introduced themselves the roll call sounded like a Who’s Who of digital start-ups: Foursquare, Hot Potato, Six Apart, Flickr, Flavorpill, Trust Art, Vimeo.

The New York Tech Meet-Up is held monthly, and as many as 700 people attend, a sign of the revival of tech businesses in the city.

“There’s a lot happening right here in our ZIP code,” said Dorothy McGivney, a former Google employee who is a co-coordinator of this group, the North Brooklyn Breakfast Club, and runs Jauntsetter, a travel site for women. Like the others, she had come to the brunch to help foster the growth of her little local community of entrepreneurs.

The group had its inaugural meeting in January and is among a growing cluster of informal meet-and-greets for the local technology and media industries. A recent installment of another monthly event, called the New York Tech Meet-Up and held in Chelsea, drew 700 tech enthusiasts.

The London scene has been quite vibrant for about 3 years now, but I think what is missing is the emergence of some real category killer companies. New York has already given birth to a few, such as Etsy and DoubleClick. London doesn't really have this - yet.

As to where the London category killers may come from, London is more like New York than Silicon Valley - it's a hotbed of the more traditional Media industries which are helping drive New York startups:

Of course, services can be developed anywhere. But because so many industries now grappling with the Internet are based in New York, the city is finding surer footing among its peers as a thriving tech hub.

“Book publishing, advertising, media and even the fashion industry are all located in New York. These are the main industries that are being reshaped and redefined by technology and the Internet,” says AnnaLee Saxenian, a professor at the University of California, Berkeley, who studies regional economics and technology entrepreneurship.

And somewhere to work is key - there is a rise of incubators and workspaces again:

Some of the more interesting breeding grounds in the city are technology incubators that nurture and mentor young companies. One example is the new Manhattan arm of Dogpatch Labs, which is backed by Polaris Venture Partners, an investment firm in the Boston area.

Dogpatch, which opened in January, offers start-ups a place to work, rent-free, for several months, along with the possibility of securing an investment down the line.

Another critical factor is the input of the Universities in the area:

Colleges and universities have long helped fuel the dreams of entrepreneurs. An early pillar of Silicon Valley innovation was Stanford’s dean of engineering, Frederick Terman, who viewed the university as an incubator for the electronics industry. More recently, Facebook was born in a Harvard student’s dorm room and Google first percolated in the heads of two Stanford graduate students.

Hoping to replicate those kinds of successes, schools in New York are increasingly collaborating with local start-ups. Chris Wiggins, a professor of applied mathematics at Columbia University, regularly brings start-up founders to campus to speak to students about careers in technology and is establishing an internship program at the school.

NYC Seed works closely with the Polytechnic Institute of New York University to help students there translate promising ideas into profit-making ventures.

London has some of the best universities on the planet, so no excuses there - but more co-ordination and collaboration is required, for Cambridge to still be ahead of London is extraordinary given the assets at London's disposal. The reason for this is the main London scene-killer - funding. There is still a bigger (or at least more active) VC scene in Cambridge. New York is getting that right again, and the meltdown in teh financial sector (another thing it shares with London) is helping:

New York’s flashier industries, including big media and Wall Street, have long dwarfed the tech sector here. And the dot-com implosion only reinforced that reality. The fledgling tech scene that was just beginning to hum in the late 1990s flatlined as dozens of Internet companies folded, pink slips replaced party invitations and venture capital firms took their investments elsewhere.

During the dot-com boom, “venture capitalists were just throwing dollars at every Internet idea on every street corner,” says Owen Davis, a serial entrepreneur and managing director of NYC Seed, an early-stage technology investment fund. “There was little critical judgment about business models and ideas.”

Since then, Mr. Davis says, the New York technology industry has been steadily coming back on line and has managed to accelerate despite the economic turmoil besieging other industries.

To my mind this is still London's main weakness. All the other areas coild be done better, but are not on the critical path. But nearly every London startup I know of in the new mesia/web 2.0 space that has found funding has had to go Stateside to get it, or fairly soon after an initial round. That (and I know some of my London VC friends will disagree) to my mind is the main thing holding London back. Its not that there isn't any money here, its just that there is not enough of it, and I am concerned its not going to the right places. I think there is still too much of a tendency to give money to the "right" sort of people, rather than the sort of people who are right.

Quite an interesting article in Harvard Business Review about some research from the University of warwick on "Open Learning" circles in the business world. (I read teh hard copy, there is a summary behind a partial paywall over here). It really struck a chord to juxtapose it with the "Social Media Reality Check" event at POLIS last night. Joanne Jacobs liveblogged that over here, wasn't there but my impression was that the thing checked in last night was social media reality - at the entrance door

Anyway, the researchers show start would be recognised by any Social media adherent:

United by a common professional passion, participants would huddle around conference tables and compare data, trade insights, and argue over which designs would work best with local water systems. And the community achieved results: Participants found ways to significantly cut the time and cost involved in system design by increasing the pool of experience that they could draw upon, tapping insights from different disciplines, and recycling design ideas from other projects.

"Let them run free" was the original thinking, but these networks started to hit limits:

Too much attention from management, went the thinking, would crush the group’s collaborative nature. But the very informality of this community eventually rendered it obsolete. What happened to it was typical: The members gained access to more sophisticated design tools and to vast amounts of data via the internet. Increased global connectivity drew more people into the community and into individual projects. Soon the engineers were spending more time at their desks, gathering and organizing data, sorting through multiple versions of designs, and managing remote contacts. The community started to feel less intimate, and its members, less obligated to their peers. Swamped, the engineers found it difficult to justify time for voluntary meetings. Today the community in effect has dissolved—along with the hopes that it would continue generating high-impact ideas.

Again, anyone familiar with Social Media over a number of cycles (ie the Kool Aid has been drunk, digested and d****ated) will recognise this. What works seems to be to give them some form of top down management structure!

Our research has shown that many other communities failed for similar reasons. Nevertheless, communities of practice aren’t dead. Many are thriving—you’ll find them developing global processes, resolving troubled implementation, and guiding operational efforts. But they differ from their forebears in some important respects. Today they’re an actively managed part of the organization, with specific goals, explicit accountability, and clear executive oversight. To get experts to dedicate time to them, companies have to make sure that communities contribute meaningfully to the organization and operate efficiently.

Heresy! I hear you cry. Nonetheless, thats the emerging evidence. Its also my experience - if you want a Social Net group to achieve something, someone actually has to take charge.