Blood Sport – Securities & Security

16 August 2008

In an act of astonishing cunning - or astonishing vengeance - yesterday Cadence announced at 12:39 PM ET that they're withdrawing their offer to purchase Mentor Graphics. The press release cited Mentor's unwillingness to cooperate or communicate about the offer. Clearly caught unawares, Mentor countered with their own press release two hours later saying the Cadence announcement was “inconsistent” with what Mentor had heard to date, and that Mentor was working to protect shareholder value.

Too late.

In the 2 short hours following the Cadence announcement, MENT fell an astounding 25% while CDNS went up 10%. (Silly, shortsighted CDNS shareholders never did embrace the CDNS-uber-MENT deal.) By closing bell, MENT was down over 26% to $10.33 a share, and CDNS was up 7% on the day, closing at $7.64.

So, let's do some hypothetical math here. As of their July 23rd earnings call with The Street, CDNS management announced that they had purchased 4.7% of MENT, or 4.3 million shares. Let's say CDNS paid $16 a share, per their public offer in June, for that 4.7% stake in MENT. By closing bell yesterday, CDNS potentially lost $16 minus $10.33 times 4.3 million, or $24+ million dollars. That's almost 5x over their 2Q'08 net income. Wow.

Of course, they gained on the uptick in CDNS. Oh happy day.

For heaven's sakes, you're probably saying, this is just paper money and these calculations have no basis in reality. Cadence probably bought many of those MENT shares prior to their public offer, and hence paid less than $16/share. Besides, you're probably saying, this is just business. Nobody's actually 'won' or 'lost' anything here. And it's neither an act of 'cunning' nor 'vengeance' to give up and walk away from a deal that just ain't happening.

You know, quite honestly, my instincts say otherwise. Next Wednesday, less than 72 hours after this newsletter is posted, Wally Rhines will stand up in front of The Street to discuss his company's most recent quarterly earnings. What do you think? You think that call's going to go well? You think it's going to go as smoothly, say, as Mike Fister's meeting with The Street on July 23rd? You think Rhines' upcoming date with destiny had any particular influence on the day and time chosen for yesterday's announcement from Cadence? No? Are you daft?

This whole stupid mess mystifies me. Sorry, Adolph - I know you've assured me that it's just “business as usual.” Sorry, Lou - I know you've assured us all that there “is nothing personal” about the CDNS-uber-MENT attempt, but I'm unconvinced. I remain mystified because I know some of the people at Cadence.

The last time I spoke at length with Mike Fister was at a bowling alley in Silicon Valley where he was hosting Stars and Strikes and raising mega-funds for local charities. The last time I spoke at length with Alberto Sangiovanni-Vincentelli, Ellen Sentovich, and Nancy Szymanski , we were chatting over cappuccinos in Alberto's gracious home in the Berkeley hills talking about technology and education. The last time I spoke at length with Andreas Kuhlmann, he was in his office overlooking the Golden Gate Bridge, waxing poetic about the intellectual stimulation and opportunities for innovation at the Cadence Berkeley Labs. I've attended team dinners with Bill Porter at the local high school where his son and my son ran cross-country together. Ted Vucurevich always has a grin as wide as the world when he's rocking away with his band. Roger Siboni gave the toast at my sister's wedding.

I want to believe these are real people. They certainly seem decent enough in person.

But do they all really think this is normal corporate behavior? That it's a good day's work for a good day's pay to crush the life out of a fellow company in the industry? To humiliate a company by publicly revealing their rejecting a private acquisition offer? To destroy the stock valuation of a company by issuing a devastating press release just prior to the close of trading for the week, just in time for everybody who holds MENT to have a long weekend to think it over and put in their sell orders in advance of Monday's opening bell? To guarantee that Wally Rhines will have the roughest moment of his life next Wednesday at 8 AM ET?

I just can't understand it. Do these people that I've met over the years run their private lives this way, taking every opportunity to annihilate the spirit and optimism out of the folks around them?

Oh, that's right. Again, I forgot. There's “nothing personal” here. It's just “business as usual.”

The business of EDA … a blood sport we can all be proud of.

****************************

Predicating the Future …

* Why TSMC should buy Cadence

It's easy to site numerous motives that TSMC might have for buying Cadence. [more]

* Death of EDA as an Independent Industry

The glory days of EDA as an independent industry will be over quite soon. [more]

****************************

Blood Sport - Security

You've got data and you want to secure it, so people without proper authorization can't get to it. That data could be a DVD, or an Internet broadcast, or financial data, or medical records, or a digital design. In order to secure that data, you need both a scheme for encrypting the data and a strategy for creating and protecting a key that allows only the authorized to decrypt that data. These days, the challenge is not so much in the encryption as in distributing and retaining keys in a secure manner.

Many believe keys shouldn't be executed in software, because software is always ultimately hackable. However, you also can't guarantee the integrity of keys executed in hardware if the hardware platform is vulnerable. So, what to do? Working together, Kilopass and Certicom say they've come up with a strategy that guarantees the integrity of keys executed in hardware, something that I talked to them about recently by phone.

Ours was a confusing conversation, because the topic's as convoluted as EDA. Just remember -it's not about the data or the encryption of the data. It's about the keys that decrypt the data that's been encrypted, using either industry-standard or proprietary security schemes.

Craig Rawlings is director of marketing at Kilopass and Brian Neill is product manager at Certicom.

****************************

Peggy Aycinena - So digital security is a problem.

Craig Rawlings - Digital security about protecting your identify, your money, or whatever you hold dear. You can say security is crap. You can say, I don't like it because it makes my life less interesting. A lot of people don't have to like experience of dealing with security, but money, credit card information - that's the stuff that's real world. People do care about that.

Brian Neill - You absolutely have to make sure an electronic product is robust from a security point of view, both when the product is in the field and when it's being manufactured. In order for somebody like Sony to produce a Blue-ray DVD, for instance, they have to have assurance from the manufacturer that the DVD won't show up on the Internet. Content protection standards make sure that the makers of the devices and consumer electronics can't make copies of them.

Craig Rawlings - Security's important to a ton of people. Everybody from the people who make TV's to the people who make chips. Look at the 40 million credit cards stolen from Barnes and Noble, TJ Maxx, etc., folks who didn't have sufficient wireless security for data going out into the air. What we've seen [as a result of this type of thing] is a growing interest in standards being formed, standards for putting security into the physical layer in the silicon.

Some standards have robust security built in, which protect third-party multi-media - things like HDMI [high-definition multimedia interface]. WiMax also has a security scheme similar HDMI for building security requirements into the hardware, and Blue-ray as well. All of these things take security very seriously at the silicon layer, because that's where you need to store sensitive information that's fundamental to how the system works.

Brian Neill - A lot of security standards have licensing bodies or are proprietary. HDCP [High-bandwidth Digital Content Protection] is licensed by Intel, for instance. When you license a technology - say HDCP or AACS [Advanced Access Content System] for Blue-ray - the licenses say data will be secure, both in the field and while the device is being manufactured.

But it's pretty common knowledge that when you're using subcontractors in Asia for manufacturing, those subcontractors haven't signed the license, so it's up to you to make sure your subcontractors are complying. Or, it's up to us here at Certicom [working on behalf of our customers] to be sure that all levels of security are being honored.

Peggy Aycinena - Clearly, there's a lot of motivation and market pressure to get these security issues under control. What are you guys contributing?

Craig Rawlings - Kilopass provides secure storage in the chip in the silicon layers, in the physical layers.

Brian Neill - And Certicom's role is to get that secure information into the chip during manufacturing at the factory.

Craig Rawlings - We call this front-to-back security. The front-end from design, and the back-end from manufacturing. Our two companies are joining forces as strategic partners to set the stage for what we're about to tackle.

Peggy Aycinena - I'm lost again. What data are we securing here?

Craig Rawlings - We have all these sophisticated locks, encryption schemes that provide an incredible lock. The problem is, you can have the greatest lock on the front of the house and still have to leave the key somewhere. In our case, these keys are stored in non-volatile memory, [which is retained even] if the power's taken away.

In the past, that's been a hard drive, or masked ROM, or a data stick. These traditional non-volatile memory technologies are relatively low cost, but they're not physically secure. In a hard drive, for instance, you can scan it magnetically to get the information off of it. Attackers are very sophisticated these days and have figured out how to go for the key first. Then, everything else in the security scheme falls apart.

Peggy Aycinena - So we're talking about securing the key? Craig Rawlings - Yes, we're specifically talking about the storage of encryption keys for protecting media that's distributed through the HDMI interface, the standard for communicating or distributing information between different types of multi-media equipment.

Kilopass has a high-density NV memory technology that's built into standard logic CMOS. You don't need to store the key information in an external device in this case, because it's built into the physical layer during the manufacturing process. High-density memory keeps the costs down in terms of die area, and therefore makes a great storage facility for the key.

Our technology is based on an anti-fuse, where we're actually hiding the key information amidst the atoms of silicon. It's like looking for a needle in a haystack to find the key, unless you know where to look, because it's based on randomness. This makes the memory, and the key stored there, very secure from all types of attacks - passive attacks, semi-invasive attacks, and invasive attacks.

Peggy Aycinena - Can you define those categories of attack?

Craig Rawlings - Passive attacks are done electrically without looking inside the chip. You can determine what's in there by giving stimulus to the device and seeing how it responds.

Semi-invasive attacks may involve doing things environmentally or through modest physical attacks -breaking the device open and looking at it under a microscope to see what's in there.

Invasive attacks are deep attacks. Some people use microprobes. They can even attach a wire inside of the chip, but they have to have a big budget for the very fine equipment needed to do that. Basically everything's hackable.

Peggy Aycinena - And everybody has a price, which really guarantees that everything's eventually hackable, even hardware.

Craig Rawlings - Yes, everybody has a price. But we want [to set the price very high], to force them to have a lot a money and a lot of resources [to do this work]. We don't want to have to worry about some teenager in Sweden breaking into a standard that protects data.

Peggy Aycinena - Couldn't you just hire those Swedish teenagers?

Brian Neill - Maybe, but they'd need a business plan. [Laughing]

Craig Rawlings - Or, we could force things down into the silicon layer where it's a lot harder to attack, so no kids or adults will be successful at breaking the standard. Also, if it requires somebody with a Ph.D. to understand the technology, [we're in better shape from a security point of view].

Peggy Aycinena - I'm not sure all hackers are really unethical. Maybe they just see it as a challenge, a puzzle to be solved.

Craig Rawlings - Yeah, a lot of teenagers are probably just mischievous, but we're not just looking at key storage as an application for the Kilopass technology. We're also looking at design IP protection. We live in a very global marketplace, IP protection is not equal across all borders, and legal protections aren't as compelling as they used t be. We all know that if you don't protect innovation - which is what IP is all about - innovation comes to a screeching halt.

Peggy Aycinena - How did you guys find each other?

Brian Neill - We were both looking on Google for something like the other guy had. When we saw that our two products are distinct, but co-exist, we asked - why not tie our two products together more closely. That's the genesis of our partnership.

Peggy Aycinena - Brian, what does Certicom contribute to the partnership?

Brian Neill - At Certicom, we see our product as an add-on to Kilopass memories, an add-on that allows the memory to be programmed natively by a Certicom key-inject system at post-package test. Not only do we stick appliances on the test floor to do this work [at the manufacturing site], we also offer software that takes keys for different standards and injects them into the device.

Basically, you have to decrypt the key before you put it into the chip, so you have this security gap at the tester. With our tools, we keep keys protected all the way to the chips. There really isn't any technology on the market right now that competes with that.

So, from Certicom's point of view, we get and protect the secret data that people sign away their life for. You might purchase a set of a million keys, for instance, then put each of those keys into a million devices, so everything's unique.

Peggy Aycinena - Craig, the Kilopass contribution?

Craig Rawlings - When the key is stored in the chip, we make it much harder for that key to be exposed. That information's much more secure inside the chip.

Peggy Aycinena - So again, why can't security be handled in the software?

Craig Rawlings - Brian actually does do some software security.

Brian Neill - We do have products in software, using general-purpose platforms. We configure those general-purpose platforms using COT components to do what you have to do. That's great for word processors, but we've had 2 decades of software with people trying to do security in software, and we always find that you need to obfuscate things to hide the cryptographic keys. You have to keep the key in memory or in special tokens or other portable hardware, or do it by putting the key into the chip itself.

Look at banking standards. They have ATM cards with smart chips, but the logistics for setting up a system like that are very onerous. Similarly, if you have a DVD and you have to have a smart card to get the content, then you have to set up a 24x7 call center [to initiate the process], which is a big, big hassle.

So, yes - a lot of the security can be done in software, but you can speed the whole thing up by doing it in the hardware. Now we're seeing is people burying the key right in the ASIC and the chipsets, and using products like Certicom to get it to the manufacturing facility.

Peggy Aycinena - I'm wondering if you guys could help solve the piracy problem in EDA?

Craig Rawlings - Actually, at one point Intel was going to put a unique ID on every processor, but then a kind of Big Brother backlash happened, so they quietly killed the program.

Peggy Aycinena - But some things in technology start, then die, and then come back for a second round. So why couldn't my processor read my fingerprint or my eye contour to recognize that I'm the one with the right to use the software?

Brian Neill - That's the future of biometrics.

Craig Rawlings - Yeah, and if every machine had a unique ID then you could attach each EDA license to a unique fingerprint, but you'd still need to store that fingerprint info.

Peggy Aycinena - So, I'm guessing there's more to come from your partnership.

Brian Neill - Absolutely. Our relationship effects more than straight security. We're enhancing the usability of our products, the type of technology we both have. We're adding great value - it's more than just storing encryption. There's a big future here.

You can find the full EDACafe.com event calendar here.

To read more news, click here.

-- Peggy Aycinena, EDACafe.com Contributing Editor.