Congrats to Zhen, who joins Smule today, after submitting the resume below. Zhen used Smule's Sing! app to compile his resume from 7 original tracks of vocals, violin and guitar.
Monday, 31 March 2014
Wednesday, 26 February 2014
Cyber Soothsaying: Where There's a Way, There's a Will
This week, the RSA Conference draws its annual pilgrimage of data security professionals seeking insights on market and technology trends. As a seed-stage security investor in this industry, it has been my job to predict the future of cybersecurity, and so now’s a good time to share two important rules that have served me well:
(i) Follow the Money: what’s the most lucrative opportunity emerging for hackers today? Identify the hacker’s next big opportunity, and you know who will need to respond! This rule, for example, steered me toward spam in 2002 (Postini), online banking theft in 2004 (Cyota), geopolitical warfare in 2009 (Endgame) and DDoS attacks in 2013 (Defense.Net).
(ii) Where There’s A Way There’s A Will. Physicists know that if a natural phenomenon can exist, then most likely it does. The cyber corollary is that vulnerabilities in the wild WILL be exploited – it’s only a matter of time. Poisoning the DNS, using the cloud to factor large numbers, and streaming smartphone microphones were all considered theoretical attacks, until they weren’t. Whenever we dismiss vulnerabilities as too difficult to exploit, hackers eventually humble us with their ingenuity.
Just this week we saw two important examples of this rule in action. The first is Apple’s confirmation of a glaring deficiency in their implementation of SSL that means we’ve been kidding ourselves about how secure the Mac and iPhone really are. The software engineers at Apple are mortal, and just as prone to the inevitable security lapses that plague any complex system.
The second example is a blog post by RSA about new malware on Android phones that coordinates with web-based attacks to hijack banking sessions. I have been expecting this “innovation” since 2005, when I predicted that banks, plagued by the security shortcomings of passwords and biometrics, would adopt and embrace out-of-band authentication for any risky transaction:
That's why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction ("This is Wells Fargo--please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast"). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it's secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).
This prediction turned out well: 2-channel authentication has since become standard procedure for banks, application developers and consumers, thanks largely to three investments I made back then:
1. If you’re a bank… Cyota (acq. by RSA) is the market leader in assessing your transactions for risk so they can be escalated for authentication;
2. If you’re a developer… Twilio is the market leader in enabling apps to launch phone calls or SMS messages for out-of-band authentication (this may be Twilio’s single largest use case); and
3. If you’re an individual… Lifelock leads the Identity Theft market, by contacting you through multiple channels when they spot a risky transaction involving your Personally Identifiable Information.
However, as I parenthetically noted in 2005, it’s theoretically possible to “commandeer affiliated phone lines” in order to defeat 2-channel authentication. This seemed like a pretty far-fetched idea 8 years ago, but sure enough where there’s a way there’s a will, and bank accounts are where the money is! So I wasn’t too surprised to hear from RSA that hackers now intercept your SMS messages and phone calls in order to defeat the banks’ security mechanism.
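As an added example (not code from the post, nor from Cyota, Twilio or any other company named here), this is the server side of the 2-channel authorization the post describes, written so that the confirmation code is bound to one specific transaction and the out-of-band message states the exact amount and payee being authorized. Here the code travels to the phone and is typed into the web session, the mirror image of the post's phrasing; the binding works the same in either direction. The account numbers, payee names, phone number, server secret and two-minute lifetime are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120  # assumption: a code is valid for two minutes


@dataclass
class PendingTransfer:
    txn_id: str
    account: str
    payee: str
    amount_cents: int
    code_hash: bytes      # only a keyed hash of the code is stored server-side
    issued_at: float
    used: bool = False


class TwoChannelAuthorizer:
    """Server side of a 2-channel transaction authorization (constructed example)."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock                      # injectable so expiry can be tested
        self._pending: dict[str, PendingTransfer] = {}
        # (phone, text) pairs handed to the second channel (voice or SMS gateway)
        self.outbound_messages: list[tuple[str, str]] = []

    def _code_hash(self, txn_id: str, code: str) -> bytes:
        # Keyed hash over transaction id and code: the same code presented for a
        # different transaction yields a different hash, so it cannot be reused.
        return hmac.new(self._secret, f"{txn_id}:{code}".encode(), hashlib.sha256).digest()

    def request_transfer(self, account: str, payee: str, amount_cents: int, phone: str) -> str:
        """Record the transfer exactly as requested and send the code out of band."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = PendingTransfer(
            txn_id, account, payee, amount_cents,
            self._code_hash(txn_id, code), self._clock(),
        )
        # The message on the second channel spells out what is being authorized,
        # so a user whose web session shows something else can refuse.
        text = (f"Enter {code} to authorize a transfer of ${amount_cents / 100:,.2f} "
                f"from account {account} to {payee}.")
        self.outbound_messages.append((phone, text))
        return txn_id

    def confirm(self, txn_id: str, code: str) -> tuple[bool, str]:
        """Apply the code to the stored transaction, not to whatever the client now claims."""
        p = self._pending.get(txn_id)
        if p is None:
            return False, "unknown transaction"
        if p.used:
            return False, "code already used"
        if self._clock() - p.issued_at > CODE_TTL_SECONDS:
            return False, "code expired"
        if not hmac.compare_digest(p.code_hash, self._code_hash(txn_id, code)):
            return False, "code mismatch"
        p.used = True
        return True, f"authorized {p.amount_cents} cents from {p.account} to {p.payee}"


if __name__ == "__main__":
    bank = TwoChannelAuthorizer(b"constructed-server-secret")
    txn = bank.request_transfer("1234", "Boys and Girls Club of Belfast", 5_000_000, "+1-555-0100")
    phone, message = bank.outbound_messages[-1]
    print(f"to {phone}: {message}")
    code = message.split()[1]            # the user reads the code off the phone
    print(bank.confirm(txn, code))
```

Because the server authorizes the transaction it recorded, a hijacked web session that rewrites the payee after the code was issued gains nothing: the code either matches the recorded transfer or it matches nothing. What this check cannot do is protect the second channel itself, which is the gap the post goes on to describe; a code that is intercepted on the phone is still a valid code, so the phone-number change and device enrollment paths deserve the same scrutiny as the transfer path.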
It is natural that hackers focused on this attack vector because so few IT people understand the perils of mobile malware. Enterprises are busy deploying MDM and app-wrapping products, but they ignore the rampant spread of malware that renders those solutions useless. If I root your phone and ship home screenshots every minute that you run SalesForce, what good are the MDM and MAM products? (Lucky for Airwatch, they sold out before customers caught on to this.)
This is why I funded Mojave Networks – the only company specifically building a cloud-based smartphone security service, which filters out mobile malware during both download and execution, as well as providing URL filtering, data leak prevention, and enterprise cloud app visibility.
At the time I invested, many people warned me that mobile malware is simply not a big concern. But see Rules 1 and 2 above! Smartphones house our most precious secrets, and there are so many easy ways into them. I’m predicting that enterprises and governments will quickly understand this, and scramble to secure their employees’ phones just as they do their (larger) computers.
If you want to join me in predicting the future of cyberspace, look for the money chasing hackers, and pay more heed this week at RSA to the warnings of security gurus, since no vulnerability is too hard to exploit. Where there’s a way, there’s a will.
Thursday, 9 January 2014
Bessemer's New Office in Minecraft
As BVP expands its global footprint, today our firm announced the opening of an office in an important new geography: Minecraft. With 35 million broadband-connected residents, growing at 100% per year, Minecraft has become a hotbed of innovation.
You can get to Bessemer's new office by pointing your Minecraft client to mc.bvp.com. Or, thanks to the recent integration of Twitch.TV into Minecraft, you can tour the office through this video below. (The thumbnail shows SkySat-1, the first geo-imaging sat launched by Skybox, currently imaging Bessemer's new office.) The video tour was shared on Twitch by my sons Avery and Eliot, who built the new office for BVP, on time and on budget!
Entrepreneurs with new ways to farm pigs, fabricate redstone circuitry, or defend against creepers can submit their business plans into a /kit in the office lobby. We even have office hours Wednesdays at 10am pacific. See you there!
Tuesday, 5 November 2013
The Internet's Neighborhood Watch
The Neighborhood Watch dates back to July 1, 1700 in Colonial Philadelphia with the passage of the Safe Streets bill. With no police department yet established, citizens took turns as the appointed watchmen to "go round ye town with a small bell in ye night time, to give notice of ye time of night and the weather, and anie disorders or danger."
In many ways, cyberspace today feels like Colonial Philadelphia - fraught with "disorders and dangers" and no police force capable of apprehending the offenders. No wonder then that last February President Obama signed an executive order calling on Americans in the public and private sector to establish the equivalent of a cyber Neighborhood Watch:
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing..."
But sharing cyber threat data is shockingly rare, despite the fact that for the last two decades, hackers have steadily organized a vibrant industry around the tools and services needed to launch cyber attacks -- credit card credentials, script kiddies, zero day vulnerabilities, bot armies, and other staples of cyberwarfare are sold through web sites and channels similar to those associated with legitimate IT purchases. And yet up until 12 months ago, when a wave of cyber attacks against US banks, government agencies and media sites exposed our economy's soft underbelly, no enterprise would ever voluntarily discuss its security infrastructure, let alone acknowledge a breach or even an attack, lest they worry their constituents.
But in those 4 months from October 2012 to February 2013, everything changed. A steady drumbeat of DDoS attacks rendered our banks offline and, for the first time, account holders demanded that their banks openly address the problem. In a novel gesture of transparency and collaboration, Bank of America actually asked the Feds for help.
The US has responded by organizing industry and government to start collaborating, so that cyber attackers, as they are detected, cannot simply jump from target to target. Twenty-nine federal agencies today share real-time threat data stemming from cyber incidents through an exchange integrated with all the heterogeneous security infrastructure across those agencies. Suspect IP addresses, bad app signatures, malicious domain names, fraudulent host names, and other types of black lists are now updated in real time to broadly deflect attacks as they are discovered.
Furthermore, this federal "ActiveTrust Exchange" has now been opened up to large commercial enterprises, including financial institutions (like BVP) and some mega Silicon Valley tech companies. The President's vision of a national Neighborhood Watch is now a reality.
[Photo: Paul Ferguson, VP Threat Intel]
IID now sells various services and intelligence feeds, but the primary product is membership in the ActiveTrust exchange. ActiveTrust includes highly sophisticated governance modules to anonymize and regulate what you share (to satisfy the lawyers) and what you ingest (to weed out the George Zimmermans from your Neighborhood Watch).
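As an added example (not IID's or ActiveTrust's code; nothing here reflects how their governance modules actually work), this miniature indicator exchange shows the two controls the paragraph describes. On the sharing side, the contributor is replaced by a keyed-hash pseudonym and only an allow-listed set of fields leaves the member's internal report, so victim hosts, analyst names and ticket numbers cannot leak. On the ingestion side, a consumer promotes an indicator to its own blocklist only once the trust-weighted reports from members it has chosen to believe reach a threshold. The member names, trust weights, indicators and pseudonym key are all constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import re
from collections import defaultdict

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Addresses that usually identify the reporter's own network rather than an attacker.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def normalize_indicator(value: str) -> tuple[str, str]:
    """Return (normalized value, 'ip' | 'domain') or raise ValueError if unshareable."""
    value = value.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        if _DOMAIN_RE.match(value):
            return value, "domain"
        raise ValueError(f"not an IP address or domain name: {value!r}")
    if any(addr in net for net in _NON_ROUTABLE):
        raise ValueError(f"refusing to share non-routable address {value}")
    return str(addr), "ip"


class IndicatorExchange:
    """A miniature threat-indicator exchange (constructed example, not IID's product)."""

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        # indicator -> {contributor pseudonym: confidence}
        self._reports: dict[str, dict[str, float]] = defaultdict(dict)
        self._trust: dict[str, float] = {}   # pseudonym -> weight chosen by this consumer

    def pseudonym(self, member: str) -> str:
        # Keyed hash: stable so a member can build reputation, not reversible by peers.
        return hmac.new(self._key, member.encode(), hashlib.sha256).hexdigest()[:12]

    def share(self, member: str, internal_report: dict) -> dict:
        """Publish an indicator; the returned record is the only thing other members see."""
        indicator, kind = normalize_indicator(internal_report["indicator"])
        # Allow-listed fields only: victim_host, analyst, ticket and anything else
        # in the member's internal report are deliberately not copied.
        record = {
            "indicator": indicator,
            "kind": kind,
            "source": self.pseudonym(member),
            "confidence": float(internal_report.get("confidence", 1.0)),
        }
        self._reports[indicator][record["source"]] = record["confidence"]
        return record

    def set_trust(self, member: str, weight: float) -> None:
        """Weight this consumer assigns to a member's reports (0 = ignore entirely)."""
        self._trust[self.pseudonym(member)] = weight

    def blocklist(self, min_weight: float) -> list[str]:
        """Indicators whose trust-weighted confidence reaches the consumer's threshold."""
        out = []
        for indicator, sources in self._reports.items():
            score = sum(self._trust.get(src, 0.0) * conf for src, conf in sources.items())
            if score >= min_weight:
                out.append(indicator)
        return sorted(out)


if __name__ == "__main__":
    ex = IndicatorExchange(b"constructed-pseudonym-key")
    for member in ("bank-a", "bank-b"):
        ex.set_trust(member, 1.0)
    ex.set_trust("newcomer", 0.2)
    print(ex.share("bank-a", {"indicator": "203.0.113.7", "confidence": 0.9,
                              "victim_host": "db01.bank-a.internal", "analyst": "jane"}))
    ex.share("bank-b", {"indicator": "203.0.113.7", "confidence": 0.8})
    ex.share("newcomer", {"indicator": "Malicious.Example.", "confidence": 1.0})
    print(ex.blocklist(min_weight=1.5))
```

Without the ingestion threshold, a single low-reputation member could push any address onto every other member's blocklist, turning the exchange itself into a denial-of-service tool against whoever it names; the per-source weight and the rejection of non-routable addresses are what keep that in check. Building the shared record from an allow-list rather than deleting known-sensitive keys is what makes the anonymization auditable: a field that is not named in the record shape cannot leak no matter what the internal report contains.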
Based on the success of these recurring revenue services, IID has profitably bootstrapped. But the government's collaboration initiative is so important to the viability of the internet that I'm proud to report that I've reached out to IID and Bessemer has just led their first round of venture capital. The Company is now very well funded to invite many more members to join ActiveTrust, starting with critical infrastructure.
I invite you to contact sales-AT-internetidentity.com to apply for membership in ActiveTrust. Let's work together "to give notice of ye time of night and the weather, and anie disorders or danger."
Wednesday, 9 October 2013
Richard Dawkins and Atheist A Cappella
Richard Dawkins is a frequent visitor to the Bay Area, often stopping at Kepler's to sign books, or speaking at schools (today he taught evolutionary theory to the students at Nueva). In 2009, while he was here for a book tour for Greatest Show on Earth, I hosted a fundraiser for his foundation, for which I organized the first ever atheist a cappella group from among singers I know who tire of crooning about saviors and magical births. Having read Dawkins' book Climbing Mount Improbable, we called ourselves Hereby Chants.
Well this Sunday the Hereby Chants had the honor of delivering an encore performance for Richard at a private lunch for his foundation's supporters, and here it is...
[Photo credit: Steve Jurvetson]
Saturday, 5 October 2013
An Appetite for Wonder: The Making of a Scientist
Tonight I had the honor of introducing Richard Dawkins at a Kepler's Bookstore book-signing for his memoirs An Appetite for Wonder: The Making of a Scientist. Here are my notes from the intro:
Good evening! I’m your neighbor David Cowan, and with Thanksgiving only 6 weeks away, it’s my job tonight to share with you 6 reasons why we are all very fortunate.
First, we are fortunate to have Kepler’s in our community so we can meet our literary and scientific heroes.
Second we are fortunate because tonight we have a visitor, Richard Dawkins, who ranks among the handful of greatest scientists of our generation. From his perch at Oxford, Professor Dawkins has advanced evolutionary biology, and authored several of the best-selling science books ever published, including Extended Phenotype, Selfish Gene, Blind Watchmaker, Unweaving the Rainbow, Devil’s Chaplain, and God Delusion, which has sold millions of copies.
Another book of his, Climbing Mount Improbable, taught me our third good fortune tonight: that after billions of years of chaos, life sprung on our little planet, our species emerged from a trillion accidents of nature, and the organisms sitting in this room won the lottery of conception. (You may notice that these fortunes are not necessarily presented in any increasing or decreasing order of magnitude.)
And now he’s written his memoirs, An Appetite for Wonder: the Making of a Scientist, and we are quadruply fortunate that after multiple visits here, Kepler’s remains one of Richard’s favorite places to meet his readers.
The first chapter of his memoirs recounts his family history in which Clinton George Augustus Dawkins, consul to Austria and not yet a father in 1830, was fired upon by a cannonball that just barely missed his privates. Naturally, that is good fortune number five for us tonight.
The memoirs go on to document the intellectual development of Earth’s most famous atheist, from humble beginnings on a country farm, and parents who lived sparingly in order to afford the finest education for their children. Reading about the collision of his Anglican indoctrination with natural evidence and common sense evoked strong memories of my own religious upbringing, as I’m sure it would for many of you. He writes:
“I was intensely religious around the time I was confirmed. I priggishly upbraided my mother for not going to church. She took it very well and didn’t tell me, as she should have, to take a running jump.”
But soon Young Richard (or Clinton, which we now know to be his true name) started to question the institutional rituals around him. This is my favorite chapter…
[p. 140] “I was especially incensed by the hypocrisy of the General Confession in which we mumbled in chorus that we were miserable offenders. The very fact that the exact words were written down to be repeated the following week, and the week after and for the rest of our lives (and had been so repeated since 1662) sent a clear signal that we had no intention of being anything other than miserable offenders in the future.”
But Richard retained his belief in a Creator God, and as a teenager he did continue to worship.... Elvis Presley, that is. Richard privately impersonated the rock and roll legend, and remembers buying the album I Believe.
[p. 142] “I listened with delight – for my hero sang that every time he saw the wonders of the world, his faith was reinforced. My own sentiments exactly!... I sort of half believed that in this unexpected record, Elvis was speaking personally to me, calling me to devote my life to telling people about the Creator God.”
Skipping down to our 6th and final good fortune tonight…
“I became increasingly aware that Darwinian evolution was a powerfully available alternative to my creator god as an explanation for the beauty and apparent design of life. It was my father who first explained it to me… But eventually a friend – one of the two, neither of them biologists, in whose company I later refused to kneel in chapel – persuaded me of the full force of Darwin’s brilliant idea and I shed my last vestige of theistic credulity, probably at the age of about sixteen.”
Because Richard refused to kneel in chapel, his housemaster Peter Ling summoned his parents for a heart-to-heart talk over tea.
[p. 143] “Mr. Ling asked my parents to try to persuade me to change my ways. My father said (approximately, by mother’s recollection): ‘It is not our business to control him in that sort of way, that kind of thing is your problem, and I am afraid I must decline your request.’”
Richard hasn’t kneeled since then. As Oxford University’s very first Professor for Public Understanding of Science, he has become a powerful agent of social change through his discoveries, lectures, and books. He promotes science education and science-based policy through his private foundation, daily tweets and even last week’s appearance on the Daily Show.
So, neighbors, if you feel as fortunate as I do tonight, please join me in giving a warm Kepler’s welcome to our visiting Biologist, Author, Teacher, Social Activist, Tweeter, and Elvis Impersonator, Professor Clinton Richard Dawkins!
Wednesday, 28 August 2013
The Coming Wave of Cloud Security Startups
This is a reprint of an article I wrote this week for MIT Technology Review.
Our growing computer security problems will create many new companies.
The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants.
Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved. The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Cybersecurity is a never-ending Tom and Jerry cartoon. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete.
As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups. Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. I think that in the coming years we will see many small, creative teams of security engineers successfully discovering, testing, and building out clever new ways to secure cyberspace.
Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing. In a transformation that eclipses even the advent of client–server computing in the 1980s, businesses are choosing to subscribe to services in the cloud over running software on their own physical servers. Incumbents in every category of software are being disrupted by cloud-based upstarts. According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars.
Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years.
Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date. Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks.
The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products. Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source.
These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.
Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing them for malware, phishing, data leaks, and bots. In addition, we see startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices.
Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage. Some security auditors and security companies already sell into this market, but most cloud developers, focused on strong customer growth, have been slow to deploy strong security. Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.
Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like the one a German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks; and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups. For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDoS attacks.
Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.