Sunday, July 17, 2005

My Security Anti Road Map

Bessemer has funded 16 security startups--more than any other traditional VC firm--but there are some areas of security that even we have never funded, despite the large number of these projects getting funded elsewhere. These opportunities fall into my Anti Road Map (without which I could never focus on my real road map)...

Biometrics: too expensive to deploy in large communities, and still easily defeated by slipstreamers and man-in-the-middle malware (as explained in prior posting Doomsday Hackers and Evildoing Robots). And as Bruce Schneier points out, it's easy to change your password--but what do you do once your retinal scan is compromised?

Homeland Security: long sales cycle, and hard to find enough commonality across governmental bodies to build repeatable businesses.

Single Sign On: requires way too much ongoing integration to be useful. Think about the last Universal Remote Control you bought--it ends up as just one more remote control on the coffee table. (The one promising exception may be Encentuate.)

Mobile firewalls: Eventually this will emerge as a real category but enterprises won't roll this out until (i) widespread attacks cause real pain, and (ii) mobile devices converge to one or two operating systems.

Enterprise Document Rights Management: Boy, we've seen some terrific work done in this area by startups like Authentica and Alchemedia (acquired by Finjan), but Microsoft will own this space. The embarrassment from leaked documents is too episodic for users to regularly define permissions, and enterprise initiatives often lose steam, yielding to more chronic pain points. Plus, the damage is too intangible to quantify, limiting price.

Innovations in Cryptography: Does it matter whether it takes one billion computers or 100 billion computers to decrypt a key? Cryptography today is the strong link in the chain--the key is simply not a vector of attack, nor will it be any time soon.


As a scientist and a skeptic, I welcome disagreement. Hopefully I have provoked some entrepreneurs among you to convince me I am wrong, either now by posting, or later on your IPO prospectus. Indeed, there is always room on Bessemer's Anti-Portfolio for the next great Enterprise DRM company!


  1. Hey there. Adam S. suggested that I look over your blog. And there's lots to comment on...

    First, I think that you're wrong about Biometrics. Well, your conclusion is right, but for the wrong reasons. It's not that it is too expensive to deploy into large communities, it's that it's impossible to deploy in large communities because there are many individuals who simply cannot enroll in any given biometric. This is called Failure To Enroll (FTE). For example, you might have had your fingers cut off, so you can't be fingerprinted. (A few years ago, I wrote about some Asian women in Seattle who couldn't get US Citizenship because the FBI couldn't capture their fingerprints.) Biometrics are inherently anti-democratic.

    Bruce Schneier's comment that you only have one biometric---what do you do when your retina scan is compromised---is wrong on several counts. It's irrelevant if a biometric is compromised, because biometrics are simply not secure unless they are captured with trusted hardware. Otherwise they are susceptible to replay attacks, man-in-the-middle attacks, etc., as you correctly write. More problematical, the comment confused identification with authentication. And then, as a little nit, retinal scans really aren't used anymore---the technology is very 1970s/1980s---because of probable retinal damage from repeated scans, because it uses lasers, and because retinal scans are not stable over time. (In particular, pregnant women have changes in their retinal vascularization as a result of pregnancy.)

    Anyway, as an aside, I've been wanting to make your acquaintance. So hello!

    More later.

  2. Simson,

    Nice to meet you.

    Interesting point on FTE. Yes, biometric authentication (not ID) does work well on trusted hardware, but to defeat man-in-the-middle attacks, I think that such hardware would have to include cryptographic capabilities with hard-wired keys, precluding the possibility for a standard reader that any bank or e-commerce vendor can use (unless the reader is expanded to the point where it costs more than the PC itself).

    Turns out that there is in fact a biometric reader that is already universally deployed, and runs outside the reach of malware--the telephone. If banks implement 2-channel authentication, they can incorporate voice recognition in the process as added authentication. For example: "To authorize the after-hours sale of 10,000 Microsoft shares from your account, for a limit price of $23 per share, say the code presented to you on your computer screen." 2-channel authentication is essentially a poor man's biometric on trusted hardware!

  3. This is a neat little ultra-lightweight bottoms-up Single Sign On solution (wait til the end of the screencast to see the cool greasemonkey integration).

  4. Several years ago, I did some research for the US Army regarding biometrics...specifically, thumbprint scanners that users could use to log into their PCs. These things were marketed as "security through convenience" devices, and in one case, the ROI was specifically stated as helpdesk hours that were no longer spent on resetting passwords.

    However, not only could you subvert these things with a gummi bear (I kid you not), but the systems were NOT protected from network-based could still access the system with something as simple as the 'net use' command (a la Windows).

    H. Carvey
    "Windows Forensics and Incident Recovery"

  5. I agree with all the list. Problem is, I'd probably want to put the (positive) Road Map on there as well :)

    The big failing which I see is that in security, there is a lack of scientific connect from device to need. In the absence of a cohesive way to demonstrate a need in theory, there needs to be a practical demonstration of the need: which means that there should be an application.

    In essence, security is application-driven in today's world. (Skipping whether this is a good thing or a bad thing.) What then are the applications? Only DRM in your list had any hint of application.
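
The 2-channel authentication flow described in comment 2 above, sketched as an added example (not code from the post or from any commenter): the bank shows a one-time code in the browser, then reads the order back over the phone from its own record and accepts the code only there. The class name, the 120-second lifetime and the 3-attempt limit are assumptions made for illustration, and speaker verification of the caller's voice is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed validity window for the on-screen code
MAX_ATTEMPTS = 3        # assumed limit on spoken-code attempts


def _digest(code):
    # Hash first so compare_digest always sees equal-length bytes.
    return hashlib.sha256(code.encode()).digest()


class TwoChannelAuthorizer:
    """Hypothetical bank-side state: one pending order per transaction id."""

    def __init__(self):
        self._pending = {}

    def start(self, txn_id, details, now=None):
        """Web channel: record the order and return the code shown on screen."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {"details": details, "code": _digest(code),
                                 "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def phone_prompt(self, txn_id):
        """Phone channel: read back the order as the server recorded it, so an
        order altered on the PC is heard by the customer before approval."""
        details = self._pending[txn_id]["details"]
        return f"To authorize {details}, say the code on your computer screen."

    def confirm(self, txn_id, spoken_code, now=None):
        """Phone channel: the code is single-use, time-limited, attempt-limited."""
        now = time.time() if now is None else now
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        entry["attempts"] += 1
        if now > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]  # expired or too many tries: cancel order
            return False
        if hmac.compare_digest(_digest(spoken_code), entry["code"]):
            del self._pending[txn_id]  # consume the code on success
            return True
        return False
```
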