Tuesday, June 30, 2015

The Imitation Game (or, Why I Invested in Distil Networks)

In 1950, the journal Mind published Alan Turing’s seminal paper, Computing Machinery and Intelligence, in which he proposed a behavioral definition of artificial intelligence. After all, if a machine can demonstrate intelligence, how can it not be said to possess intelligence? Turing’s test challenged computer scientists to create a thinking machine that, through conversation, could fool a person into believing that it, too, is human; Turing’s challenge continues to drive AI researchers today.

With the proliferation of computers in modern life, the prospect of identifying thoughtful machinery takes on more than just theoretical or philosophical interest. Back in Turing’s day, a thinking machine connected only to a “teleprinter” (as Turing envisioned) would have lived a lonely life, but today there are billions of people online with whom to converse, promising profound implications for society. For example, we increasingly find the machines who answer customer service calls to be more productive and thoughtful than human agents.

Machines who demonstrate intelligence can communicate not only with people, but also with other machines designed to communicate with people – specifically, over 100 million web servers that invite human visitors to browse, learn, chat, transact, and share and with them. If a machine can demonstrate human intelligence in the eyes of a human judge, then no doubt it can win over these other machines on the internet, who are naturally less skilled at spotting other humans.

Or are they? If, say, the human judge in a Turing test can distinguish the smartest machines from humans with 60% accuracy, how well could a machine do at judging them? I call this the Turing Judge Test, a corollary to Turing’s Test that marks a subsequent milestone in the development of AI. If a machine conversing with other parties can outperform the human judges in identifying the machines, that right there’s some mighty good thinking.

With the benefits of shared learning and infinite storage, machines only get smarter over time, and so it seems inevitable that they will eventually pass the Turing Judge Test. On the other hand, as artificial judges get smarter, so do the artificial contestants. Even when machines do pass Turing tests with flying colors, how can they ever out-think other best-in-class machines? Or is there a way of distilling human intelligence into a single line of questioning that distinguishes silicon from gray matter?

Such a distillation would have more than theoretical value – indeed, it’s arguably critical for the safety of any information society. This is not just a theory – machines are already smart enough that they account for most web traffic, successfully posing as human visitors to perpetuate fraud on the government and business web servers they talk to. That’s why many sites use Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs).

But CAPTCHAs create a nuisance for users and an outright obstacle for some disabled users; even worse, they can now be defeated in various ways – in other words CAPTCHA servers are machines who once passed the Turing Judge Test, but only until the machines they judge got smarter!

As a result, malicious bots wreak havoc on the web, perpetuating data theft, account hijacking, application DDoS attacks, form spam, click fraud, and any other naughty action they can scale up through tireless automation.

And that’s why I just invested in, and joined the board of, Distil Networks. Distil is run by a world class team of machine learning experts whose thinking machines can now distinguish other machines from people with over 99% accuracy. Staples, AOL, Dow Jones, StubHub and many others depend upon Distil’s cloud-based service to immediately eliminate entire classes of attack (and free up all the infrastructure they ran to serve the whims of robotic imposters). The Turing Judge Test has a winner!

At least for now.

Thursday, January 22, 2015

Security for Startups: A 10-Step Affordable Plan to Survival in Cyberspace

This post originally appeared in TechCrunch.

In the past two years, cyberspace has clearly changed in ways that threaten every online business, big or small. Startups now use the cloud infrastructure that mature companies do, and quickly aggregate large, juicy caches of private user data and payment credentials. As malware infestations scale to scour the “long tail” of targets, they don’t discriminate between the Fortune 50 and the TechCrunch 50.
In fact, some increasingly common attacks — like DDoS extortion — specifically target smaller, more vulnerable businesses, whose loose cowboy cultures, shallow security expertise, fragile infrastructure and fresh capital make for easy pickings.
Jeremy Grant at NIST reports “a relatively sharp increase in hackers and adversaries targeting small businesses.” According to a recent survey, 20 percent of small businesses in Canada reported cyber losses last year. Who knows how many more fell victim and just don’t know it?
“Startups are incredibly vulnerable to cyber attacks in their first 18 months. If a business thinks that it’s too small to matter to cybercriminals, then it’s fooling itself with a false sense of security.” – Brian Burch, Symantec (CNN)

For many attacks—API disruption, marketplace fraud, IP theft—the smaller the target, the greater the damage. Startups often lose a year or more when targeted by identity thieves, nation-states, hacktivists, competitors, disgruntled employees, IP thieves, fraudsters or Bitcoin miners. Evernote, Meetup, Feedly, Vimeo, BaseCamp, Shutterstock, MailChimp and Bit.ly all fell victim to extortion rackets, and Code Spaces shut downaltogether. “When our API collapsed under a DDoS attack, we experienced more customer churn in that one day than we had in the entire two years since our launch,” recalled one CEO.
StubhubUber, and Tinder struggle to battle fraud in their marketplaces. Uber employees themselves were caught defrauding competitor Gett. EvernoteBit.ly,FormspringDropboxCupid MediaZendesk, SnapchatClinkleMeetMeLastPass (a password security company!) and many others have had to tell users they lost their passwords or payment credentials to hackers. Cyber thieves stole $5 million worth of Bitcoins from Bitstamp, and destroyed Mt. Gox and Flexcoin. Hackers exposed the content and identities of Yik Yak accounts. The CEOs of HB GarySnapchat and many other startups have been vilified following the theft and publication of embarrassing emails. Google routinely blacklists websites for weeks due to malware. Appstudio,SendGridHB Gary and others have been defaced or even permanently shut down by anti-Western hacktivists for political reasons. For OnlyHonest.com, the damage appears to have been fatal.
And even if your startup beats the odds and survives its infancy without a serious incident, playing catch up later will cost many times more in time, money, reputation and distraction as you change architectures, re-writing code, moving infrastructure, re-imaging laptops, migrating email, and replacing billing systems.
But until your startup can afford a CISO, how do you protect your mission, IP, brand, assets, employees, and capital from cyber threats? For startups with limited resources and intense focus, what’s the right measured response to these threats?
To help our portfolio companies answer these questions, I surveyed Silicon Valley startups to understand their regrets and successes in mitigating cyber losses. I interviewed technical founders, Engineering VPs, CTOs and CISOs to hear what measures they wish they’d taken sooner, or in some cases, later. I also tapped security gurus like Dan Farmer (author, inventor of SATAN), Barrett Lyon (anti-DDoS warrior, hero of Fatal System Error), and Richard Clarke (author, top cyber intelligence officer in the White House and State Department).
I learned that adopting strong security practices is much easier to do when a company is young, while they still enjoy a small attack surface and a manageable number of devices to track. I was encouraged to hear that some basic, affordable practices – both technical and cultural – can mitigate the greatest risks to startups, positioning them well to develop a strong cyber posture as they grow.
So I now advise founders to download and consider these recommendations from Day One, and review the team’s progress quarterly. A secure organization starts at the top with the CEO, but demands a team effort. Whether you’re in a leadership position in finance, engineering, operations or finance, or simply in a position to influence those who are, following this 10-step plan could potentially save your venture.

Cyber security will remain unsolved for as long as people compete for resources on a planet with digital assets. We face this challenge together, so as you read, please think about what may be missing, and share your feedback. As a VC, I share the entrepreneur’s goal – to minimize the distraction of cyber threats so each startup can focus on its mission. Keep in mind that if you want your venture to make a dent in the world, you can’t let hackers make a dent in you.