[ISN] Has Dan Farmer Sold His Soul?

[InfoSec News]

http://www.businessweek.com/smallbiz/content/apr2005/sb2005045_4318_sb013.htm

Edited by Rod Kurtz
APRIL 5, 2005   

The security guru and fiercely independent creator of free software
tool SATAN explains why he teamed up with VCs to launch Elemental
Software

Most computer aficionados associate Dan Farmer with the word "free,"  
both in terms of spirit and software. In the early 1990s he co-wrote
and released for free a software program called SATAN (System
Administrator's Tool for Analyzing Networks), which helps companies
take a good look at their computer networks and identify any weak
spots. When Farmer first released it, many in law enforcement worried
the program would help the bad guys break into computer networks,
while colleagues in the computer-security world figured he was giving
them the tools to keep the bad guys out.

A former Marine who applied for and received conscientious-objector
status during the first Persian Gulf War, Farmer has always done
things his own way. He became one of the tech industry's leading
experts on computer security, working as a consultant and occasional
employee for companies ranging from Sun Microsystems (SUNW) to Geffen
Records (V).

About two years ago, Farmer decided to start his own company,
Elemental Security. He and engineers at the San Mateo (Calif.)  
software startup have built a package that allows corporate-tech
managers to devise and implement security policies. They took the
wraps off the technology at a security conference in Orlando (Fla.) on
Apr. 4, but Farmer spoke with BusinessWeek Online Technology Editor
Jim Kerstetter a few days earlier about his devilishly named free
program, and why he's happy to be Elemental's chief technology officer
rather than CEO. Edited excerpts of their conversation follow.


Q: The release of SATAN generated quite a buzz. How did your work on
that eventually lead to Elemental?

A: We just released SATAN once, and that was in '95. I had this great
idea of writing a book in '96, a compendium of security. Sort of like
the project [French philosopher Jean-Jacques] Rousseau did on the Age
of Enlightenment. One area we thought we knew a lot about was
auditing.

But we discovered after a year or two that auditing is really hard. I
suggested, let's scale back and work on forensic security, because no
one was working on that at the time. We put out a forensic-tool kit,
back in '99, I guess. I was also doing some work for the recording
industry at the time.


Q: Really, on what?

A: Back in I think it was '99 there was this young company just
starting up called Napster. I had never heard of them before. But I
was doing some work for a friend of mine at Geffen Records. And he
asked me to do some technical due diligence on the thing. This turned
into being an expert witness for the recording industry against
Napster. People would ask me: "Hey, you gave away software. Why can't
they give away music?" But it was a choice I made. Napster was
predicating its business model on violation of copyright. I happen to
believe in copyright. Eventually, I won a gold album from the
recording industry for this whole trial thing. And this eventually led
into the whole Elemental story.


Q: Why did you finally start a company?

A: I had been offered a lot of money over the years for things like
SATAN, especially during the boom years. I thought if I could start a
company now [in 2002] and make it succeed, there could be some merit
to it. Bessemer [Ventures] and Mayfield [Ventures] funded it, and
later in a second round they were joined by Sequoia.


Q: What was your elevator pitch?

A: It was about policy management. What is a policy? It's an
expression of your desire. If you are talking about computer security,
you know what you want: You want your systems to behave in
well-defined ways. You don't want surprises. You want a list of things
you wish to see happen. The hard part is expressing those desires in a
way that is meaningful to computers. Automation is the key here.  
Express your desire, and find a way to enforce that process. That
sounded like a great idea to me.


Q: You've been pretty independent over the years. So there must have
been a serious crossing-the-Rubicon moment for you.

A: Oh, absolutely. One of the big reasons I didn't start a company
before is it's a lot of responsibility. We're up to 35 employees now.  
I can't say all 34 other people are depending on me for their
livelihood, but they wouldn't be working here if they weren't. You
really have to give your heart and soul to the company for a
considerable length of time.

I was pretty confident the idea was sound, and the technology would
work. But the real reason I started the company was, if I could have
done it myself and written it and given it away, I would have done it.  
I had no burning desire to start a company. But the idea was so huge,
there was no way I could have done it myself or with a couple of pals.  
The resources a company gives you allows you to take on bigger
challenges.


Q: Do you get sentimental about your independent days?

A: Oh yeah, all the time. Elemental probably won't last forever. If it
does, great. But at some point, I'll probably go back into research
mode. If there's one thing I'll never run out of is ideas. I'll
probably go back at some point to writing free software or something
like that.


Q: So it sounds like you never thought you'd be the guy running the
company. In fact, security industry vet Peter Watkins is running the
show.

A: I'm not a business guy. I'm not a manager. I believe I understand
the problems and strategic issue. But the tactical matters, how to
raise the money, raise the company. I'm a really huge believer in
marketing and messaging. Part of SATAN's reason for success was its
name: System Administrator's Tool for Analyzing Networks. That acronym
propelled it to a lot of places where it wouldn't have gotten much
visibility. I think the power of names, the power of messages, the
power of how people perceive things is really crucial. The technology
by itself, if no one knows about it and no one uses it, is pretty
useless.


Q: Do you see Elemental staying independent or getting acquired by a
bigger security company?

A: That's a good question. I think, by and large, the investors feel
if all things are equal, most people would prefer to see a company
stay independent. On the other hand, acquisitions can generate a lot
more cash, and people are vacuum-cleaning these companies up.

But the basic model for the company was we weren't going to hit just
one little niche. We started from a pretty broad base. We had to have
a broad product from the start. Perhaps it makes us a little less
desirable takeover target. I don't know.