The Crux

Exit Strategies


Things to note

I chatted with Ned Bellavance, Nigel Poulton and Stephen Foskett on the GestaltIT On-Premise IT podcast. I boldly suggested that WebAssembly could be the biggest deal in IT in the past 15-20 years.

Broadcom will sell off VMware's end-user-computing and Carbon Black businesses, according to CEO Hock Tan. Just as predicted in our briefing note Broadcom and VMware's Next Chapter sent to clients in late November, though we thought Carbon Black might have been absorbed into the Symantec Enterprise division. Little comfort for SMBs, either, with a push to subscriptions and bigger footprint Cloud Foundation deployments, but folks like Scale Computing and Nutanix will be happy.

A further threat to HashiCorp after its BSL license change has emerged: The OpenBao project based on a fork of Vault. It's under the auspices of the Linux Foundation, and the proposal appears to be sponsored by IBM. Vault is the other major source of revenue for HashiCorp alongside Terraform, and this could be the bigger threat long-term, especially if someone else spins up a Vault-as-a-Service competitor to HashiCorp's HCP Vault offer. Another move that PivotNine anticipated in our HashiCorp and the Business of Open Source report.

LogoFAIL is a way to hack the boot splash logo in UEFI BIOS to bypass all the boot security. Both Linux and Windows devices are affected. It's a bit fiddly, but if you can get into a system it's a very persistent mechanism.

UK nuclear site Sellafield has been infected with malware since 2015, according to The Guardian. We don't know if all the malware has been removed. It seems the senior staff at the site weren't keen on letting anyone know about the malware infection. Cool and normal.

It turns out the 23andMe data breach was much larger than the company originally claimed. Quelle surprise! Instead of 14,000 people, or 0.1% of customers, as originally claimed, it's actually 6.9 million people, or 49% of customers. Missed it by that much.

Apple has been secretly giving foreign governments data on everyone's push notifications. Apple claims it was forbidden to tell anyone. Google was doing it as well. Reminds me of PRISM and the ongoing use of Section 702 of the FISA Amendments Act of 2008. Do you feel safer?

Speaking of Section 702, alien scum like me who want to visit the US might get treated with the same paranoid scrutiny as suspected terrorists or spies if a new Section 702 bill passes. We get this authoritarian ratchet every time S702 comes up for renewal, and this time there are two competing bills. What could possibly go wrong?

Your Android mobile password app might be leaking your passwords. Dubbed AutoSpill, the bug involves how Android's autofill mechanism works. It's a convenience feature that tries to autopopulate your credentials to websites you've visited before, so you can turn it off as a workaround while the password managers fix the problem.

France-based Thales Group has bought cybersecurity company Imperva. Thales has been expanding bigtime into cybersecurity recently, mostly via acquisition. There's quite a lot of consolidation going on, which is long overdue in my opinion, and still hasn't really hit the levels I'd expect. Plenty of expansion left in this part of tech, it seems.

In a legal filing version of the Spiderman pointing meme, Amazon has accused Microsoft of unfairly restricting customer choice in cloud computing in a submission to the UK CMA. Google has also criticised Microsoft. Microsoft says there's plenty of competition. I think Microsoft is understating its dominance of the "number of high severity data breaches" market.

Speaking of competition, the EU has signalled to Amazon how it can get approval for its iRobot acquisition. It has to promise to be good and not manipulate marketplace rankings of robot vacuum cleaners. Those Europeans and their polite and sophisticated sense of humour! How droll.

VLSI Technology's big patent win against Intel from 2021 has been overturned on appeal. VLSI had been awarded USD $2.18 billion for patent infringement in the long-running case. There'll be a new trial, which will keep the lawyers happy.

Polish security researchers said they found evidence that trains built by Newag SA had software that would sabotage them if the hardware was serviced by competitors. The train company, apparently believing we're all credulous idiots, says it must have been hacked or that an "illegal black PR campaign" was being waged against it. I wonder if any executives from Volkswagen moved to Newag SA?

GitLab still doesn't have very good internal controls for the IT systems it uses to prepare its financial reports, it told the SEC. In its 10-Q filing, it said it wasn't very good at ensuring "IT programs, data changes and migrations affecting financial IT applications and underlying records are identified, tested, authorized and implemented appropriately." If only there was some software that could help with that.

StabilityAI will have to defend against Getty's lawsuit in the UK in a trial.

Roy Kerr, black hole pioneer, reckons that singularities don't exist.

This is a pretty accessible explanation of the different theories and why Kerr has said what he has. I don't pretend to understand the maths, and I only once glimpsed actual understanding of the concept of “frame dragging” when reading about it many years ago. Still, this is a fun read.

Longer reads

Bruce Schneier has a good essay on why trust is important and AIs are breaking it.

I'm not sure I quite agree with his categorisation of trust types and degrees, but the broad thrust works. For me it's more about layered systems and abstractions.

I would also dispute his fatalism about having no choice but to entrust ourselves to these systems. We do have a choice, individually and—more importantly—collectively. I'm glad he mentions power, though, because power differentials are a very important part of any thinking about how systems work.

VMware Exit Strategies

It should be clear by now that Broadcom is going to run its usual playbook with VMware. As covered by Simon Sharwood in The Register, Broadcom will focus on high end sales and subscription payments. It will add revenue from the enterprise and annoy SMBs to the point they go away on their own. Broadcom won't care, because SMB is not its target segment.

Buying the odd thing here and there—just the hypervisor and maybe a bit of manageware, cherry picking just the bits you need—is not what VMware wants customers to do, but that's how SMBs prefer to buy. SMBs also like to buy a thing and just have it. They resent constantly paying for a thing over and over again, especially when there's little additional perceived value.

Enterprises, in contrast, buy an ongoing relationship, no matter if it's CapEx or OpEx. They cherry-pick to start with, testing out a vendor to see if they want to make a larger, more strategic investment or not. If the vendor passes, then enterprises tend to prefer a bundle of stuff, all nicely integrated. The work of assembling a constellation of disparate pieces and stitching them all together is hard. Too hard, for most of them. They especially don't want to rebuild the whole thing from scratch.

So SMB will probably flee, and that opens up a tremendous opportunity for Kubernetes as a destination. VMware competitors like Scale Computing and Nutanix will pick up plenty of business, I'm sure, as SMB and Commercial customers look for something less hefty, less expensive, less Broadcom than VMware. But they will face a similar challenge to VMware proper: containers and Kubernetes. How to run both without doubling your operational challenge?

Nutanix has added nascent Kubernetes support to its HCI approach to VM clusters, and Scale suggests using Rancher's k3os distribution to host Kubernetes nodes on Scale clusters. These will work, to a point, but the key piece I'm watching is the KubeVirt project.

In true worse-is-better style, KubeVirt lets you schedule VMs like containers, using Kubernetes mechanisms to do it. For places using both containers and VMs, having a single operations mechanism to manage them both reduces the overall complexity. VMware is trying to do this—but from the other direction—with things like Tanzu, with varying degrees of success.

VMware has a broad range of stable services to make managing VMs easier for operations staff, many of whom have no idea how to operate Kubernetes. However, containers and Kubernetes are beloved by developers writing software, including for the vendors of software that companies want to buy. Operating Kubernetes somehow is likely inevitable, so it'll come down to which operational method organisations prefer: the VMware way, or the Kubernetes way.

I suspect VMware will hang on tenaciously to its enterprise accounts, most of which will end up with some KubeVirt somewhere because of guerilla action by rogue business units. They won't be ‘official’ though, just a pesky shadow-IT thing that centralised IT will try to hunt down and convert, by force if necessary, to the official company religion.

Meanwhile, everyone else may very well just go with KubeVirt—or something very much like it—because it's what everyone else is doing. Including options like Scale and Nutanix, because it's just easier. VMware will become something like a zSeries mainframe or AS400 or HP-UX as the insurgent NetFrame/Windows NT 3.51/Linux equivalent of Kubernetes quietly takes over, system by system.

And Broadcom will still squeeze lots of money out of its customers, for longer than many people currently believe is possible.