2016-09-13T10:36:33.428-07:00

Today, Claroty came out of stealth, announcing a Series A financing led by Bessemer. $32 million is a lot for a Series A, but this is an important company for our nation and our planet. To explain why, I thought I'd share this excerpt from our internal investment memo.

EXCERPT from APRIL 2016:

The Need for Industrial Security

The physical infrastructure of modern civilization runs on machinery: traffic lights, railroad switches, nuclear reactors, water treatment, electricity distribution, dams, ship engines, drawbridges, oil rigs, hospitals, gas pipelines, and factories depend upon mechanical elements such as pressure valves, turbines, motors, and pumps. These actuators (like the ones in the original Bessemer steel smelting process) were once manually configured, but today these machines are controlled by software running on directly attached, single-purpose computers known as Programmable Logic Controllers (PLCs). PLCs, in turn, are connected in aggregate to computers running Human Management Interfaces (HMIs) through closed, vendor-proprietary Supervisory Control & Data Acquisition (SCADA) protocols like DNP3 and Profibus. Industrial manufacturers provide the machines, the PLCs, and the HMIs, and so Operations Technology (OT) teams typically need to use a mix of controllers and interfaces. Collectively, this is known as an Industrial Control System (ICS).

During the PC revolution, many of these ICS components migrated to cheap, standard PCs, and their SCADA connections migrated to LAN switches and routers that leveraged the connectivity of those PCs' standard Ethernet ports. The security implications were relatively minor until the Internet came along; but now, if any computer in the building is connected to the Internet, all the machines are potentially exposed.

ICS security had once depended upon an air gap between IT and OT networks, and where absolutely necessary, devices like one-way data diodes were used to send data out of the OT network to the outside world. However, trends like remote management, cloud, IoT, and the adoption of open standards are eroding that network segmentation and creating new attack vectors.

The threat of ICS attacks is very different from the threats plaguing other computer networks. First, there is little valuable data to steal from a PLC (with the theoretical exception of pharmaceuticals), and yet the consequences of an attack are potentially catastrophic; the worst doomsday scenarios of cyber warfare arise from compromised machinery such as gas relays, dams, reactors, and water treatment facilities that can kill millions of people when they malfunction. To get a taste of the kind of damage we're talking about, watch this video from 2007, in which members of the Idaho National Laboratory hacked some of its own machinery.

Second, the fear of unexpected downtime also makes OT teams less willing to experiment with new hardware and software updates. These factors create an environment of older computers running older software that is never patched despite the accumulation of known vulnerabilities.

Finally, OT teams will not run encryption or conventional cybersecurity software on their computers, lest the security processes interfere with the precise and fragile timing of their network; they would rather be infected than incur downtime.

And evidence of infections is mounting:

• The Stuxnet worm, allegedly developed jointly by the NSA and the Israeli Army's intelligence arm (Unit 8200), crippled the Iranian nuclear program by destroying their centrifuges;
• Iran crippled the operations of the most valuable company on Earth, Saudi Aramco;
• According to BVP-funded iSIGHT Partners, the Russia-based Sandstone Team developed the Blackworm malware that shut down power for 700K Ukrainians;
• For two years, an Iranian group controlled malware inside a dam in Rye, New York (near BVP's Larchmont office).

The malware behind these attacks likely lay dormant for some time, and there is[...]
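The memo's point that eroding segmentation exposes every PLC once one machine touches the Internet is easiest to see as a policy check over observed traffic. The following is an added example, not Claroty's product or anything from the memo: it assumes a simple three-zone model (IT, DMZ, OT), a constructed set of subnets and expected SCADA ports, and constructed flow records of the form "src dst dport". It flags flows that cross from IT straight into OT, any OT host reaching the Internet (or the reverse), and non-SCADA ports on OT hosts.

```python
"""Zone-policy check for IT/OT network flows (added illustration, not Claroty's code).

Assumed model: each host belongs to a zone (it, dmz, ot). Only the DMZ (e.g. a historian
or jump host) may initiate flows into OT, OT hosts may only be reached on expected SCADA
ports, and OT must never touch the Internet directly in either direction.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: which subnet belongs to which zone.
ZONES = {
    "it": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "ot": ip_network("192.168.50.0/24"),
}

# Constructed set of protocol ports expected on OT hosts (DNP3, Modbus/TCP, Siemens S7).
OT_PORTS = {20000, 502, 102}

# Allowed (source zone, destination zone) pairs; anything else is a violation.
ALLOWED_CROSSINGS = {
    ("it", "it"), ("dmz", "dmz"), ("ot", "ot"),
    ("it", "dmz"), ("dmz", "ot"), ("ot", "dmz"),
    ("it", "external"), ("dmz", "external"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip):
    """Map an address to its zone name; anything outside the known subnets is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(flow):
    """Return the list of policy violations for one flow (empty if compliant)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    problems = []
    if src_zone == "ot" and dst_zone == "external":
        problems.append("OT host talking to the Internet")
    elif src_zone == "external" and dst_zone == "ot":
        problems.append("Internet host reaching into OT")
    elif (src_zone, dst_zone) not in ALLOWED_CROSSINGS:
        problems.append(f"disallowed zone crossing {src_zone}->{dst_zone}")
    if dst_zone == "ot" and flow.dport not in OT_PORTS:
        problems.append(f"unexpected port {flow.dport} on an OT host")
    return problems


def parse_flows(lines):
    """Parse constructed 'src dst dport' records, skipping blank lines."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def audit(lines):
    """Map each offending flow to its violations; compliant flows are omitted."""
    report = {}
    for flow in parse_flows(lines):
        problems = check_flow(flow)
        if problems:
            report[flow] = problems
    return report


# Constructed sample: historian polling a PLC, PLC-to-PLC Modbus, an IT workstation
# talking DNP3 to a PLC, a PLC calling out to the Internet, and RDP into a PLC from the DMZ.
SAMPLE_FLOWS = """
10.2.0.5 192.168.50.10 20000
192.168.50.10 192.168.50.11 502
10.1.3.7 192.168.50.10 20000
192.168.50.12 8.8.8.8 443
10.2.0.5 192.168.50.10 3389
"""

if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS.splitlines()).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {'; '.join(problems)}")
```

The check is passive: it only needs flow records (from a span port or flow export), which is the one kind of instrumentation the memo says OT teams will tolerate, since nothing runs on the controllers themselves.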
"The primary benefit of space is real estate that biology does not need. Earth is the one special place in the solar system required by life, but machines can function anywhere else."Why now? Metzger argues that AI has reached the points of maturity and acceleration that we need to pull it off, citing Bill Gates that robotics "is developing in much the same way that the computer business did 20 years ago."
2015-10-10T11:07:51.529-07:00

Oxford Zoology Professor Richard Dawkins is finishing up a whirlwind book tour through the U.S., addressing sold-out venues of free-thinking fans who flock to him as much for his sermons on Reason and Science as they do for a signature on his memoirs.

One of Richard's favorite stops is always Kepler's Bookstore in Menlo Park, where I had the pleasure of interviewing Richard about his memoirs before a crowd that sold out four weeks in advance. Richard graced his audience by reading several excerpts I selected -- chosen to give a sense for his writing but, like any good trailer, not to reveal crucial plot lines.

So rather than write a review of the book (which the NY Times and Guardian have already done quite well), I'm here to share a little preview of the story, which covers the second half of Richard's illustrious life so far. With this taste of the book, you can relish how Richard crafts every message with subtle detail and humor that, in Silicon Valley parlance, delights the user.

The first excerpt gives a glimpse into life at the hallowed institution of Oxford University, featuring brilliant but eccentric personalities who mix profound wisdom with the backseat bickering of children. As Richard recounts his unwelcome rotation as Sub-Warden, the setting seems less like Oxford and more like Hogwarts.

Although the Sub-Warden doesn’t have to seat people and their guests (as the presiding fellow does in some other colleges), he is expected to beam the role of genial host at dessert. I did my best, but there was one awkward evening. As I was helping people to find their seats I became aware, from a sort of ominous rumbling, that all was not well. Sir Michael Dummett, immensely distinguished philosopher, Wykeham Professor of Logic in succession to Freddie Ayer, stickler for grammar, conscientious and passionate campaigner against racism, world authority on card games and voting theory, was also famously choleric. When angered he would go even more than usually white, which somehow seemed – though this may be my fevered imagination – to make his eyes glow a menacing red. Pretty terrifying . . . and it was my duty as Sub-Warden to try to sort out whatever this problem was. The rumble grew to a roar. ‘I have never been so insulted in my life. You have the most atrocious manners. You obviously must be an Etonian.’ The target of this damning sally was not me, thank goodness, but our quirkily brilliant classical historian, Robin Lane Fox. Robin was hopping with anxiety and bewildered apology: ‘But what have I done? What have I done?’ I didn’t immediately succeed in discovering what the problem was, but in my hostly role I saw to it that the two of them were seated as far from each other as possible. I later learned the full story. It had begun at lunchtime that day. Lunch is an informal, self-service meal and fellows sit where they like, although it is conventional to fill up the tables in order. Robin noticed that a new fellow was hesitantly looking for a place. He courteously motioned her to sit, but unfortunately the chair he indicated was the very chair for which Sir Michael was heading himself. The perceived slight rankled, simmered up through the afternoon and finally boiled over after dinner at dessert. The story had a happier ending, as Robin told me when I asked him recently. A couple of days after that distressing incident, he was approached by Professor Dummett who offered the most gracious apology, saying that there was nobody in the college whom he would less wish to insult than Robin. Thank goodness I was never the target of his ire, although I might have been vulnerable as he was a devout Roman Catholic with the zeal of the convert.

Here is a memory of Richard's biogeographic expedition to Barro Colorado Island in Panama with John Maynard Smith:

This party was also memorable because of the firework display on a huge ship passing through the canal just beyond the trees. Actually falsely memorable, because for years I have been utterly convin[...]
2015-06-30T08:52:15.962-07:00

In 1950, the journal Mind published Alan Turing’s seminal paper, Computing Machinery and Intelligence, in which he proposed a behavioral definition of artificial intelligence. After all, if a machine can demonstrate intelligence, how can it not be said to possess intelligence? Turing’s test challenged computer scientists to create a thinking machine that, through conversation, could fool a person into believing that it, too, is human; Turing’s challenge continues to drive AI researchers today.

With the proliferation of computers in modern life, the prospect of identifying thoughtful machinery takes on more than just theoretical or philosophical interest. Back in Turing’s day, a thinking machine connected only to a “teleprinter” (as Turing envisioned) would have lived a lonely life, but today there are billions of people online with whom to converse, promising profound implications for society. For example, we increasingly find the machines who answer customer service calls to be more productive and thoughtful than human agents.

Machines who demonstrate intelligence can communicate not only with people, but also with other machines designed to communicate with people – specifically, over 100 million web servers that invite human visitors to browse, learn, chat, transact, and share with them. If a machine can demonstrate human intelligence in the eyes of a human judge, then no doubt it can win over these other machines on the internet, who are naturally less skilled at spotting other humans. Or are they? If, say, the human judge in a Turing test can distinguish the smartest machines from humans with 60% accuracy, how well could a machine do at judging them? I call this the Turing Judge Test, a corollary to Turing’s Test that marks a subsequent milestone in the development of AI. If a machine conversing with other parties can outperform the human judges in identifying the machines, that right there’s some mighty good thinking.

With the benefits of shared learning and infinite storage, machines only get smarter over time, and so it seems inevitable that they will eventually pass the Turing Judge Test. On the other hand, as artificial judges get smarter, so do the artificial contestants. Even when machines do pass Turing tests with flying colors, how can they ever out-think other best-in-class machines? Or is there a way of distilling human intelligence into a single line of questioning that distinguishes silicon from gray matter? Such a distillation would have more than theoretical value – indeed, it’s arguably critical for the safety of any information society. This is not just a theory – machines are already smart enough that they account for most web traffic, successfully posing as human visitors to perpetrate fraud on the government and business web servers they talk to. That’s why many sites use Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs).

(xkcd)

But CAPTCHAs create a nuisance for users and an outright obstacle for some disabled users; even worse, they can now be defeated in various ways – in other words, CAPTCHA servers are machines who once passed the Turing Judge Test, but only until the machines they judge got smarter!

As a result, malicious bots wreak havoc on the web, perpetrating data theft, account hijacking, application DDoS attacks, form spam, click fraud, and any other naughty action they can scale up through tireless automation. And that’s why I just invested in, and joined the board of, Distil Networks. Distil is run by a world-class team of machine learning experts whose thinking machines can now distinguish other machines from people with over 99% accuracy. Staples, AOL, Dow Jones, StubHub and many others depend upon Distil’s cloud-based service to immediately eliminate entire classes of attack (and free up all the infrastructure they ran to serve the whims of robotic imposters).

The Turing Judge Test [...]
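The post says machines now judge other machines with high accuracy but does not describe how Distil does it. As an added example, and not Distil's model or the post's own code, here is the simplest form such a judge can take: a handful of behavioral signals scored per client over constructed web-server log lines (request rate, share of form POSTs, whether the client ever fetched a static asset the way a real browser does, and whether the User-Agent names an automation library). The log format, thresholds and sample lines are all constructed for the example.

```python
"""Heuristic bot scoring over web-server log lines (added illustration; not Distil's model).

Assumed log record (constructed): ip, ISO timestamp, "METHOD path", status, "user-agent".
Each signal that fires adds one point; classify() calls a client a bot at two or more.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico")
AUTOMATION_UA = ("python-requests", "curl", "go-http-client", "scrapy")


def parse(lines):
    """Parse constructed log lines; lines that do not match the format are ignored."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def score_clients(records):
    """Return {ip: (score, reasons)} from the behavioral signals described above."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    scores = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        rate = len(recs) / span
        posts = sum(1 for r in recs if r["method"] == "POST")
        fetched_static = any(r["path"].endswith(STATIC_EXT) for r in recs)
        ua = recs[0]["ua"].lower()
        reasons = []
        if rate > 2.0:
            reasons.append(f"rate {rate:.1f} req/s")
        if len(recs) >= 3 and posts / len(recs) > 0.5:
            reasons.append("mostly form POSTs")
        if len(recs) >= 3 and not fetched_static:
            reasons.append("never fetched a static asset")
        if any(tok in ua for tok in AUTOMATION_UA):
            reasons.append("automation user-agent")
        scores[ip] = (len(reasons), reasons)
    return scores


def classify(lines, threshold=2):
    """Label each client 'bot' or 'human' by its score against the threshold."""
    scores = score_clients(parse(lines))
    return {ip: ("bot" if score >= threshold else "human") for ip, (score, _) in scores.items()}


# Constructed sample: a browsing human, a credential-stuffing script, and a slow scraper
# that fires only one signal and therefore stays below the threshold.
SAMPLE_LOG = """
203.0.113.5 2015-06-30T10:00:00 "GET /" 200 "Mozilla/5.0 (Macintosh) Safari/537.36"
203.0.113.5 2015-06-30T10:00:01 "GET /static/app.js" 200 "Mozilla/5.0 (Macintosh) Safari/537.36"
203.0.113.5 2015-06-30T10:00:15 "GET /login" 200 "Mozilla/5.0 (Macintosh) Safari/537.36"
203.0.113.5 2015-06-30T10:00:40 "POST /login" 302 "Mozilla/5.0 (Macintosh) Safari/537.36"
198.51.100.9 2015-06-30T10:00:00 "POST /login" 401 "python-requests/2.7.0"
198.51.100.9 2015-06-30T10:00:01 "POST /login" 401 "python-requests/2.7.0"
198.51.100.9 2015-06-30T10:00:01 "POST /login" 401 "python-requests/2.7.0"
198.51.100.9 2015-06-30T10:00:02 "POST /login" 401 "python-requests/2.7.0"
198.51.100.9 2015-06-30T10:00:02 "POST /login" 200 "python-requests/2.7.0"
192.0.2.77 2015-06-30T10:01:00 "GET /item/1" 200 "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.77 2015-06-30T10:01:20 "GET /item/2" 200 "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.77 2015-06-30T10:01:40 "GET /item/3" 200 "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.77 2015-06-30T10:02:00 "GET /item/4" 200 "Mozilla/5.0 (Windows NT 6.1)"
"""

if __name__ == "__main__":
    for ip, (score, reasons) in score_clients(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, score, reasons)
```

The scraper in the sample is exactly the case the post is about: it trips only the "no static assets" signal, so a judge this simple lets it through, and each signal it relies on is one a more careful machine can imitate. That is why the post frames the contest as an arms race rather than a fixed test.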
2015-02-12T09:36:52.857-08:00

This post originally appeared in TechCrunch.

In the past two years, cyberspace has clearly changed in ways that threaten every online business, big or small. Startups now use the cloud infrastructure that mature companies do, and quickly aggregate large, juicy caches of private user data and payment credentials. As malware infestations scale to scour the “long tail” of targets, they don’t discriminate between the Fortune 50 and the TechCrunch 50.

In fact, some increasingly common attacks — like DDoS extortion — specifically target smaller, more vulnerable businesses, whose loose cowboy cultures, shallow security expertise, fragile infrastructure and fresh capital make for easy pickings.

Jeremy Grant at NIST reports “a relatively sharp increase in hackers and adversaries targeting small businesses.” According to a recent survey, 20 percent of small businesses in Canada reported cyber losses last year. Who knows how many more fell victim and just don’t know it?

“Startups are incredibly vulnerable to cyber attacks in their first 18 months. If a business thinks that it’s too small to matter to cybercriminals, then it’s fooling itself with a false sense of security.” – Brian Burch, Symantec (CNN)

For many attacks—API disruption, marketplace fraud, IP theft—the smaller the target, the greater the damage. Startups often lose a year or more when targeted by identity thieves, nation-states, hacktivists, competitors, disgruntled employees, IP thieves, fraudsters or Bitcoin miners. Evernote, Meetup, Feedly, Vimeo, BaseCamp, Shutterstock, MailChimp and Bit.ly all fell victim to extortion rackets, and Code Spaces shut down altogether. “When our API collapsed under a DDoS attack, we experienced more customer churn in that one day than we had in the entire two years since our launch,” recalled one CEO.

Stubhub, Uber, and Tinder struggle to battle fraud in their marketplaces. Uber employees themselves were caught defrauding competitor Gett. Evernote, Bit.ly, Formspring, Dropbox, Cupid Media, Zendesk, Snapchat, Clinkle, MeetMe, LastPass (a password security company!) and many others have had to tell users they lost their passwords or payment credentials to hackers. Cyber thieves stole $5 million worth of Bitcoins from Bitstamp, and destroyed Mt. Gox and Flexcoin. Hackers exposed the content and identities of Yik Yak accounts. The CEOs of HB Gary, Snapchat and many other startups have been vilified following the theft and publication of embarrassing emails. Google routinely blacklists websites for weeks due to malware. Appstudio, SendGrid, HB Gary and others have been defaced or even permanently shut down by anti-Western hacktivists for political reasons. For OnlyHonest.com, the damage appears to have been fatal.

And even if your startup beats the odds and survives its infancy without a serious incident, playing catch-up later will cost many times more in time, money, reputation and distraction as you change architectures, rewrite code, move infrastructure, re-image laptops, migrate email, and replace billing systems.

But until your startup can afford a CISO, how do you protect your mission, IP, brand, assets, employees, and capital from cyber threats? For startups with limited resources and intense focus, what’s the right measured response to these threats?

To help our portfolio companies answer these questions, I surveyed Silicon Valley startups to understand their regrets and successes in mitigating cyber losses. I interviewed technical founders, Engineering VPs, CTOs and CISOs to hear what measures they wish they’d taken sooner, or in some cases, later. I also tapped security gurus like Dan Farmer (author, inventor of SATAN), Barrett Lyon (anti-[...]
2015-01-05T16:00:44.929-08:00

2014 will be remembered as the year the cyber dam broke, breached by sophisticated hackers who submerged international corporations and government agencies in a flood of hurt. Apple, Yahoo, PF Changs, AT&T, Google, Walmart, Dairy Queen, UPS, eBay, Neiman Marcus, the US Department of Energy and the IRS all reported major losses of private data relating to customers, patients, taxpayers and employees. Boeing, US Transportation Command, the US Army Corps of Engineers, and US Investigations Services (which runs the FBI’s security clearance checks) reported serious breaches of national security. Prior to last year, devastating economic losses had accrued only to direct targets of cyberwarfare, such as RSA and Saudi Aramco, but in 2014, at least five companies with no military ties -- JP Morgan, Target, Sony, Kmart, and Home Depot -- incurred losses exceeding $100M from forensic expenses, investments in remediation, fines, legal fees, re-organizations, and class-action lawsuits, not to mention damaged brands.

The press has already reported on where things went wrong at each company, promoting a false sense of security based on the delusion that remediating this vulnerability or that one would have prevented the damage. This kind of forensic review works for aviation disasters, where we have mature, well-understood systems and we can fix the problems we find in an airplane. But information networks are constantly changing, and adversaries constantly invent new exploits. If one doesn’t work, they simply use another, and therein lies the folly of forensics.

Only when you step back and look at 2014 more broadly can you see a pattern that points toward a systemic failure of the security infrastructure underlying corporate networks, described below. So until we see a seismic shift in how vendors and enterprises think about security, hackers will only accelerate their pace of “ownership” of corporate and government data assets.

The Sprawl of Cyberwarfare

The breaches of 2014 demonstrate how cyberwarfare has fueled the rampant spread of cyber crime. For the past decade, the world’s three superpowers, as well as the UK, North Korea and Israel, quietly developed offensive capabilities for the purposes of espionage and military action. Destructive attacks by geopolitical adversaries have clearly been reported on private and public sector targets in the US, Iran, South Korea, North Korea, Israel, Saudi Arabia and elsewhere. While Snowden exposed the extent of cyber espionage by the US, no one doubts that other nations prowl cyberspace to a similar or greater extent.

The technical distinction of these national cyber agencies is that they developed the means to target specific data assets or systems around the world, and to work their way through complex networks, over months or years, to achieve their missions. Only a state could commit the necessary combination of resources for such a targeted attack: the technical talent to create zero-day exploits and stealthy implants; labs that duplicate the target environment (e.g. the Siemens centrifuges of a nuclear enrichment facility); the field agents to conduct on-site ops (e.g. monitoring wireless communications, finding USB ports, or gaining employment); and years of patience. As a result of these investments in “military grade” cyber attacks, the best of these teams can boast a mission success rate close to 100%.

But cyber weapons are even harder to contain than conventional ones. Cyberwar victories have inspired terrorists, hacktivists and criminals to follow suit, recruiting cyber veterans and investing in the military grade approach. (Plus, some nations have started targeting companies directly.) No longer content to publish malware and wait for whatever data pop up, criminals now identify the crown jewels of businesses and target them with what we call Advanced Persistent Threats (APTs). You want credit cards? Get 56 million of them from [...]
2014-11-18T09:45:35.157-08:00

Last night at dinner with a group of officers from Facebook, LinkedIn and Twitter, Oxford Professor and legendary evolutionary biologist Richard Dawkins asked me to explain why I signed up to be a Trustee of the Richard Dawkins Foundation for Reason and Science. Later I was asked to share those comments, so here they are:

From inside Silicon Valley, it may seem somehow unnecessary or obsolete to promote science. But it’s easy to forget how fortunate and enlightened we are here. The scientific method is ingrained in everything we do. Instead of A/B testing your apps to improve your conversion funnel, would you ever rely instead on prayer, ritual and miracles?

But in the world at large, and even our country, most people still do not value the proven theories of scientists, either because they themselves do not understand science, or because there is too much social and emotional pressure upon them to value faith over evidence-based beliefs. Still, so what? Why invest my limited time and capital in a startup foundation that promotes science and secularism?

As I would for any startup investment opportunity, I naturally start my assessment by looking at the incumbents in the vibrant market for people’s souls, to see how vulnerable they are to disruption. And as I deconstruct the businesses of religion, here’s what I see:

• The largest possible market -- 7 billion customers!
• Awesome value proposition – immortality – that addresses the most basic human desire.
• A recurring revenue business model.
• A Net Promoter Score higher than Apple's, where their customers go door to door on their behalf and build schools to sell their product.
• An impressively large and distributed field sales organization staffed by product evangelists (literally) who work for low wages.
• Enormous government subsidies in the form of 100% tax relief, and similar government subsidies for all their customers!
• Enormously high switching costs – customers who churn can lose their jobs, friends, even family, and in some countries their head.

The only drawback is product quality. Not only is immortality difficult to deliver, but the entire industry agrees that only one of the thousands of products on the market actually works. The good news is that customers pay prior to shipment, and there is no mechanism for rating product satisfaction.

That's a business I would want to own!

The downsides are simply economic externalities – costs that are mostly borne by others. Some are obvious, like Jihad and the oppression of gays and women. But the most dangerous externality of all is more subtle, and that’s the marginalization of science.

Broun: "Lies straight from the pit of Hell"

To keep their customers, religions convince them that faith trumps evidence, and in so doing, they undercut whatever shot we have as a species to fight disease, poverty and global warming. Medical doctors in the US are turning to prayer as treatment. 17 Americans die every day for lack of a kidney because most of us want to keep our corpses intact in order to enter Heaven. And when every other American believes that the Earth is 6,000 years old, we elect representatives who (at least pretend to) think that way -- like a President who outlawed federal funding to research new stem cell lines. Congressman Broun, a member of the House Space, Science and Technology Committee, called the Big Bang Theory and evolution “lies straight from the pit of Hell”. Representative John Shimkus rejected carbon emission regulations because God promised Noah in Genesis 8:21 that there won’t be a flood, so it's heresy to worry about rising sea levels. “Man will not destroy this Earth. God’s word is infallible, unchanging, perfect.” Senator Inhofe, the next Chairman of the Senate's environmental oversight committee, agrees with Shimkus on God's protection, and denies that Man is changing the climate.

Religions do this because science is the [...]
2014-06-09T22:31:00.627-07:00

PCs and smartphones have pushed mainframes to the brink of extinction on Earth, and yet mainframes still thrive in space. Most every satellite in orbit is a floating dinosaur - a bloated, one-off, expensive, often militarized, monolithic relic of the mainframe era. The opportunity for entrepreneurs today is to launch modern computer networks into space, disrupting our aging infrastructure with an Internet of microsats.

Credit DeviantArt.com

So why has it taken so long for modern computing to reach space? Gravity. It’s hard to launch things. Governments have the money and patience to do it, as do large cable and telecom corporations. These players are slow to innovate, and large satellites have met their basic needs around science, defense, and communications, albeit at very high costs. That’s changing: several IT trends have come together to herald the extinction of these orbiting pterodactyls:

• Moore’s law has reached the point where a single rocket launch can be amortized across dozens of tiny satellites, and the replacement cost is so low that we needn’t burden our missions with triple redundancies and a decade of testing;
• Global computing clouds make it easy to deploy ground stations; and
• Advances in Big Data enable us to process the torrential flows of information we get from distributed networks.

These trends have reduced the cost of a single aerospace mission from a billion dollars down to a hundred million just as the early-stage VC community amassed enough capital to undertake projects of this scope. And now that a handful of venture-backed startups like SpaceX and Skybox are demonstrating success, the number of aerospace business plans circulating through Sand Hill Road has climbed faster than a Falcon 9.

With each successful startup, progress accelerates and synergies emerge. As SpaceX makes launches cheaper, it opens the frontier to more entrepreneurs. Pioneers like Skybox and Planet Labs have to build end-to-end solutions for their markets, including everything from satellite buses to big data search algorithms; but there will soon evolve an ecosystem of vendors who specialize in launch mechanisms, cubesats, sensors, inter-sat communications, analytics, and software applications.

So who are the customers for a space-based Internet? At first, aerospace startups will disrupt two large markets:

· Scientific exploration of space. In the past, costly scientific missions such as Apollo ($355 million in 1966), ISS ($3 billion/year), Hubble ($10 billion), and Cassini ($3.3 billion) were designed and built by government agencies. Expect startups to disrupt this market with innovations in rocketry, robotics, optics, cloud computing, space suits, renewable energy, and more.
· Communications. Government defense agencies spend considerable sums on communications to serve their space-based weapon systems and intelligence bureaus. Media and cable companies also commission satellites to serve their consumers. Microsat networks of radios will supply these customers more cheaply and reliably.

While spatial avionics improve with Moore’s Law, certainly some payloads, like telescopes and robots, cannot be miniaturized beyond the constraints of physics. But even these missions will benefit from the cheap, rapid testing available on a nanosatellite. Just as programmers today can build entire software companies using a free A.W.S. account and the open source LAMP stack, space-faring entrepreneurs can now explore myriads of new business models by launching $1,000 cubesats out of ISS.

In addition to disrupting existing markets, microsat networks in space will enable a new and important capability: Planetary Awareness. When we surround our planet with sensors across the frequency spectrum, w[...]
2015-01-09T23:50:33.313-08:00

With sincere appreciation for the thankless job executed day in and day out by the admins at BVP and our portfolio companies, I spent today with a barbershop quartet making our way from San Jose to San Francisco serenading these heroes of Silicon Valley. The final stop, captured below, was at Smule to recognize office manager Erika San Miguel.
2015-01-05T08:39:51.790-08:00

This week, the RSA Conference draws its annual pilgrimage of data security professionals seeking insights on market and technology trends. As a seed-stage security investor in this industry, it has been my job to predict the future of cybersecurity, and so now’s a good time to share two important rules that have served me well:

(i) Follow the Money: what’s the most lucrative opportunity emerging for hackers today? Identify the hacker’s next big opportunity, and you know who will need to respond! This rule, for example, steered me toward spam in 2002 (Postini), online banking theft in 2004 (Cyota), geopolitical warfare in 2009 (Endgame) and DDoS attacks in 2013 (Defense.Net).

(ii) Where There’s A Way There’s A Will. Physicists know that if a natural phenomenon can exist, then most likely it does. The cyber corollary is that vulnerabilities in the wild WILL be exploited – it’s only a matter of time. Poisoning the DNS, using the cloud to factor large numbers, and streaming smartphone microphones were all considered theoretical attacks, until they weren’t. Whenever we dismiss vulnerabilities as too difficult to exploit, hackers eventually humble us with their ingenuity.

Just this week we saw two important examples of this rule in action. The first is Apple’s confirmation of a glaring deficiency in their implementation of SSL that means we’ve been kidding ourselves about how secure the Mac and iPhone really are. The software engineers at Apple are mortal, and just as prone to the inevitable security lapses that plague any complex system.

The second example is a blog post by RSA about new malware on Android phones that coordinates with web-based attacks to hijack banking sessions. I have been expecting this “innovation” since 2005, when I predicted that banks, plagued by the security shortcomings of passwords and biometrics, would adopt and embrace out-of-band authentication for any risky transaction:

That's why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction ("This is Wells Fargo--please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast"). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it's secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).

This prediction turned out well: 2-channel authentication has since become standard procedure for banks, application developers and consumers, thanks largely to three investments I made back then:

1. If you’re a bank… Cyota (acq. by RSA) is the market leader in assessing your transactions for risk so they can be escalated for authentication;
2. If you’re a developer… Twilio is the market leader in enabling apps to launch phone calls or SMS messages for out-of-band authentication (this may be Twilio’s single largest use case); and
3. If you’re an individual… Lifelock leads the Identity Theft market, by contacting you through multiple channels when they spot a risky transaction involving your Personally Identifiable Information.

However, as I parenthetically noted in 2005, it’s theoretically possible to “commandeer affiliated phone lines” in order to defeat 2-channel authentication. This seem[...]
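The 2005 quote describes the scheme in one sentence; what makes it resist a hijacked browser session is that the code is bound to the specific transaction and the details are read back over a channel the malware does not control. The following is an added toy model of that exchange, not Cyota's, Twilio's or any bank's code: the bank derives a six-digit code from the transaction with an HMAC under a server-side key, shows it on the web channel, and reads the amount and destination aloud on the phone channel, where the customer keys the code in. The check is single-use, rate-limited, and only verifies against the transaction the code was issued for. All names and values are constructed.

```python
"""Two-channel (out-of-band) transaction authorization, as a toy model.

Added illustration of the scheme the 2005 quote describes; this is not Cyota's, Twilio's or
any bank's code. Assumed design: the code shown on screen is HMAC(key, txn_id|amount|dest)
truncated to six digits; the phone call reads the stored transaction details back to the
customer, who keys the code in. The server-side key never leaves the bank.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Transfer:
    txn_id: str
    amount: int          # whole dollars (constructed)
    destination: str
    authorized: bool = False
    attempts: int = 0


class Bank:
    MAX_ATTEMPTS = 3     # wrong codes allowed before the transaction is locked

    def __init__(self, phone_number):
        self._key = secrets.token_bytes(32)   # server-side secret, never shown to the client
        self.phone_number = phone_number      # the number on file, not one the session supplies
        self._pending = {}

    def _code_for(self, t):
        """Bind a short code to the exact transaction so it cannot authorize another one."""
        msg = f"{t.txn_id}|{t.amount}|{t.destination}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def create_transfer(self, amount, destination):
        """Web channel: record the transfer and return (txn_id, code to display on screen)."""
        t = Transfer(secrets.token_hex(8), amount, destination)
        self._pending[t.txn_id] = t
        return t.txn_id, self._code_for(t)

    def phone_prompt(self, txn_id):
        """Phone channel: what the bank's call reads out, from the bank's own record."""
        t = self._pending[txn_id]
        return (f"This is the bank. Please enter the code on your screen to authorize "
                f"the transfer of ${t.amount:,} to {t.destination}.")

    def authorize_by_phone(self, txn_id, keyed_code):
        """Accept the keyed code once, for this transaction only, within the attempt limit."""
        t = self._pending.get(txn_id)
        if t is None or t.authorized or t.attempts >= self.MAX_ATTEMPTS:
            return False
        t.attempts += 1
        if hmac.compare_digest(keyed_code, self._code_for(t)):
            t.authorized = True
            return True
        return False


def customer_accepts(prompt, intended_amount, intended_destination):
    """Customer-side check: the spoken details must match what they meant to send."""
    return f"${intended_amount:,} to {intended_destination}." in prompt


if __name__ == "__main__":
    bank = Bank("+1-555-0100")                      # constructed number on file
    txn, code = bank.create_transfer(50_000, "Boys and Girls Club of Belfast")
    print(bank.phone_prompt(txn))
    print("authorized:", bank.authorize_by_phone(txn, code))
    print("replay:", bank.authorize_by_phone(txn, code))
```

Two properties carry the weight. A code issued for one transfer fails against any other, so malware that swaps the destination in the browser cannot reuse what the customer saw; and because the amount and destination are spoken from the bank's record, a customer who meant to pay a $50 bill hears a $50,000 transfer to a stranger and declines. The parenthetical caveat in the quote still applies: the scheme assumes the phone channel itself is not compromised.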
2013-11-05T06:29:13.233-08:00The Neighborhood Watch dates back to July 1, 1700 in Colonial Philadelphia with the passage of the Safe Streets bill. With no police department yet established, citizens took turns as the appointed watchmen to "go round ye town with a small bell in ye night time, to give notice of ye time of night and the weather, and anie disorders or danger." In many ways, cyberspace today feels like Colonial Philadelphia - fraught with "disorders and dangers" and no police force capable of apprehending the offenders. No wonder then that last February President Obama signed an executive order calling on Americans in the public and private sector to establish the equivalent of a cyber Neighborhood Watch."It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing..."But sharing cyber threat data is shockingly rare, despite the fact that for the last two decades, hackers have steadily organized a vibrant industry around the tools and services needed to launch cyber attacks --credit card credentials, script kiddies, zero day vulnerabilities, bot armies, and other staples of cyberwarfare are sold through web sites and channels similar to those associated with legitimate IT purchases. 
And yet up until 12 months ago, when a wave of cyber attacks against US banks, government agencies and media sites exposed our economy's soft underbelly, no enterprise would ever voluntarily discuss its security infrastructure, let alone acknowledge a breach or even an attack, lest they worry their constituents.

But in those 4 months from October 2012 to February 2013, everything changed. A steady drumbeat of DDoS attacks rendered our banks offline and, for the first time, account holders demanded that their banks openly address the problem. In a novel gesture of transparency and collaboration, Bank of America actually asked the Feds for help.

The US has responded by organizing industry and government to start collaborating, so that cyber attackers, as they are detected, cannot simply jump from target to target. Twenty-nine federal agencies today share real-time threat data stemming from cyber incidents through an exchange integrated with all the heterogeneous security infrastructure across those agencies. Suspect IP addresses, bad app signatures, malicious domain names, fraudulent host names, and other types of black lists are now updated in real time to broadly deflect attacks as they are discovered.

Furthermore, this federal "ActiveTrust Exchange" has now been opened up to large commercial enterprises, including financial institutions (like BVP) and some mega Silicon Valley tech companies. The President's vision of a national Neighborhood Watch is now a reality.

|Paul Ferguson, VP Threat Intel|

The company that developed and operates ActiveTrust is Internet Identity ("IID"), a somewhat obscure company in Tacoma, Washington with deep security DNA. IID is pioneering the idea that security technology should be decoupled from security data - that you can't rely on your vendor of security hardware and software to also provide you with all the intelligence you need to filter bad traffic.
Your security gear is only as good as the blacklists it enforces; without up-to-date cyber intel, you can't repel a motivated and highly targeted cyber attack.

IID now sells various services and intelligence feeds, but the primary product is[...]
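The kind of blocklist enforcement such an exchange feeds, as an added example that is not IID's or ActiveTrust's code: a parser for a small constructed indicator feed (IP, CIDR, domain) and a scanner that runs it over constructed proxy log lines. The feed format, the field layout of the log lines and all addresses (RFC 5737 documentation ranges) are assumptions for the demonstration; the two checks worth copying are that malformed feed lines are reported rather than dropped, and that domain indicators match only at label boundaries.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

type Feed struct {
	nets    map[*net.IPNet]string // range -> label; exact IPs become one-address ranges
	domains map[string]string     // lowercase, no trailing dot -> label
}

// ParseFeed reads "<type>,<value>,<label>" lines. Malformed lines are returned
// rather than dropped, so a bad refresh does not silently shrink the blocklist.
func ParseFeed(text string) (*Feed, []string) {
	f := &Feed{nets: map[*net.IPNet]string{}, domains: map[string]string{}}
	var bad []string
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' {
			continue
		}
		parts := strings.SplitN(line, ",", 3)
		if len(parts) != 3 {
			bad = append(bad, line)
			continue
		}
		val, label := strings.TrimSpace(parts[1]), strings.TrimSpace(parts[2])
		switch parts[0] {
		case "ip":
			if ip := net.ParseIP(val); ip != nil {
				f.nets[&net.IPNet{IP: ip, Mask: net.CIDRMask(8*len(ip), 8*len(ip))}] = label
				continue
			}
		case "cidr":
			if _, n, err := net.ParseCIDR(val); err == nil {
				f.nets[n] = label
				continue
			}
		case "domain":
			f.domains[strings.ToLower(strings.TrimSuffix(val, "."))] = label
			continue
		}
		bad = append(bad, line)
	}
	return f, bad
}

func (f *Feed) MatchIP(s string) (string, bool) {
	ip := net.ParseIP(s)
	for n, label := range f.nets {
		if ip != nil && n.Contains(ip) {
			return label, true
		}
	}
	return "", false
}

// MatchHost checks the host and each parent at a label boundary, so "login.bad.example"
// matches "bad.example" but "notbad.example" does not (a plain suffix test would).
func (f *Feed) MatchHost(host string) (string, bool) {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	for i := range labels {
		if label, ok := f.domains[strings.Join(labels[i:], ".")]; ok {
			return label, true
		}
	}
	return "", false
}

// Scan runs the feed over proxy-style log lines "<ts> <client> <dst_ip> <host>".
func (f *Feed) Scan(logText string) []string {
	var hits []string
	for i, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		if fld := strings.Fields(line); len(fld) >= 4 {
			if label, ok := f.MatchIP(fld[2]); ok {
				hits = append(hits, fmt.Sprintf("line %d: %s (%s)", i+1, fld[2], label))
			} else if label, ok := f.MatchHost(fld[3]); ok {
				hits = append(hits, fmt.Sprintf("line %d: %s (%s)", i+1, fld[3], label))
			}
		}
	}
	return hits
}

// Constructed sample feed and log (documentation ranges, not real indicators).
const sampleFeed = `ip,203.0.113.7,c2-node
cidr,198.51.100.0/24,bulletproof-hoster
domain,bad.example,phish-kit`
const sampleLog = `2013-11-05T06:29:13Z 10.0.0.5 203.0.113.7 c2.example
2013-11-05T06:29:14Z 10.0.0.8 192.0.2.10 login.bad.example
2013-11-05T06:29:15Z 10.0.0.9 198.51.100.77 cdn.example
2013-11-05T06:29:16Z 10.0.0.9 192.0.2.11 notbad.example`

func main() {
	feed, bad := ParseFeed(sampleFeed)
	fmt.Println(len(bad), "malformed;", strings.Join(feed.Scan(sampleLog), "; "))
}
```

Run against the sample, lines 1 to 3 hit (exact IP, subdomain of a listed domain, member of a listed range) and line 4 does not, which is the behaviour a suffix-string comparison gets wrong.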
|Photo credit: Steve Jurvetson|
2013-10-05T23:52:17.194-07:00

Tonight I had the honor of introducing Richard Dawkins at a Kepler's Bookstore book-signing for his memoirs An Appetite for Wonder: The Making of a Scientist. Here are my notes from the intro:

Good evening! I’m your neighbor David Cowan, and with Thanksgiving only 6 weeks away, it’s my job tonight to share with you 6 reasons why we are all very fortunate.

First, we are fortunate to have Kepler’s in our community so we can meet our literary and scientific heroes.

Second, we are fortunate because tonight we have a visitor, Richard Dawkins, who ranks among the handful of greatest scientists of our generation. From his perch at Oxford, Professor Dawkins has advanced evolutionary biology, and authored several of the best-selling science books ever published, including Extended Phenotype, Selfish Gene, Blind Watchmaker, Unweaving the Rainbow, Devil’s Chaplain, and God Delusion, which has sold millions of copies.

Another book of his, Climbing Mount Improbable, taught me our third good fortune tonight: that after billions of years of chaos, life sprung on our little planet, our species emerged from a trillion accidents of nature, and the organisms sitting in this room won the lottery of conception. (You may notice that these fortunes are not necessarily presented in any increasing or decreasing order of magnitude.)

And now he’s written his memoirs, An Appetite for Wonder: The Making of a Scientist, and we are quadruply fortunate that after multiple visits here, Kepler’s remains one of Richard’s favorite places to meet his readers.

The first chapter of his memoirs recounts his family history in which Clinton George Augustus Dawkins, consul to Austria and not yet a father in 1830, was fired upon by a cannonball that just barely missed his privates.
Naturally, that is good fortune number five for us tonight.

The memoirs go on to document the intellectual development of Earth’s most famous atheist, from humble beginnings on a country farm, and parents who lived sparingly in order to afford the finest education for their children. Reading about the collision of his Anglican indoctrination with natural evidence and common sense evoked strong memories of my own religious upbringing, as I’m sure it would for many of you. He writes:

“I was intensely religious around the time I was confirmed. I priggishly upbraided my mother for not going to church. She took it very well and didn’t tell me, as she should have, to take a running jump.”

But soon Young Richard (or Clinton, which we now know to be his true name) started to question the institutional rituals around him. This is my favorite chapter…

[p. 140] I was especially incensed by the hypocrisy of the General Confession in which we mumbled in chorus that we were miserable offenders. The very fact that the exact words were written down to be repeated the following week, and the week after and for the rest of our lives (and had been so repeated since 1662) sent a clear signal that we had no intention of being anything other than miserable offenders in the future.

But Richard retained his belief in a Creator God, and as a teenager he did continue to worship.... Elvis Presley, that is. Richard privately impersonated the rock and roll legend, and remembers buying the album I Believe.

[p. 142] I listened with delight – for my hero sang that every time he saw the wonders of the world, his faith was reinforced. My own sentiments exactly!...I sort of half believed that in this unexpected record, Elvis was speaking personally to me, calling me to devote my life to telling people about the Creator God.

6. Skipping down to our 6th and final good fortune tonight…[...]
2013-08-28T23:59:30.519-07:00

This is a reprint of an article I wrote this week for MIT Technology Review.

Our growing computer security problems will create many new companies.

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants.

Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved. The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Cybersecurity is a never-ending Tom and Jerry cartoon. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete.

As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups. Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. I think that in the coming years we will see many small, creative teams of security engineers successfully discovering, testing, and building out clever new ways to secure cyberspace.

Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing. In a transformation that eclipses even the advent of client–server computing in the 1980s, businesses are choosing to subscribe to services in the cloud over running software on their own physical servers. Incumbents in every category of software are being disrupted by cloud-based upstarts.
According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars.

Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years.

Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date. Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks.

The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products. Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source.

These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processi[...]
2013-08-16T18:32:01.333-07:00

Do recent revelations about US cyber intelligence activities jeopardize our nation’s market leadership in cloud computing? Will enterprises – domestic and foreign alike – now favor foreign vendors, or even avoid the public cloud altogether? A review of the political and technical realities points to trouble for US cloud providers, but only for the short term.

In recent weeks we’ve seen a tangible backlash against the NSA’s PRISM program and those tech companies who cooperate, especially those who “don’t put up a fight.” It is the natural, reflexive reaction to the sudden awareness of a potential intrusion on our privacy, and it includes new scrutiny by individuals and enterprises as to whether they should entrust their data to US cloud vendors, who have already felt some impact on their rates of sales and churn.

As related news reports and editorials come online, they provoke a lot of comments that reflect public sentiment. These comments have expressed concern about the lack of transparency in federal policies and jurisdiction, and even outrage at what many believe to be unconstitutional surveillance.

But in the past week, public comments on news sites have started to incorporate a more balanced look at the situation. There is acknowledgement that US intelligence agencies are doing their jobs when they gather data on potential threats to national security, just as other governments do; that the NSA does not steal IP for economic gain as many other state agencies do, and that despite our deficiencies, the US agencies operate under tighter oversight than foreign agencies. Especially as Congress moves to improve transparency, there is a grudging awareness that US-based clouds may offer the best privacy, relatively.

But is it good enough to be simply less bad?
As long as privacy remains a concern, there will be resistance to adoption of any public clouds, and, as the market leaders, US vendors will suffer.

Fortunately, cryptographic technology will ultimately make this issue largely moot for most cloud infrastructure, platforms and applications. To date, cloud vendors have been slow to implement proper cryptographic protocols, since demand has grown so quickly without it. But with the recent focus on privacy, SaaS, PaaS and IaaS providers must get around to implementing what they should have implemented years ago.

Specifically, data in the cloud must be encrypted using keys that are controlled by the customers who own them. So whether you use SalesForce, Box, Google Apps or Workday, you should have the option of encrypting your data both in transit and at rest. Although many cloud providers offer encryption today, they typically use one key for everyone, or at best they offer individual keys that are generated and controlled by the vendor; in either case the vendor, and anyone who compels or compromises the vendor, can still decrypt your data.

The recent, notable exception is Amazon, whose CloudHSM service offers AWS customers access to Hardware Security Modules for key protection inside their cloud. It's time for others to follow Amazon's lead, so that customers can comply with their own regulations, data breaches will be far less catastrophic, and intelligence agencies will have to find new ways to snoop.

Until then, interim solutions from a new class of security startup — like CipherCloud, Vaultive, Vormetric, and Navajo (acquired by SalesForce) — enable you to encrypt your data before you send it to the cloud. Unfortunately, cloud providers cannot do much with encrypted data that they cannot decrypt - their applications cannot provide features such as sorting, fuzzy searches, and comparative metrics. CipherCloud and others have had to invent some kludg[...]
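The customer-controlled-key arrangement the post calls for, as an added example (not code from any of the vendors named): envelope encryption in which the application encrypts each object under a fresh data key, the customer's key-encryption key wraps that data key, and the provider stores only the two ciphertexts. AES-256-GCM from Go's standard library stands in for the HSM; the object identifier, the customer and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the provider stores for one object; nothing in it lets the provider decrypt.
type Envelope struct {
	ObjectID   string // bound into both seals as associated data
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

// gcm builds an AES-256-GCM AEAD from a 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the blob or the aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Customer owns the KEK. In production it lives in an HSM or a customer-run
// KMS, and only wrap/unwrap are reachable from the cloud side.
type Customer struct{ kek []byte }

func NewCustomer() (*Customer, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return &Customer{kek: k}, err
}

func (c *Customer) WrapDEK(dek []byte, id string) ([]byte, error)   { return seal(c.kek, dek, []byte(id)) }
func (c *Customer) UnwrapDEK(wr []byte, id string) ([]byte, error) { return open(c.kek, wr, []byte(id)) }

// Encrypt runs on the application side: fresh DEK per object, seal, have the customer wrap the DEK, drop the DEK.
func Encrypt(c *Customer, objectID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := c.WrapDEK(dek, objectID)
	if err != nil {
		return nil, err
	}
	return &Envelope{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt cannot proceed unless the customer's KEK unwraps the DEK.
func Decrypt(c *Customer, e *Envelope) ([]byte, error) {
	dek, err := c.UnwrapDEK(e.WrappedDEK, e.ObjectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, e.Ciphertext, []byte(e.ObjectID))
}

func main() {
	alice, _ := NewCustomer()
	env, _ := Encrypt(alice, "crm/opportunity/42", []byte("constructed sample record"))
	fmt.Println(Decrypt(alice, env)) // the record, nil error
	other, _ := NewCustomer()        // another tenant, or a vendor-generated key
	fmt.Println(Decrypt(other, env)) // empty, authentication error
}
```

The first Decrypt returns the record; the second, under any key other than the customer's, fails authentication, as does moving the envelope to a different object ID or flipping a ciphertext byte. It also makes concrete the limitation raised in the last paragraph: the provider holds no key, so nothing in the stored Envelope can be sorted or searched on its side.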
2013-07-07T17:13:36.787-07:00

A fun clip from last week's Voices in Harmony concert.
2013-06-11T11:18:00.964-07:00

I presented the following prediction as part of a spirited Churchill Club debate with 5 other VCs. It was first published as text in AllThingsD.

Remember MS-DOS commands, and the WordStar keystroke combinations we had to memorize? Then the first Macintosh featured a mouse-driven GUI that was game changing because it removed a layer of friction for both the data going in and coming out. When we tried that first model, we knew we could never go back to a C prompt.

And yet the impact of graphical computing was minor compared to how facial computing will change our lives, and how we all relate to The Collective. Think of it as a man-in-the-middle attack on our senses, intercepting all the signals we see and hear, and enhancing them before they reach our brains.

|First Generation Mobile Computer|

This is not science fiction, and based on prototypes I’ve seen, it’s a good bet that design teams in Google, Apple, Samsung and various military contractors are building eyewear computers that will render smartphones as obsolete as the first generation of mobile computer. I’m not talking about Google Glass, with its cute little screen in the corner. I mean an immersive experience that processes what we see, and then overlays graphical objects onto our field of view: true Terminator Vision. The US military has this capability today, so that troops can see pointers to their platoon members, and markers of known IED locations. So now it’s just a question of making the hardware small, cheap, and available in four adorable colors.

Not only will our favorite apps on eyewear computers be more immediate and engaging, but we’ll experience new computing capabilities so compelling that we find them indispensable. For example, eyewear computers can record our lives, and enable us to summon any relevant conversation or incident from our past.
With eyewear computers, we can truly share experiences in real time, transporting ourselves to the perspective of someone on a ski slope, or in a night club, Wimbledon match, or the International Space Station. Just as Terminator did in the movie, we will air-click on actual things we see to interact with, investigate, or purchase. We’ll integrate facial recognition and CRM for background data on everyone we meet. When we travel abroad, signs will appear to us in English, and when someone is speaking to us, we can simply turn on English subtitles. A new generation of games will be more immersive and engaging than ever before.Five years from today, when smartphone sales are in decline, we will ask ourselves: Remember when we used to spend our days looking down at those little screens?[...]
2013-06-09T13:26:53.792-07:00

[Embedded video: http://player.vimeo.com/video/56820870]
2013-06-07T16:49:17.124-07:00

As we adapt our laws to technology, we struggle to strike a balance between national security and privacy. As we do, we tend to thrash back and forth between extreme policies, from the Computer Fraud and Abuse Act of 1986, criminalizing researchers and hackers, to the Patriot Act of 2001, criminalizing everyone else!

If we begin with first principles, I'd guess that as a society most of us would find the following to be a reasonable starting point for resolving this issue: in light of threats from criminals, terrorists and geopolitical rivals, our government agencies should conduct whatever surveillance they need to, so long as they do not violate our constitutional rights in any way. Chipping away at the Constitution is far more dangerous to us as a precedent than any external enemy. But once we establish that imperative, we want the FBI and NSA to do their jobs as well as they can, with all the tools at their disposal.

Unfortunately, many journalists, bloggers and other pundits prefer to stoke the fires of fear. Conspiracy theories, after all, are a time-proven way to increase clicks, grow one's twitter following, and sell books. Yesterday's report of Verizon's compliance with a court order to provide meta-data on phone calls, and today's allegations that NSA's PRISM program has had free rein on the data stores of the largest internet services, have presented just such a golden opportunity (e.g. BIG BROTHER IS HERE), and now the floodgates are open!

PRISM raises tough questions about the need for transparency in our government agencies, but it is unproductive to be reactionary and polarizing, since these qualities mask the best solutions. And there probably has never been a more prolific source of security and privacy solutions than my friend Bruce Schneier, whom I've backed as an entrepreneur, whose books I've read more than once, and whose words have guided me as an investor.
But even Bruce slipped into sensationalism when he posted an article today on The Atlantic titled What We Don't Know About Spying on Citizens: Scarier Than What We Know.

Bruce makes a compelling case that we need better disclosure, but I believe he goes a bit too far in several respects.

"The NSA received...everything except the voice content: who called who [sic], where they were, how long the call lasted," writes Bruce. But that seems inaccurate, since the NSA has not received any personally identifiable information of the callers. For that, they need a court order.

"We know [the FBI] can collect a wide array of personal data from the Internet without a warrant," but so can Google and thousands of other internet companies who track everything we do; should the FBI do any less? Bruce asserts that the FBI can use the microphone in our smartphones to bug a room, if they have a warrant; but why shouldn't the FBI use smartphones to effect a warranted bugging?

"We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime," Bruce writes, "deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on." But I cannot find any evidence that these codenames -- typical for all government projects -- were invented specifically to stymie oversight.

For a balanced view of the facts and issues, I recommend Joshua Foust's blog post, and I leave you with this conclusion from today's Washington Post editorial:

In the days after the Boston bombings, many asked why the government[...]
2013-06-03T05:27:19.482-07:00

I presented the following prediction as part of a spirited Churchill Club debate with 5 other VCs. It was first published at AllThingsD.

Ever since Hollywood gave us War Games, the fear of cyber apocalypse has gripped America. We’ve outlawed hacking to such an extent that if you’re shut down by a cyber attack, or your data have been stolen, it’s a federal crime to even probe the attacking computers, let alone disable them. Rather than educate and activate our best and brightest hackers, we prosecute and imprison them.

Businesses haven’t complained because they’ve never wanted to fight back. You can’t prosecute the attackers even if you find them, and admitting a breach may spook customers and even invite more attacks. So instead of fighting, we’ve just quietly taken the punches, and wished it all away. But wishing it away is like trying to reduce teen pregnancy by preaching abstinence.

Two years ago I watched a TED audience cheer Ralph Langner for exposing the Stuxnet worm that our government developed to retard Iran’s nuclear weapons program. It was as if the US and Israel had invented malware. Somehow, it was evil for us to use cyberspace to stop the most vitriolic, warmongering fundamentalist on our planet from making nuclear bombs. Because cyber is “unconventional”, we somehow consider it to be just as taboo to use as nuclear and chemical weapons.

Meanwhile, the NY Times reported this morning that, “Hackers Find China is a Land of Opportunity.” Not only has China allegedly hacked Google and Evernote to spy on its citizens, but it has funded massive efforts to steal information valuable to economies and national security. Attacks on our banks, utilities, and defense contractors can be traced back to units in the Chinese military.
We even know what building they’re in.

I do not advocate the theft of IP for economic gain, but as cyber war rages on around us, I predict that Americans will come to appreciate that cyber operations can achieve our military and intelligence objectives far better than bullets and bombs. Cyber weapons are faster, more effective, safer, and orders of magnitude cheaper than kinetic weapons. Stuxnet penetrated where missiles cannot.

Indeed, the stigma associated with offensive cyber activity is breaking down, now that cyber attacks have exploded in frequency and scale. The banks are now asking the Feds to join the fight, so DHS, FBI and NSA are trying to figure out how to collaborate, without going to jail themselves for hacking or disclosing classified data.

"America's economic prosperity in the 21st century will depend on cybersecurity… Protecting this infrastructure will be a national security priority." - President Obama

This sea change presents great opportunities for startups to build a new ecosystem of cyber capabilities that actively defend our nation, and support our military and intelligence objectives. We’ve got the best security experts in the world. New startups are enabling the exchange of threat data, using honeypots to collect counter intelligence on foreign hackers, and deploying Hadoop clusters to track botnets. They even develop exploits around newly discovered vulnerabilities to deliver offensive payloads.

Over the next five years, our nation will embrace the capabilities of American hackers to fight back in cyberspace, securing our economy and our lives. Our Defense Department will need fewer bombers, missiles and d[...]
2013-06-03T06:11:09.738-07:00

TED is an organization devoted to Ideas Worth Spreading, mainly through the free distribution of 8-to-18-minute TED Talks - originally about technology, entertainment and design, but now TED covers heftier global topics such as climate change, poverty and education reform. TED hosts hundreds of events around the world but the main event is an annual invitation-only conference that attracts the most accomplished scientists, academics, politicians, writers, artists, inventors, entrepreneurs and entertainers.

TED 2013, which took place last week in Long Beach, CA, was my eighth TED. My best TED moments were conversations with Julia Sweeney, Michael Shermer, Sam Harris, Jill Bolte Taylor and Amanda Palmer.

As in prior years I have ranked the TED Talks below so that you can quickly decide which ones to watch. If you disagree with my rankings, please comment! For those of you who have pointed out my tardiness in publishing this year's list, I apologize. On the bright side, my review is so late that many of the talks are already available to watch on TED.com as you read this, so I have linked to those talks below.

This year the TED staff followed a new process for selecting TED speakers. Rather than simply invite interesting people, they attended TEDx events and selected the best speakers from those. The result was a set of TED Talks that were consistently more engaging and entertaining than in all prior years (especially compared to last year). The only downside is that fewer talks conveyed novel and important news or developments - many offered more form than substance.

So here are almost all of this year's TED Talks in order from best to worst (measured by TED Balloons even though the giant TED Balloon was mysteriously missing this year):

10 TED Balloons

Anas Aremeyaw Anas: This undercover journalist exposes horrible crimes in Africa, by inserting himself into prisons, hospitals, and other hotspots of abuse. He has exposed enough powerful bad guys that he had to wear a mask on the TED stage.

Lawrence Lessig: Lessig is such a strong, experienced lecturer that he has an unfair advantage being compared to other speakers! Lessig's talk on the need for legislative reform in Washington is riveting and compelling.

Jack Andraka: 15 years old, Jack invented a fast $3 method to detect pancreatic cancer, at a Johns Hopkins lab. He won the Intel Science Fair so I'm presuming it's real!

John McWhorter: This linguist presents a compelling argument on why we should all stop worrying about the decay of English skills among texting teenagers. He reviews the successful adaptation of language to other technologies, and considers how English still evolves today.

Eleanor Longden: Diagnosed with schizophrenia, Eleanor's life was "shattered" with medical treatments, discrimination and isolation. But Eleanor overcame the terror, talked to the voices, and began to understand them. She still hears the voices (even during her TED Talk), but she feels recovered, working as a psychologist herself and counseling people who hear voices.

Adam Spencer: Adam shares his enthusiasm for numbers. With lots of self-effacing nerd humor, he gets the audience laughing about math!

9 TED Balloons

Hyonseo Lee: A South Korean activist tells the story of her family's escape from North Korea.

Elon Musk interview: Elon needs no introduction from me. What a hero, and humble, too.

Taylor Wilson: At 14 he produced fusion, and now he's a Peter Thiel fellow. Ta[...]
2012-12-17T08:36:21.618-08:00

And here's Avery's latest film, "Trading Futures" which he wrote and directed. This courtroom drama features Avery's whole family, and also debuts the talented Sunil Nagaraj. (Sunil was working at his desk last Saturday afternoon when Avery was shooting and needed another actor, so Avery roped him into it.)