From the “Sucks To Be Me” Department…
Based upon feedback from attendees at Blackhat, my talk, "The Four Horsemen of the Virtualization Security Apocalypse," went over well and I really had a lot of fun delivering it. It’s had a TON of coverage.
Despite the positive feedback from folks, it seems the foreboding narrative of the apocalypse has carried over into the real world due to a rather unfortunate journalistic misinterpretation of the facts.
It’s only fair to state that I have been critical in the past of others in our line of work who have complained of their inability to control the output of their direct interviews with the press and analysts as misquotes and misunderstandings arise.
Perhaps this is a little karmic payback for my outspokenness, as after my talk at Blackhat, I have now enjoyed the fruits of journalistic distortion firsthand. It’s important to note that this was not the result of a direct interview, but rather the inaccurate reporting of a reporter sitting in the audience of my talk. I was never contacted with questions or asked for clarification or review.
Many of the points I made in my presentation were reflected upon poorly and my perspective butchered, but one specific item is causing me some serious grief in a professional capacity. It cast a rather crappy pall on the rest of my Blackhat and Defcon experience (more on that later.)
One of the "Four Horsemen" which represents a critical issue in virtualization security is that of the hidden costs involved in virtualizing security. The point I made, and the language I used to consistently describe it multiple times, appears below:
To be perfectly clear, what I obviously said was that "virtualizing security will not save you money, it will cost you more."
What Ellen Messmer reported in her Network World article was that I said "Virtualization will not save you money, it will cost you more."
Now, this may not seem like much of a difference, but it’s a profoundly impacting dissimilarity.
It’s a dangerous rephrase that has now caused significant pain for me that I’m going to have to deal with once I return from vacation. It’s been picked up and re-printed/adapted so many times without validation that I can’t keep count any longer.
You see, I work as the security architect for the division of a company that is maniacally focused on designing, deploying and supporting heavily-virtualized realtime infrastructure for our customers. One of the (obvious) value propositions of virtualization/RTI is cost savings/reduction/avoidance, which I specifically referenced during my presentation as a well-established fact and reasonable motivation for virtualization.
You can probably imagine the surprise of folks when they read Ellen’s article which is written in a way that directly contradicts our corporate messaging and the value proposition offered to our clients. It reflects rather poorly on me and my company.
And just to be clear, my scorn was not directed at the "network industry" or the "virtualization industry" as reported in the article; the context of my entire talk was the security industry, a point sorely missed.
This article reads like the output result of a bad game of "telephone."
I intend to contact Ellen Messmer and ask for a retraction as well as corrections of multiple other mistakes in the article, but as we all know, there’s no real retraction on the Internet. All I can offer is my presentation, the video recording of it and the recollection of the 500+ others that were in the audience when I presented (including numerous other reporters.)
The only other thing left to do is to sheepishly admit that despite the fact that this was not an interview that I or anyone else could control or influence for correctness, Joanna Rutkowska was essentially correct in her assertion during our last debate that you cannot control the press, despite best efforts.
Even though I’ve never had a problem of this degree in the almost 15 years of doing this sort of thing, I humbly submit to her on that point.