“Excitement” and “storage” aren’t really words that go together very often. But this week was different, with the first storage IPO in three years sparking a surge of interest not only in the newly public flash vendor Fusion-io (NYSE:FIO) but investments in several other storage companies as well.
Fusion-io has the advantage of a couple of big names associated with it — chief technology officer Steve Wozniak (am I old enough that I have to explain his connection with Apple?) and Facebook, which uses the company’s storage devices. Another couple of big names that helped were LinkedIn and Zynga, not because they use the company’s products but by having successful IPOs in the computer industry in the past few weeks that paved the way.
Like LinkedIn, Fusion-io raised the planned price of its IPO the day before it went public, to $16 to $18 per share after originally suggesting it would be priced at $13 to $15 — and then actually priced it at $19, raising $233.7 million and giving the company a valuation of $1.8 billion, according to Investor’s Business Daily.
The Debbie Downers at the Wall Street Journal, however, pointed out a number of issues with Fusion-io:
- It doesn’t expect to maintain its growth
- It’s never made a profit for an entire year at a time
- The nine-month period ending March 31 showed a slender profit of $35,000
- 10 of its clients account for 91% of its revenue
- Facebook alone accounts for 47% of its revenue
- Oh, and by the way, that was going to decrease
- Virsto Software, a virtual machines storage company, raised $12 million in Series B venture capital funding led by InterWest Partners with August Capital and Canaan Partners also participating
- Virsto also acquired EvoStor, which specializes in storage virtualization technology for VMware environments, for an undisclosed amount
- Flash array maker Violin Memory raised a $40 million Series C round from public-market investors
- VeloBit raised an undisclosed amount of Series A funding from Fairhaven Capital and Longworth Venture Partners
IDC recently released its Q1 disk storage systems sales figures, and there’s good news and…well, actually, it’s pretty much just good news, unless you’re Dell or a small vendor.
Here are several aspects of the good news:
- 13.2% growth in external disk storage factory revenues year over year
- 17.3% growth in open networked disk storage systems
- 13.4% growth in open SAN
- 27.1% growth in NAS
- 23.0% growth in iSCSI SAN
- 12.1% growth in total disk storage systems
- Fifth quarter in a row of double-digit growth
- 46.3% growth in capacity
Broken down by vendor, in terms of market share, things haven’t changed much, relatively speaking. In external disk storage, the top five vendors are EMC, NetApp, IBM, HP, and Fujitsu — NetApp and IBM swapped places compared with a year ago. In the total open networked disk storage market, EMC led NetApp. Broken out into components, Open SAN had EMC, IBM, and HP; NAS had EMC and NetApp; and iSCSI SAN had Dell, followed by HP and EMC tied for second. Finally, in worldwide total disk storage factory revenue, we have EMC, HP, IBM, Dell, and NetApp, the same order as a year ago.
There are, however, a couple of interesting points to be made:
- We saw a case of “the rich getting richer.” Generally, the market shares of the top vendors increased, while the market share of “other” decreased.
- The one exception was Dell, which went from 12.7% to 11.4% — and that was *after* IDC started including Compellent in its figures, after the company’s acquisition. Chris Mellor of the Register UK points out that Dell fell completely out of the top 5 in external disk revenues, being replaced by Hitachi, with which it had tied in the previous quarter. In fact, in total revenues, NetApp may overtake Dell in the next quarter, he adds.
- In external disk storage, ranked by revenue growth, we’d have seen NetApp, Hitachi, EMC, IBM, and HP.
- In total disk storage, we’d have seen NetApp, EMC, IBM, HP, and Dell. Mellor points out, however, that NetApp’s growth has slowed compared to previous quarters.
Some of HP and EMC’s growth is due to acquisition — in HP’s case, it’s H3C and 3PAR, while in EMC’s case it’s Isilon.
It will be interesting to see how things change in the next quarter.
- With everyone talking about the cloud, will people be buying fewer drives?
- Or will the storage sold to all the cloud vendors make up for it?
- Or, will the Amazon outage send people scrambling to take care of their own storage again?
- What will happen to disk storage sales as flash becomes more popular?
- How might acquisitions in the drive manufacturing space change things in the system space?
- What will happen with Dell?
Two events happened last week that are expected to lead to acquisitions of a quarter of the electronic discovery vendors by 2014 — and one of them even provided a shopping list.
The first event was security vendor Symantec acquiring e-discovery vendor Clearwell. Dave Raffo already talked about the details of the acquisition; what’s interesting about it in this context is that it’s simply the first domino, as predicted by the second event.
The second event was Gartner releasing its first “Magic Quadrant” analysis of the e-discovery marketplace, which, among other things, predicted that a quarter of all e-discovery companies will be consolidated by 2014, with the acquirers likely to be mainstream companies such as Hewlett-Packard, Oracle, Microsoft, and storage vendors.
Symantec’s acquisition of Clearwell fit right into predictions: Clearwell was named to the leaders quadrant, and Symantec had been named to the challengers quadrant, meaning it primarily needed more vision — which Clearwell could provide.
Now it’s likely that in the kind of musical chairs M&A people go through because they don’t want to be the one standing when the music stops, the sorts of vendors Gartner talked about as acquirers — particularly the major vendors in the challengers quadrant, IBM and EMC, as well as Nuix — will start looking at the list of contenders so helpfully provided in the report.
Likely to be up, of course, are the other vendors in the Leaders quadrant — Autonomy, which just acquired niche player Iron Mountain’s digital business itself; FTI Technology; Guidance Software; and kCura. Less attractive, but also likely to be less expensive and, maybe, more desperate, will be the other vendors, such as AccessData Group, CaseCentral, Catalyst Repository Systems, CommVault, Exterro, Recommind and ZyLab in the “visionaries” quadrants, and Daegis, Epiq Systems, Integreon, Ipro, Kroll Ontrack, as well as the ediscovery components of Lexis/Nexis and Xerox Litigation Services.
Anybody placing bets?
The Center for Disease Control recently issued an emergency preparedness and response circular about….zombies.
“You may laugh now, but when it happens you’ll be happy you read this,” the circular warns. It goes on to describe the zombie threat, and what people can do to be prepared in the event of a zombie apocalypse.
No, it wasn’t issued on April Fool’s Day, and no, it wasn’t a joke. Well, sort of. Does the CDC really expect a zombie apocalypse anytime soon? No, probably not. But its purpose in creating the alert was deadly serious, and it’s something we can all take lessons from in developing disaster recovery plans:
- It got attention. The CDC had more than 1,000 articles published about the Zombie Apocalypse circular, and got so many Internet hits that its server crashed. Even so, the zombie circular got 60,000 hits in that first day. In contrast, a typical CDC blog post might get between 1,000 and 3,000 hits, and the most traffic on record had been a post that saw around 10,000 visits, a CDC spokesman told Reuters.
- Disasters are all the same. Seriously, there’s not going to be that much difference in preparing for an earthquake vs. preparing for a pandemic vs. preparing for…well, a zombie apocalypse. The CDC’s suggested list of preparations included getting together food and water supplies, making arrangements to meet with loved ones, etc. — all the same sorts of things you’d do if you were making *any* disaster plan. True, some of it was with the theme (“Plan your evacuation route. When zombies are hungry they won’t stop until they get food (i.e., brains), which means you need to get out of town fast!”) but generally the suggestions were generic and could apply to any disaster.
- Bypasses the Critical Censor. As a former resident of the Bay Area, I can testify that people who live in an area prone to disasters can develop a certain kind of blinders. Yes, we all knew there’d be an earthquake sometime, and some of us even had some preparation, but in general people don’t worry about it all the time. “Human beings are hard-wired to believe in their heart and soul that disasters don’t happen and won’t happen to them,” Dennis Mileti, a retired University of Colorado sociology professor and researcher, told MSN Money. Writing the circular about zombies allowed people to read it and absorb the lessons without them getting into the whole “Oh, I know all that, I don’t need that, lalala” reaction that a more realistic disaster could have elicited. (In point of fact, the CDC wrote the circular to help people prepare for hurricanes.)
It seems pretty self-evident that one could apply these same lessons to writing a disaster recovery plan — just write all the same preparations, but wrap it into another event that could get people’s attention and make them laugh a little as they read it.
I hear the next Rapture is scheduled for October 21.
Well, the other Dropbox shoe has, uh, dropped. In response to last month’s revelation that the Dropbox file sharing service can’t actually promise to keep your files secure, but can look at them and will turn them in to law enforcement if requested, a researcher has filed a complaint with the Federal Trade Commission claiming deceptive practices.
The complaint was filed on May 11 by Christopher Soghoian, who was a busy boy this month; as you may recall, he also hit the front pages by breaking the story on May 3 of an unknown perpetrator, which turned out to be Facebook, attempting to smear Google with privacy accusations.
The problem is, that’s something someone else can see, too. They can upload a file, and, if much less data transmits than the file size, they know it’s a file Dropbox already has. This is where law enforcement comes in. Writes Soghoian:
What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.
Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.
Do you see how this is even worse than simply Dropbox having to cough up a specific user’s data upon request from law enforcement? Law enforcement can now say, we *know* you have this data online, *you* tell *us* who has it.
And think of how this would play with the new PROTECT-IP bill that’s being proposed, which would let a third party shut down a site for having a copy of its intellectual property: Viacom, say, uploads a copy of a movie it suspects is available on Dropbox, finds it’s already there, demands to know who owns it, and then shuts down that company’s site — potentially all without ever getting a warrant, because if Dropbox won’t tell, Viacom can shut *it* down for having a copy of the file. And if Dropbox gets shut down, what happens to all its other, innocent users’ files?
Moreover, Soghoian writes in his complaint, users now run the risk of having either rogue employees or hackers breaking into the Dropbox system to steal files and the stored keys that enable the company to decrypt and deduplicate files.
Recent high profile data breaches experienced by RSA, Comodo, and Lastpass demonstrate that hackers are increasingly sophisticated, and are now seeking out high‐value infrastructure targets that can deliver more than just a few million credit card numbers.
(Oddly, Soghoian doesn’t list Epsilon as one of his examples, the electronic mail service bureau that was broken into in March in a data breach, the costs of which could eventually reach $3 to $4 billion.)
Soghoian’s not asking for much in return: Just that Dropbox tell people they can decrypt files, by emailing all its users rather than just changing its terms of service, make Dropbox give their money back to anybody who wants it, and never, ever to do it again.
While Dropbox has responded to the basic facts of the complaint in its blog, it hasn’t addressed the security hole associated with law enforcement or another data owner being able to tell what’s already on the service by sending another copy of it up.
Between this and Facebook/Google, one wonders what Soghoian’s going to do for an encore.
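The upload-size signal described in this post can be reproduced with a toy model. The following is an added example, not code from the original post or from Dropbox; the three mode names, the user names and the sample document are constructed for illustration. It compares cross-user client-side deduplication with two designs that do not expose the signal, and shows what each costs in storage.

```python
import hashlib


class DedupStore:
    """Toy storage service that deduplicates uploads on a SHA-256 content hash.

    mode (hypothetical labels used only in this example):
      "cross_user_client" - one index for all users; the client skips sending
                            any body the service already holds
      "per_user_client"   - index scoped to each user; the client skips only
                            bodies that same user already stored
      "server_side"       - one index for all users, but the body is always
                            sent and duplicates are collapsed after receipt
    """

    MODES = ("cross_user_client", "per_user_client", "server_side")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.blobs = {}       # index key -> stored bytes
        self.user_files = {}  # user -> set of content hashes

    def _key(self, user, digest):
        # Scoping the index per user is what stops one account's upload
        # from being answered with another account's data.
        return (user, digest) if self.mode == "per_user_client" else digest

    def upload(self, user, data):
        """Store data for user; return the body bytes that crossed the wire."""
        digest = hashlib.sha256(data).hexdigest()
        key = self._key(user, digest)
        already_stored = key in self.blobs
        self.blobs.setdefault(key, data)
        self.user_files.setdefault(user, set()).add(digest)
        if self.mode == "server_side" or not already_stored:
            return len(data)
        return 0  # only the hash was sent; the body was skipped

    def stored_bytes(self):
        return sum(len(blob) for blob in self.blobs.values())


def upload_size_reveals_prior_copy(mode, document):
    """True if a second account's upload traffic depends on whether some
    other user already stored the same document."""
    with_copy = DedupStore(mode)
    with_copy.upload("alice", document)
    sent_when_present = with_copy.upload("observer", document)

    without_copy = DedupStore(mode)
    sent_when_absent = without_copy.upload("observer", document)
    return sent_when_present != sent_when_absent


def audit(document):
    """Per mode: (traffic leaks existence?, bytes stored for two identical uploads)."""
    results = {}
    for mode in DedupStore.MODES:
        store = DedupStore(mode)
        store.upload("alice", document)
        store.upload("bob", document)
        results[mode] = (
            upload_size_reveals_prior_copy(mode, document),
            store.stored_bytes(),
        )
    return results


# Constructed sample input, 1792 bytes.
SAMPLE = b"constructed sample document " * 64

if __name__ == "__main__":
    for mode, (leaks, stored) in audit(SAMPLE).items():
        print(f"{mode:18} leaks_existence={leaks!s:5} stored_bytes={stored}")
```

Server-side deduplication keeps the storage saving and gives up only the bandwidth saving, while per-user scoping keeps a user's own bandwidth saving and gives up the cross-user storage saving.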
A lot of my friends spent the day scoffing at the notion that anybody would spend $28 a month (for a business user), $20 a month (for a student), or almost $500 to outright purchase a Chromebook, a netbook computer that uses Google Apps to use data stored entirely in the cloud.
Okay, I’ve got geeky friends. Granted.
The thing is, I think my friends are wrong, and that there’s quite the business case to be made for Chromebooks.
Consider. In March alone, there were several incidents of laptops lost with large amounts of sensitive personally identifiable information. And in recent months, the Ponemon Institute has performed studies about the cost involved in data lost through laptops, both in Europe and the U.S. The numbers are astonishing.
“According to the findings, the number of lost or stolen laptops is huge. Participating organizations reported that in a 12 month period 86,455 laptops were lost or missing. The average number of lost laptops per organization was 263.”
That’s in the U.S. In Europe, the figures are 72,789 laptops, and 265 laptops per organization. This adds up to $2.1 billion in the U.S., and 1.29 billion Euros in Europe.
That’d lease a lotta Chromebooks.
But even if companies suddenly became much more careful of their laptops, there’s another issue, one over which they don’t have much control, and that’s search and seizure by the U.S. government.
In August 2009, the U.S. government implemented a new policy for the Department of Homeland Security giving the department the right to search laptops in border areas. The problem is, according to Udi Ofer, Advocacy Director for the New York Civil Liberties Union, in a letter he wrote to the New York Times in August, 2010, Border Patrol agents have the right to conduct such seizures within 100 miles of the U.S. border, which covers much more of the United States than it sounds. In fact, two-thirds of the population of the U.S. lives in one of those areas, he wrote — and people in those areas could be subject to losing their laptops. (Indeed, the Ninth Circuit Court recently ruled that such laptops could be transported more than 100 miles away to do a more thorough search.)
In addition to business executives, this makes two other groups very nervous: Attorneys, who are concerned about privileged client information, and photojournalists, who are concerned about having their pictures taken away. This is why, last September, the National Association of Criminal Defense Lawyers (NACDL), the American Civil Liberties Union (ACLU), and the New York Civil Liberties Union (NYCLU) announced they were fighting this law. (The Electronic Frontier Foundation, which had already been following the issue, supported them.)
The advantage of data in the cloud is, it can’t be seized at the border. You might be out a $500 notebook, but not the much more valuable data that would otherwise be on it.
That’s not to say that data can be stored in the cloud with impunity — there are indications that cloud providers, too, are vulnerable to persuasion from law enforcement. But there’s at least some standard of proof required for that.
And yes, as my friends argued, there are other ways to get thin client cloud-oriented notebooks than from Google. But Google is making it simple. And considering how many people are managing to lose their laptops these days, simple may be what we need.
Granted, it’s not every IT administrator who has to deal with a C-level executive in a remote office losing confidential company data because an elite armed military force broke into the place he was staying and took it. That said, there are a number of lessons that IT administrators can take away from this week’s news.
It’s one of an IT administrator’s worst nightmares, to lose 10 hard drives, five computers and more than 100 thumb drives. But even if it’s left in the back of a cab, rather than being taken by Navy SEALs, it’s still a problem. So let’s look at some of the issues.
1. Backups. Did bin Laden do a backup? We already know his system wasn’t replicated, because the news articles have all said he didn’t have Internet access to his compound. If he did do a backup, then what? Was it located in the same hideout, and also taken? Or did someone use Sneakernet — or, in this case, Sandalnet — and manually carry backups to another location? If not, al-Qaida may have permanently lost access to this data. Takeaway: Do backups, and make sure copies are stored off-site.
2. Encryption. Was the data on the hard disks and thumb drives encrypted? If so, how hard is it going to be for computer experts in the government to find a key? Sent through plain text in an email message, perhaps? On one of the thumb drives? Or, Allah forbid, on a yellow sticky on the computer like some offices I’ve seen?
Failing that, how hard is it going to be for government computer experts to crack the encryption? Does bin Laden use 128-bit or 256-bit? What method? Security experts had varying opinions as to whether bin Laden practiced safe computing, or used one of his wives’ names as the key like ordinary people do.
If the data is encrypted, the U.S. government isn’t saying at this point. Officials are saying the drives contained “very valuable information,” which means either it wasn’t encrypted or it used the encryption equivalent of pig Latin. Or, for that matter, the officials could be shining us on as well. What’re they going to say? “All we found is three seasons’ worth of pirated Friends episodes and some goat porn”?
Ironically, according to MSNBC, this sort of data capture has happened before.
“The most notable previous bonanza that has publicly been revealed was uncovered in July 2004, when al-Qaida computer expert Mohammed Naeem Noor Khan was captured in Pakistan. His laptop computer provided a trove of information and more than 1,000 compact disk drives that were found in his apartment.”
You’d think they’d have learned.
Or maybe they did. One hopes that the government computer experts are taking precautions as well. Keep in mind that a number of incidents of malware — including Stuxnet — have been spread using thumb drives, under the theory that even intelligent people will pick up a thumb drive and pop it onto their computer to see what it does. Says writer Wayne Rash:
“This is exactly what happened a couple of years ago in Iran when the Israeli Defense Forces quietly planted some USB memory sticks in places frequented by Iranian nuclear engineers. Like everyone else, they popped the devices into their computers and the rest is history.”
If U.S. government computers start going nuts in a few days, we’ll know why.
This week featured millions of people glued to computer screens, waiting for all to be revealed, sharing their predictions, and crying when they finally saw the reality.
Oh, yeah, and there was a Royal Wedding.
But ten minutes before that (not that they were trying to hide anything, of course), Amazon also released the post-mortem of its extended Elastic Compute Cloud (EC2) outage of the previous week.
In case you were under a rock, a number of major computer sites — including foursquare, Reddit, and Quora — were down for a day, sometimes more, on April 21, due to a problem with Amazon’s web hosting business. It wasn’t until Monday or Tuesday of this week that all the sites really recovered.
If you’re familiar with the concept of “thrashing,” where a too-full hard disk or computer memory is so busy trying to find places to work that it doesn’t get anything done, that’s basically what happened to Amazon, on a mammoth scale. Due to a configuration problem, the cloud went down, and the first thing all the servers did when they came up was try to re-mirror themselves — which they couldn’t do because all the other servers that were up were trying to do the same thing. The actual summary goes into a lot more detail, if you really want to know, but that’s basically it.
So now the Internet is seeing a storm of a different kind: A pundit storm where people talk about 1) What It All Means and 2) Where We Go From Here and 3) Could It Happen Again?
1) S*** happens. 2) Don’t have a single point of failure, duh. 3) Of course.
Oh, you wanted more detail?
What it all means is that people are human and machines are stupid. This does not change, and will not change. Count on it. Problems happen. Then we institute new systems that help us protect against the most recent problem, and wait for a new problem to happen.
You know, like the TSA.
Where We Go From Here is that Amazon is instituting a number of changes in processes and procedures, both human and machine, that are intended to keep this from happening again.
Organizations that use the cloud — anybody’s cloud, not just Amazon’s — should take this as a wake-up call. Even if you weren’t affected by this outage, you could be on the next one. Don’t just have a backup. Have a backup for the backup. Yes, it costs money. How much money does it cost for your business to be out for a day? (Even if Amazon did give all its affected customers a freebie.) Forrester analyst Rachel Dines wrote a blog post listing a number of questions organizations should ask their cloud provider about backups and failover strategies.
Finally, accept that it’s going to happen — whether it’s from a natural disaster like the earthquake in Japan or the tornadoes in the American South, government action to shut down the Internet like in Egypt, widespread electrical failures, or simply a flu pandemic. As Dines says, “Assume nothing” — check every step in the disaster recovery plan, and figure out what the alternative is for every component that could fail.
When you absolutely, positively have to keep people from being able to look at your data, what do you do? Last week a number of people were surprised to find out that the popular cloud storage site Dropbox, which had advertised itself as encrypting its data so thoroughly that even its employees couldn’t look at it, actually could decrypt data after all — if required to do so by U.S. law enforcement.
Dropbox made a point of telling Steve Kovach at Business Insider, who broke the story, that this was a rephrasing of its terms of service, not a change in policy. “The TOS update was merely a clarification for users, not a policy update,” the company said.
Dropbox also pointed out that it wasn’t alone in this. “It is also worth noting that all companies that store user data (Google, Amazon, etc.) are not above the law and must comply with court orders and have similar statements in their respective terms of service.”
A number of articles about the incident concurred with this, including Business Insider’s. “This is nothing groundbreaking, but Dropbox has updated its security Terms of Service to say that if the government asks, they will have to decrypt user’s files and turn them over. That’s standard practice for any online storage service from Gmail to Amazon.”
But Business Insider went on to say, “and shouldn’t affect the average user unless they’re doing something wrong.”
That’s where it gets sticky.
Several other articles on the subject made similar comments. “In the meantime, don’t go doing anything that’ll get you in so much trouble that the G-Men need to decrypt your email or cloud storage,” said David Gewirtz of ZDNet, whose article headline, “If you have something to hide from the government, don’t use Dropbox” also implied that only those who had something to hide should be concerned. “Ok, so no worries–so long as you’re not doing anything wrong, you should be fine,” agreed Sarah Jacobsson Purewal of PC World. Comments in the PC World story went so far as to say that the only people who would be concerned about this would be pedophiles.
Recall that in 2005, the New York Times revealed that the National Security Agency was monitoring telephone calls, without warrants, of domestic callers. A few months later, USA Today revealed that this was going on with the cooperation of a number of telephone companies, including AT&T, Verizon, and Bell South.
“[T]o say that only the “guilty” have any reason to care about privacy shows a dangerous lack of awareness of how easy it is to violate some law or regulation and thereby become “guilty” yourself,” says William Morriss, a Senior Associate patent attorney of Frost Brown Todd, writing in the Ephemeral Law blog. “Even worse, when the government goes about collecting enormous amounts of data without having to justify itself and without any oversight, there will inevitably be false positives which have the potential to literally ruin someone’s life.”
The one solution Dropbox has to offer is that users can encrypt their own files before uploading them to a data storage service like Dropbox — so that even if the storage service decrypts the files it has stored, they remain encrypted under a key that only the user holds. “Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms,” the company’s Terms of Service said.
However, it doesn’t say exactly how one goes about finding or using third-party encryption software. Moreover, there are those who fear that any encryption software — unless it’s open source, where people can examine it — could have a “back door” that would allow government agencies to decrypt it without user assistance. Attempts have been made, and continue to be made, to require such a back door. Some people, consequently, are sticking with “better safe than sorry” and using only open source encryption software. Unfortunately, this goes beyond the area of “easy to use” for the average — law-abiding — user.
A major Asian manufacturer is looking to get out of the storage business so it can invest in new areas.
In this case, however, it’s not Hitachi GST that’s doing the selling, but Samsung Electronics, which — like Hitachi — was primarily involved in the spinning disk market and had less of a presence in the solid-state disk (SSD) market and would face expensive retooling to support it, according to the article in the Wall Street Journal on Sunday that sparked all this.
The potential purchaser? Seagate Technologies, which was leapfrogged by the Western Digital-Hitachi GST merger, which took up almost 50% of the market, according to iSuppli. Seagate accounted for 29% of hard disk drive shipments in the fourth quarter, while Samsung accounted for 10%, iSuppli said. In addition, sales of hard disk drives are down 4% in Q1 compared with Q4, iSuppli said.
Perhaps Seagate — which considered and rejected a Hitachi purchase itself — didn’t want to miss out a second time. And unlike a Hitachi purchase, which might have courted an antitrust claim, a Samsung purchase would be in the consumer marketplace, rather than the enterprise market Seagate and Hitachi share, according to Jason Mick at DailyTech.
The source for all this? “A person familiar with the matter,” who said the Korean Samsung was hoping for $1.5 billion (compared to the $4.3 billion Hitachi fetched), but might settle for $1 billion.
Seagate itself wouldn’t comment, but Chris Mellor of The Register noted earlier this month, in a piece about Seagate’s earnings, that its chairman and CEO, Stephen Luczo, was spending three months in the Far East, and that Seagate’s earnings report had noted, “The preliminary results for the fiscal third quarter do not include the impact of any potential new restructuring activities, future mergers, acquisitions, financing, dispositions or other business combinations the company may undertake.”
The Journal quoted Richard Kugele, an analyst at Needham & Co., as saying “there is really no legitimate alternative” to a sale of the unit to Seagate other than for Samsung to shut it down.