Computer Forensics – Does Your Used Hard Drive Still Have Data On It?
Tom Bartel – a longtime colleague going back to the early days of Email Publishing in the mid-1990s and a hardcore privacy advocate currently working at Return Path – mentioned a PowerPoint presentation by Simson Garfinkel titled Remembrance of Data Passed: Used Disk Drives and Computer Forensics. While I don’t know Simson, we were both in the same year at MIT (’87) and I remember him as the guy that always had articles and photos in a variety of MIT-related publications and I’m reminded of it every time I see an article by him in Technology Review.
If you care about data security and privacy, it’s worth downloading the PowerPoint and scanning through it. Simson bought 235 used hard drives between 11/2000 and 1/2003 from eBay, computer stores, and swap meets. He set up a technical infrastructure to mount the drives, image them (using FreeBSD), store the images on a RAID server, store the metadata in a MySQL database, and then mine the data.
Not surprisingly, he found a huge amount of data, including confidential information such as medical records, HR correspondence, and financial data. For example, Drive #134 was from an ATM in a Chicago bank. It contained one year’s worth of transactions, including over 3,000 card numbers. In this case, the bank had apparently hired a contractor to upgrade the ATM machines – the contractor hired a sub-contractor. The bank and contractor assumed the disks would be properly sanitized, but there were no procedures specified in the contract. As a result, the drives weren’t sanitized correctly and the data was still on them for Simson to play around with.
In addition to explaining the problem and substantiating it with real data, Simson makes a number of suggestions for how to address the issue. Two of his more severe (but logical) suggestions for cleaning all the data off of used drives are (a) to degauss them with a Type I or Type II degausser or (b) to destroy, disintegrate, incinerate, pulverize, shred, or melt the drive. Simson’s ultimate prognosis is that “drive slagging is a fool-proof method to prevent data recovery.” Just be careful not to light your house (or office) on fire.
Simson logically ponders this issue, especially in our current Patriot Act governed world. For less than $1,000 and working part time, he was able to collect thousands of credit cards, detailed financial records on hundreds of people, and confidential corporate files. He concludes by asking – “who else is doing this?”
ProSavvy – a company I’ve been on the board of since 1996 – announced this week that they have merged with eWork. The combined company (called eWork) is the leader in consulting project and contracted workforce services procurement, management, and payment and is a $42 million, profitable company. We continue to be significant investors in ProSavvy and Seth Levine – who works with me at Mobius in Colorado – has joined the eWork board.
Seth has a comprehensive post on the merger, some history, the rationale, and the strategy of the go-forward business. We’re very excited about the transaction and the prospects for eWork going forward, as ProSavvy was a solid, but slow-growth company that needed a bigger overall platform to achieve its full potential. We’ve been looking patiently for a merger partner for the past year, having talked to a number of companies that were tangential and/or complementary to ProSavvy. eWork was the most promising fit and – after a long effort on both sides to make sure that the combined company was greater than the sum of its parts – we moved forward with a deal.
The combination of scale, growth, and profitability matters a lot these days with regard to value creation for enterprise application software and services companies. The combination of eWork and ProSavvy satisfies all of the parameters nicely and we’re optimistic about our ability to create a company with meaningful long term value.
I had a great board meeting today at Quova and a near perfect board meeting at Rally last week. While it’s a pleasure to be involved in both companies since they are both performing very well, the structure and tempo of each board meeting really turned me on.
I had started to notice a disconcerting rhythm to some of my board meetings. On the positive side, several of my CEOs have done a spectacular job of putting together comprehensive board packages that we’ve replicated throughout much of our portfolio. As a result, we have substantial, detailed board packages that come out around a week prior to the board meeting. This gives me plenty of time to read through the board package, ask specific questions of the CEO in advance of the board meeting, and study the financials carefully. Since most of my companies are working off the same board package template, the information is predictably organized, easy to follow, and comprehensive.
However, I’ve noticed recently that a lot of the time being spent in the board meeting was being squandered by effectively reading through the board package in real time. This is often disguised as “functional updates” where each VP goes through his part of the business by simply rehashing the information in the board book. Given that the typical board meeting is three hours, I started to notice that most of the meeting was being spent reviewing the board book (which I’d already read and gotten 90% of the information from) and a minority of the time was being spent on non-operational (e.g. strategic) discussion.
I’d subtly made this comment to several of my CEOs (as subtle as I’m capable of being – visualize a bull in a china shop) during board meetings in Q4 where I realized that while it was exciting to rehash what was essentially solid performance for 2004, I was much more interested in spending time looking forward and talking about what we needed to do to drive asymmetric business value in 2005.
Rally’s board meeting last week nailed it. The board package came out five days prior to the meeting so everyone had plenty of time to read it. We had a typical three hour board meeting that started on time. The meeting then occurred as follows:
- 5 minutes: Administrative items (approve the minutes, approve new options).
- 55 minutes: Department updates. We used the board package as the guide, but each exec spent a few minutes summarizing key points (rather than reading from the package) and then we drilled into Q&A and discussion on each area. It was a spirited discussion that was forward looking (e.g. “what are we doing in the next 30 days about issue X”) rather than backward looking (e.g. “good job on doing Y last month.”)
- 90 minutes: 2005 Strategic Priorities. We worked from a six-page PowerPoint presentation (that had crappy production value, but was high content value) and spent 80% of our time on one slide. The entire leadership team participated in the discussion – it wasn’t a “presentation of a conclusion” but a “discussion about what to do given limited resources and divergent opportunities.”
- 30 minutes: Executive Session (Board Only). We talked about a handful of personnel related issues, summarized the discussion, and set the tone for Q105.
I left the meeting feeling excited by where Rally is at, delighted by the dynamic among the members of the leadership team, and satisfied with the direction the board gave the leadership team.
Today, I had a very similar board meeting at Quova. While we covered very different topics – especially since we celebrated Quova’s five year anniversary today (with a fun event at the San Francisco Museum of Craft + Design) – the preparation was equivalent, the tempo was similar, and I walked out of the meeting equally excited about where Quova is and how the leadership team is interacting with each other.
The CEOs of Rally and Quova reminded me how a well-executed board meeting early in the year is a great way to set the tone for the business for the year to come.
Fortunately for my wife Amy, she’s aware that I’m a 15 year old boy trapped in a 39 year old’s body. So – when Netflix delivers Caddyshack to us, she lets me watch it on a Friday night after I’ve worked much too hard, exercised too much (and still struggled to get all the weight off), and been entirely too serious for the past five days (ok – as serious as I get about anything – which isn’t that serious since I am really a 15 year old after all.)
In 1980, I saw Caddyshack about 10 times (I think the only movie I saw more frequently was Star Wars, but I was only 12 then so I can be forgiven since I hadn’t yet matured enough to have perspective.) God only knows (and he’s the only one I’ll ever tell) how many times I’ve seen Caddyshack since, although it totals a number close to my current age. I hadn’t seen it in a while (where “a while” is obviously relative) and it was a delight. I even noticed Amy sneaking looks and laughing at the antics of Bill Murray, Rodney Dangerfield, Ted Knight, and Chevy Chase (wow – what a cast for 1980 comedy.)
I feel much better (and younger) than I did at 5:30 this evening.
We had a good day yesterday at Mobius VC as MCI announced they were acquiring NetSec for approximately $105m.
My partner Rex Golding has been involved since NetSec’s first venture round in mid 2000. As this investment was done at the peak of the bubble, we – like many other venture firms – were investing heavily in the promise of companies that provided “managed services” and were labelled “managed service providers (MSPs).” In many cases, post-bubble, the outcome of these companies was disappointing. NetSec – which specializes in managed security services (being one of the notable “MSSP’s”), built a very strong government practice, and has a deep, experienced leadership team. Things were challenging for the company in the 2001 – 2002 time frame, but everyone was patient, the team continued to systematically build a solid business, and has seen phenomenal growth the past 24 months.
Several months ago, another significant MSP – Inflow – was acquired by Sungard. As with the MCI / NetSec acquisition, this was a successful exit for Inflow (disclaimer: I’m an investor in one of the VC funds that was invested in Inflow), and given the well-worn theory that two data points make a trend, may be the beginning of positive exit activity for the MSPs that survived the downturn and built sustainable businesses in 2003 and 2004.
One of the key themes that has been floating around recently in the venture business is that the patient capital through the downturn (e.g. folks that hung in there with solid businesses in 2001 and 2002) is starting to be handsomely rewarded for their perseverance. We’ve had a few nice cases of this in the past 12 months – such as IAC’s acquisition of Service Magic – and a number of my colleagues are also seeing solid successes for companies formed in the 1999 – 2000 time frame.
Congrats to Rex, Glenn Hazard, and the team at NetSec!
As Jason and I continue to work our way through a typical venture capital term sheet, we encounter another key control term – the “protective provisions.” Protective provisions are effectively veto rights that investors have on certain actions by the company. Not surprisingly, these provisions protect the VC (unfortunately, not from himself.)
The protective provisions are often hotly negotiated. Entrepreneurs would like to see few or no protective provisions in their documents. VCs – in contrast – would like to have some veto-level control over a subset of actions the company could take, especially when it impacts the VC’s economic position.
A typical protective provision clause looks as follows:
“Protective Provisions: For so long as any shares of Series A Preferred remain outstanding, consent of the holders of at least a majority of the Series A Preferred shall be required for any action, whether directly or through any merger, recapitalization or similar event, that (i) alters or changes the rights, preferences or privileges of the Series A Preferred, (ii) increases or decreases the authorized number of shares of Common or Preferred Stock, (iii) creates (by reclassification or otherwise) any new class or series of shares having rights, preferences or privileges senior to or on a parity with the Series A Preferred, (iv) results in the redemption or repurchase of any shares of Common Stock (other than pursuant to equity incentive agreements with service providers giving the Company the right to repurchase shares upon the termination of services), (v) results in any merger, other corporate reorganization, sale of control, or any transaction in which all or substantially all of the assets of the Company are sold, (vi) amends or waives any provision of the Company’s Certificate of Incorporation or Bylaws, (vii) increases or decreases the authorized size of the Company’s Board of Directors, or (viii) results in the payment or declaration of any dividend on any shares of Common or Preferred Stock, or (ix) issuance of debt in excess of $100,000.”
Subsection (ix) is often the first thing that gets changed by raising the debt threshold to something higher, as long as the company is a real operating business rather than an early stage startup. Another easily accepted change is to add a minimum threshold of preferred shares outstanding for the protective provisions to apply, keeping the protective provisions from “lingering on forever” when the capital structure is changed – either through a positive or negative event.
Many company counsels will ask for “materiality qualifiers” (e.g. that the word “material” or “materially” be inserted in front of subsections (i), (ii) and (vi), above.) We always decline this request, not to be stubborn (ok – sometimes to be stubborn), but because we don’t really know what “material” means (if you ask a judge, or read any case law, they will not help you either) and we believe that specificity is more important than debating reasonableness. Remember – these are protective provisions – they don’t “eliminate” the ability to do these things – they simply require consent of the investors. As long as things are “not material” from the VC’s point of view, the consent to do these things will be granted. We’d always rather be clear up front what the rules of engagement are, rather than having a debate over “what material means” in the middle of a situation where these protective provisions might come into play.
When future financing rounds occur (e.g. Series B – a new “class” of preferred stock), there is always a discussion as to how the protective provisions will work with regard to the new financing. There are two cases: (a) the Series B gets its own protective provisions or (b) the Series B investors vote alongside the original investors as a single class. Entrepreneurs almost always will want a single vote for all the investors (case b), as the separate investor class protective provision vote means the company now has two classes of potential veto constituents to deal with. Normally new investors will ask for a separate vote, as their interests may diverge from those of the original investors due to different pricing, different risk profiles, and a false need for overall control. However, many experienced investors will align with the entrepreneur’s point of view of not wanting separate class votes as they do not want the potential headaches of another equity class vetoing an important company action. If your Series B investors are the same as your Series A investors, this is an irrelevant discussion, and it should be easy for everyone to default to case b. If you have new investors in the Series B, be wary of inappropriate veto rights for small investors (e.g. consent percentage required is 90% instead of a majority (50.1%), so a new investor who only owns 10.1% of the financing can effectively assert control over the protective provisions through his vote.)
Some investors feel they have enough control with their board involvement to ensure the company does not take any action contrary to their interests, and as a result will not focus on these protective provisions. During a financing, this is the typical argument used by company counsel to try to convince the VCs to back off of some or all of the protective provisions. We think this is a short-sighted approach for the investor, for as a board member, an investor designee has legal duties to work in the best interests of the company. Sometimes the interests of the company and a particular class of shareholders diverge. Therefore, there can be times whereby an individual would legally have to approve something as a board member in the best interests of the company as a whole and not have a protective provision to fall back on as a shareholder. While this dynamic does not necessarily “benefit” the entrepreneur, it’s good governance, as it functionally separates the duties of a board member from that of a shareholder, shining a clearer lens on an area of potential conflict.
While one could make the argument that protective provisions are at the core of the “trust” between a VC and entrepreneur, we think that’s a hollow and inappropriate statement. When an entrepreneur asks “don’t you trust me – why do we need these things?”, the simple answer is that it is not an issue of trust. Rather, we like to eliminate the discussion about who ultimately gets to make which decisions before we do a deal. Eliminating the ambiguity in roles, control, and rules of engagement is an important part of any financing – the protective provisions cut to the heart of some of this.
RSS and Blogging are starting to permeate mainstream media. It’s both a blessing and a curse when something makes the front cover of the major business rags. In this case, we’re still so early on the adoption curve that these major press mentions are good early indicators that RSS / Blogging is growing real roots.
CNBC’s segment is two minutes long and was at the tail end of Closing Bell a week ago. The segment was an introduction to RSS and features NewsGator / Greg Reinacker and Yahoo! / Scott Gatz.
The Fortune article – Why There’s No Escaping the Blog – is a big one full of good stuff including mentions of our companies Technorati and NewsGator. In the “best quote in the article” category, we have Steve Hayden, vice chairman of Ogilvy & Mather, saying “If you fudge or lie on a blog, you are biting the karmic weenie. The negative reaction will be so great that, whatever your intention was, it will be overwhelmed and crushed like a bug. You’re fighting with very powerful forces because it’s real people’s opinions.”
Karmic weenie – perfect – I wish I’d said that.
Fred Wilson has a great post about his decision to no longer sit on public company boards – it’s worth reading if you are either on a public company board or considering being on one.
I’m playing around with ads in my feeds. I’ve enabled the Feedburner feature to insert Amazon ads in my book feeds and Overture “context based” ads in several (but not all) of my other feeds. The ads should appear at the bottom of the feed so they should be easy to ignore if you aren’t interested in them.
I’m looking for feedback on both (a) relevance and (b) unobtrusiveness.