Sunday, July 17, 2005

My Security Anti Road Map

Bessemer has funded 16 security startups--more than any other traditional VC firm--but there are some areas of security that even we have never funded, despite the large number of these projects getting funded elsewhere. These opportunities fall into my Anti Road Map (without which I could never focus on my real road map)...

Biometrics: too expensive to deploy in large communities, and still easily defeated by slipstreamers and man-in-the-middle malware (as explained in prior posting Doomsday Hackers and Evildoing Robots). And as Bruce Schneier points out, it's easy to change your password--but what do you once your retinal scan is compromised?

Homeland Security: long sales cycle, and hard to find enough commonality across governmental bodies to build repeatable businesses.

Single Sign On: requires way too much ongoing integration to be useful. Think about the last Universal Remote Control you bought--it ends up as just one more remote control on the coffee table. (The one promising exception may be Encentuate.)

Mobile firewalls: Eventually this will emerge as a real category but enterprises won't roll this out until (i) widespread attacks cause real pain, and (ii) mobile devices converge to one or two operating systems.

Enterprise Document Rights Management: Boy, we've seen some terrific work done in this area by startups like Authentica and Alchemedia (acquired by Finjan), but Microsoft will own this space. The embarassment from leaked documents is too episodic for users to regularly define permissions, and enterprise initiatives often lose steam, yielding to more chronic pain points. Plus, the damage is too intangible to quantify, limiting price.

Innovations in Cryptography: Does it matter whether it takes one billion computers or 100 billion computers to decrpyt a key? Cryptography today is the strong link in the chain--the key is simply not a vector of attack, nor will it be any time soon.


As a scientist and a skeptic, I welcome disagreement. Hopefully I have provoked some entrepeneurs among you to convince me I am wrong, either now by posting, or later on your IPO prospectus. Indeed, there is always room on Bessemer's Anti-Portfolio for the next great Enterprise DRM company!

Saturday, July 16, 2005

Calculate Your Ethical Quotient

This just in from my partner and Harvard Business School Professor Felda Hardymon...

This test only has one question, but it's a very important one. By giving an honest answer, you will discover where you stand morally. The test features an unlikely, completely fictional situation in which you will have to make a decision. Remember that your answer needs to be honest, yet spontaneous. Please scroll down slowly and give due consideration to each line...

You are in Florida, Miami to be specific. There is chaos all around you caused by a hurricane with severe flooding. This is a flood of biblical proportions. You are a photojournalist working for a major newspaper, and you're caught in the middle of this epic disaster, The situation is nearly hopeless. You're trying to shoot career-making photos. There are houses and people swirling around you, some disappearing under the water. Nature is unleashing all of its destructive fury. Suddenly you see a man floundering in the water. He is fighting for his life, trying not to be taken down with the debris. You move closer . . . somehow the man looks familiar. You suddenly realize who it is. It's George W. Bush! At the same time you notice that the raging waters are about to take him under...forever. You have two options--you can save the life of G.W. Bush or you can shoot a dramatic Pulitzer Prize winning photo, documenting the death of one of the world's most powerful men. So here's the question, and please give an honest answer: Would you select high contrast color film, or would you go with the classic simplicity of black and white?

Thursday, July 14, 2005

Doomsday Hackers and Evildoing Robots

I can't sleep tonight because I have apocalypse on the mind, thanks to Federal judge Richard Posner's recent publication Catastrophe: Risk and Response. Posner's tale of horror would curl Stephen King's toes--except for the part about doomsday hackers and evildoing robots. I'd sooner expect Tom Cruise et al to fall prey to invading martians.

But just because hackers can't wipe out our species doesn't mean they won't do the same to my bank account. That's why I've stopped banking online...

Like prior threats to the internet (viruses destroying all data, P2P files crashing the network, worms immobilizing air travel, spam rendering email useless...), phishing will eventually decline thanks to some combination of technology, legislation, education, and prosecution. (George Stewart's novel Earth Abides, which describes the aftermath of an infection that devastates humanity, predicts the rapid rise and fall of new species infestations--an apt analogy for the scourges that come and go in the new digital wild.) But right now identity theft is in full swing, and this plague is going to take a much longer time to mitigate.

As Willie Sutton observed, the banks are where the money is, and so it's no surprise that ID thieves bring a lot more patience and resource to bear than their evildoing predecessors have. Further, the banks have ignorantly succumbed to 3 myths that render them incapable of solving the problem. Only after dollar losses reach the billions will these superstitions yield to reason:

Myth 1: User education is the key to solving the phishing problem.

What a convenient way to (literally) pass the buck: blame ID theft on users, because they clicked on something naughty. This myth stems from the most rudimentary understanding of primitive phishing attacks. Even sophisticated computer users have no way of knowing that, for example, their ISP's DNS stack has been compromised by a pharming attack, or that a credit agency employee lost her laptop with their credentials on it, or that an unreported Windows vulnerability has allowed malware to redirect their browsers or capture their keystrokes. Most new attacks no longer exploit user naivete, and you can bet that once "education" prevails, all the attacks will move that way.

Myth 2: We need smart cards and biometrics instead of passwords.

Smart cards and biometrics may solve some problems, but NOT THIS ONE. Phishing is essentially a man-in-the-middle attack, in which the thief pretends to be your bank as well as the bank's customer. The "man in the middle" can capture your biometrics just as easily as your password. If the banks deploy SecurID cards, you can bet that the phishers will simply log into the bank while the SecurID code is still valid. Simply put, any authentication that utilizes the computer can be compromised by malware.

That's why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. (Spy agencies have known this a long time--if you want to authenticate someone, call on a different phone line.) Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction ("This is Wells Fargo--please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast"). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it's secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).

Myth 3: Banks need to deploy strong authentication at the login so that only trusted individuals enter the bank.

The login is the wrong step to focus on. Most logins do not lead to worrisome transactions. It's the withdrawals and transfers that require close scrutiny. Why not simply frisk people at the door of the bank branch, and those who pass can fetch their own money without the inconvenience of security? Security dollars are much better spent on regulating traffic around the cash itself, not around the lobby.

The best security works through escalated response--identify the high risk actions and focus your attention on them (if you've ever flown El Al Airlines, you know that profiling works). Escalated response includes increasingly difficult challenge and response questions, followed by 2-channel authentication. Settle for passwords at the login, but when money (or stock, or real estate...) is changing hands, escalate. When something anomalous is happenning (e.g. $100,000 transfer after 3 years of $1,000 transfers), escalate further. When one of the IP addresses looks Latvian, escalate. Note also that escalated response is cheaper to implement and less inconvenient for customers.

If you still believe any of the three myths, consider the slipstreaming attack, an old fashioned technique of following someone else into a door with controlled access. Slipstreaming malware exists today that waits for you to login, and then passes your session over to the thief. You can educate, and use all the retina scans you want at login, but slipstreamers will still get the money. That's why we need more than strong authentication--we need strong authorization on every transaction.

I don't really believe that billions of dollars will be stolen, but as Cyota CEO (and Israeli Army Commander) Naftali Bennett observed: in the past 18 months people have already stopped responding to banks' emails as a result of phishing; as losses mount over the next 18 months, users will stop banking online. After all these years of banks building low cost online businesses, the reversion to branch and telephone banking will cost the industry billions.

Unlike Richard "Chicken Little" Posner, I don't really think the sky is falling. But common sense tells me that banks can protect my money only by combining escalated response with 2-channel authorization. Until that happens, I'm using the ATM.

Wednesday, July 13, 2005

Too Many Security Startups?

The night I closed our investment in my 12th data security deal, Cyota, my wife Nathalie took me to see the Bourne Supremacy in Mountain View. On the way, she asked why I seem to keep investing in what sounds like the same company over and over. That's a fair question, and one that many people ask about the VC industry in general.

As we approached the theater, I tried to think of how to explain the fluid nature of the data security threat. Walking in (thanks to Fandango we righteously bypassed the long lines of teenagers), I noticed that the theater had just implemented its own security program to mitigate Movie View Theft by patrons who would watch a second film without paying. Instead of collecting tickets at the front door, tickets were now collected at the two hallways off the lobby, to where customers were ushered out as each film ended. No ticket, no second movie.

So I said: watch this. I stood by the front door, waited for a lull in traffic, and then nonchalantly proferred my hand toward the next approaching bevy of teenagers. "Tickets" I murmured.

Once the first victim handed me his ticket, the rest were cake. Tickets accumulated in my hand as my victims jabbered on about football games and SAT prep. I collected half a dozen and stopped. A good 5 minutes passed before they wafted over to the hallway, encountering another ticket stand (by then I could have sold the tickets to folks standing in line). Another 2 minutes passed as they tried to figure out which of them had the tickets! As it dawned on them that they had been phished, I returned their assets (and thankfully they didn't kick mine).

Security systems are not like computers or network switches, which improve over time and asymptotically approach perfection. To quote Justin Label, security is a Man v. Man problem, not Man v. Nature. Creative and motivated thieves respond to every new security system with a workaround, and so the best we can ever hope to do with the safety of our computer networks is tread water.

That's why we will always need more startups--hungry, brilliant teams that innovate new defenses against phish, pharm, spim, spam, malware, keystroke logs, worms, slipstreamers, spoofs, bitlets and packetflies (ok, I just made up those last two).

I'm not saying that enterprises like to buy stuff from itty bitty startups. Of course they prefer Integrated Suites deployed on Unified Appliances with Management Consoles and Event Correllation, all packaged up in nice yellow boxes from big companies with beefy, publicly funded balance sheets. And if the suite doesn't stand up to new attacks, other enterprises will suffer downtime too, providing an excuse that promises the buyer some hope of job security. Think of wildebeasts, who survive by sticking to the middle of the herd.

But yesterday's security suite can never withstand today's attacks, and so the suites need a constant injection of startup-style innovation. The big acquisitions that characterized data security for the last 2 years (Neoteris, Riptech, Recourse, Pedastal, Netsec, Entercept, Okena, Intruvert...) do not signal a phase of consolidation (as widely reported); the M&A trend, rather, is a fixture of the new ecosystem.

And so Bessemer continues to launch new companies in partnership with the industry's best and brightest minds in data security, like Dan Farmer (Elemental), Bruce Schneier (Counterpane), MIT Professor Ron Rivest (VeriSign), MIT Professor Saman Amarasinghe (Determina), Paul Mockapetris (Nominum), Mark Maiffret (eEye), Gene Spafford and Gene Kim (Tripwire).

It was right after I affirmed this final proclamation that Nathalie kissed me on the cheek and said: Shut up, now, the movie's starting.

Tuesday, July 12, 2005

My Two Favorite Gadgets

Let me just come out and admit that I carry a purse. ("Come out" may have been the wrong choice of words.) No, I don't have matching shoes, and no, you can't borrow my lipstick. ("Ho, ho, ho--I never heard that one before!") Of all the gadgets I have tried, none has changed my life so much for the better than this old black camera bag that I now sport wherever I go.

In pre-purse days, I would end every meeting, movie, and meal with The Dance, patting myself down as I ran through the checklist--keys, wallet, blackberry, camera, phone, receipts--and still inevitably leave a trail of belongings sprinkled behind me. But now that I carry a purse, I no longer (publicly) pat myself down or trace back my steps in search of my wallet. Every morning when I dress, every moment I move around, my chachkes are present and accounted for in my precious sack. Truly, it's technology that works.

At least half of you already know how to use a purse. For the rest of you, if you're man enough to brave the stigma here are some tips:

1. Old camera cases work best -- they are free, slightly masculine, padded, and equipped with strap.
2. Get one with Velcro! It's the quickest way to extract and deposit, without risking leakage.
3. When your beer-bellied pals ask "What is THAT??" just look them in the eye as tell them it's your purse. ("Man bag", "camera case", or other diversions will only encourage the snickers.)
4. Label your new purse with name and telephone in the unlikely event of total loss. I recommend the P-Touch Label Printer, my second favorite gadget!

Monday, July 11, 2005

Thank You Henry Phipps!

In 1890-something Henry started up a company with his friend Andy. In 1902 Hank and Andy sold their startup, Carnegie Steel, to JP Morgan, and Hank pocketed $50 million, which was, back then, the equivalent of approximately three gazillion Euros today. Henry decided to save it for his kids...and grand-kids, and great grand-kids, and great-great-great grand-kids. So he creates Bessemer Securities Corp. as a vehicle for boldly investing his family's billion nickels back into other startups like WR Grace and Ingersoll Rand, thereby kicking off Amercia's favorite pastime, Venture Capital.

Fast forward a century, and somehow the family fortune is managed in part by Bessemer Venture Partners--for the most part, a nerdy crew of Jews and Indians who never stepped foot in a good old fashioned steel mill. (As if, my imaginary reader, you have?) Nonetheless, here we are, entrusted with a legacy, trying our damnedest to sustain our predecessors' long track record of innovation, intellectual leadership, and dumb luck.

This is the blog of one fortunate shlub who is paid to ruminate on the future and charged with a budget to back up his dreams.

Thank you Henry Phipps!