Well, I think most of us realize that security and entrepreneurship go hand in hand. All the major players in the industry are venture backed. Mostly those companies are too young to vote or drink, let alone screw with their customers. So if you're in security, at some point you're going to work for a startup, or you're going to buy products from a startup, or you're going to invest in a startup, or you're going to acquire one. So you want to know what's going to happen to all these startups. Is there room for more of them? Which ones will succeed? Today I'll discuss the long-term role of startups in the security ecosystem. But rather than speculate on the industry's future successes, because that's something I think many of you are probably more capable of doing than I am, or rather than hype my own investments, I think it's more instructive to highlight mistakes of the industry. Because unfortunately security doctors don't swear a Hippocratic oath to do no harm. And so far the results have been disastrous. So these are some of the questions that people ask me that I'll try to address today. So the next question is why dwell on the mistakes? Well, ten years ago Dan Farmer popularized the notion that we can't secure our networks if we don't openly air our vulnerabilities and errors. And just this week Michael Lynn reminded us of the same thing. A lesson that I think applies not only to information security, but also I believe to all challenging pursuits, including venture capital. And in case you think that I can only dish it out but I can't take it, you're welcome to take a look at the anti-portfolio that we at Bessemer published on our website. It's the only one of its kind in the industry. You can read in gory detail, if you like, about the frankly stupid reasons why we passed on the first investment rounds in Intel, FedEx, Apple, eBay, Google, and many others. Good lessons there for us. So this presentation is for investors who don't want to lose their capital.
Entrepreneurs who want to navigate the landmines. Engineers who don't want to make the wrong career choice. Chief information security officers and their staff who don't want to buy the wrong product. Also anyone with money in the bank who wants to keep it safe. And if that doesn't just about cover all of you, then I guess it's also for anybody who's looking to kill an hour between the two Fed presentations. Still, I expect that many of you came here looking for more positive direction on tomorrow's great inventions. I feel obliged to offer something inspirational here. So I've injected into my presentation some interstitial slides here and there offering up some great examples of entrepreneurial innovation. You'll see them popping up now and then. So I told you about some things that Bessemer Venture Partners has done wrong. Please give me just 30 seconds to tell you some things we've done right, in an effort perhaps to lend some credibility to my ravings about the industry. So here's the background. As the oldest venture capital practice in the nation, Bessemer has for nearly a century invested the family fortune of Henry Phipps, a 19th century entrepreneur who decided to reinvest his proceeds from the sale of Carnegie Steel into other tiny startups like W. R. Grace and Ingersoll Rand. More recently, Bessemer has funded the early stages of Parametric, Staples, Ciena, Cascade, VMX, Maxim, Veritas, Gartner Group, PerSeptive Biosystems, and Skype. We have about 60 employees with offices in California, Massachusetts, New York, Bangalore, and Shanghai. We are the most active early stage venture firm in information security. You can see here we've invested in 17 security companies. Some of them are ones that I'm sure you know, some you may be less familiar with, but one thing that's uncommon is that we work early on with experts in the security field to start these companies.
Folks like Paul Mockapetris at Nominum and Dan Farmer at Elemental, Bruce Schneier at Counterpane, Marc Maiffret at eEye, Gene Kim and Gene Spafford at Tripwire, and of course Ron Rivest at VeriSign. All but the three recent early stage investments that we've made here of the 17 are doing well. They all have run rates above $10 million. Five of them have gone public. One of them was acquired by Cisco, and among the 17 investments we've made, there hasn't been a single realized or unrealized loss. We have a dedicated security team at the firm, including myself; Devesh Garg, who ran Broadcom's security business unit; Chini Krishnan, who founded ValiCert; Chris Risley, who was CEO both of Nominum and previously of On Technology, which after going public, Symantec acquired; and just a broad, strong team of security professionals. In this team, we commit ourselves, we commit our time and our resources to maintaining a very rich dialogue with chief information security officers in the industry. Many of you are probably here, and you know firsthand that we do this, and we do that really to maintain a good pulse on the marketplace on behalf of our companies. Easier to spread. Let's see. Okay, so the biggest challenge for startups is that nobody wants to buy from startups. People want to buy products from big companies. They want to buy suites. And there are some very good reasons for this. Very valid reasons. Product suites from big companies offer integration at the console level. They offer integration at the appliance level, making security easier to deploy in a scalable fashion. These companies promise event correlation. And I think one day they might even deliver it. And of course they do offer better vendor viability than what a startup can do. So I'm just going to run through some slides that show you the product footprint of the major companies in the industry.
And you know, this is a taxonomy that we've developed internally to map out security products. And the data for each company are probably about six months old. We last updated at the end of 2004. But you get a feel for how the different companies have staked out their turf across the security landscape. Here you have Symantec and of course McAfee. Here's ISS. And as you can see, the large vendors each offer suites that cover different aspects, more than point solutions, but still they can't cover the whole landscape. And so what happens is that enterprises really often pick one suite and then fill in all the holes around the products that are offered by that suite vendor. So this is an inventive cold remedy. So then these big companies, they have these great suites and enterprises want to buy from them. So the question is why, what are we smoking? We keep funding all these startups out there to compete against them, and they have a hard time selling. And why do we do that? And here's our thinking. Our thinking is that there are two major reasons why the startups have to exist, and in the long run, as a group at least, have to thrive, at least some of them. And the first reason is that there are constantly new protocols, applications and platforms that are being deployed in the network. And every time a new one comes along, enterprises have to completely rethink their security, so security actually has to keep up with the new technology as quickly; it has to be the fastest changing element of the network because it has to move as quickly as everything else that's going on. And these are just some examples of protocols that enterprises are adopting now or started to adopt last year, and every one of these things introduces important new vulnerabilities that change the way enterprises have to think about security.
And then the second element is captured in this image here, and that is that security is very different from other elements of infrastructure. In other types of infrastructure, it's basically a battle of man versus nature. You're trying to iron out the wrinkles, trying to get the products to work better, and asymptotically these products approach perfection. The way that routers and switches today basically work: they don't crash, we have enough bandwidth, they basically work fine. But security isn't like that, because in security, every time a company releases a product, you've got many people who are actively trying to render it obsolete right away. They're creative and adaptive people. And if that's not enough, more recently the nature of that adaptation has changed, now that the enemy is motivated less by ego, mischief, and politics and motivated more by profit: profit from spamming, profit from extortion, profit from ID theft. The enemy now has the patience, the resolve, and the resources to continually escalate and continually adapt to the new products as they come out. And for this reason, we believe that it's absolutely imperative that we continue to have startups, entrepreneurial teams, who are innovating new defenses against the attacks. This is why I believe we've seen so much venture investment in startups. In the last two and a half years, we've counted, and we may not know all of them, but we've counted 477 distinct companies that have received venture funding during that time. Obviously, these companies aren't all going to be successful, but this level of innovation that's coming out of these 477 companies absolutely eclipses anything that's going on among the larger companies. So that's the role of the startup, and that's the role that we try to fund.
Now, with all these companies that are being funded, I'm sad to say that there haven't been any IPOs in the security industry since the beginning of 2003. There's a lot of money going in, and nothing really coming back to the hard-working employees and the not-so-hard-working investors in those companies. But what we do see is that, as we all know, mergers and acquisitions have really accelerated in the last couple of years, even beyond the peak of the bubble in terms of the number of deals and the number of dollars going to security companies. And that's because we have two types of companies in the ecosystem. We have the suite vendors who are great at integrating: integrated consoles, integrated appliances. That's their value to the enterprise. Then you have the small companies who are the innovators. They produce the new defenses. These are point solutions, but these are the new defenses. In order for the integrators to remain competitive, they have to assimilate the innovative solutions. And so, although journalists like to talk about what's happened in the last year as a consolidation in the industry, we don't view this as a phase of consolidation. We view this as a permanent fixture. This is going to persist. It's going to persist longer than the M&A string of Cisco, 3Com, Lucent, who all acquired networking companies. Because again, those networking companies, eventually those products worked and they matured, but the best you can ever hope to do with a security product is tread water. No mess, no waste. So now let me start to talk about why it is that we see some major bloopers and blunders in the industry. And it starts off with an analysis of people's state of mind when they buy products. And so I'm going to talk about reasons why people buy security technology, why they pick one product or another.
And the first reason, and this is one that I think we all agree is a very good reason, and one that a lot of attention has been spent on here at DEF CON: I understand how this technology will likely secure important assets from entire classes of attack at a reasonable cost. And here we like to think that this is the only reason that people choose one security product over another. But wait, there are more reasons. Here's one. Lots of other people seem to think that this technology works. I guess that means I need it. This common, weak-minded disposition to suspend skepticism explains a lot of the problems in our world beyond information security. Not only might others be wrong, and I'll point out some doozies today, but there simply is no one-size-fits-all security mix. Nonetheless, this kind of thinking does drive a lot of purchasing from the big security companies. Here's another brain malfunction that drives sales for Symantec and Cisco. If an attack brings our network down, I'll be okay so long as it brings everyone else's network down as well. So I'm just going to hide in the safety of the herd and buy whatever seems to be selling well, market it attacks today, or more importantly that the consequences of an attack to my enterprise are pretty much the same regardless of whether it hits others. Okay, why else do we see people flocking to Symantec and Cisco? Well, I got a good deal on a bundle. I bought that big router or appliance over there, and the vendor threw in some cheap or maybe even some free licenses. It might not work. It might inconvenience my users. It might even be another vector of attack. But it was cheap. My favorite example of this cheap bundle nonsense is antivirus licenses for servers. You know, the computers that nobody ever uses for email or browsing, and the signature AV companies actually charge extra for putting their AV products on those servers. Let's see. What's another reason? Oh, yes.
Okay, we need to convince somebody. It might be our chief security officer or a chief information officer or a chief executive officer, or maybe the board or our auditors or the regulators or our customers or maybe Congress. We have to convince somebody that we've got best practice security. Of course, best practices have been defined by somebody else. Those practices might imply working technology, but then again, they might not. Let's see. Our startups can also exploit this one as well as big companies. A nasty attack crashed our network, and so I've got budget to deploy a defense. And you can always spot these folks because they don't want to hear about how the product works. They just want to run a battery of attacks against the product to see if it defends against them. And these are the attacks that they suffered several months ago. And they seem to assume the next quarter's attack is going to be exactly the same as last quarter's attack. And so as long as this product stops last quarter's attack, they somehow think that they're protected. I can't believe how often I see this in accounts. It's rather frustrating. And then finally, the last reason is that there's always relationship selling. You know, the vendor threw a wild party, and so I should buy the product. Okay, well maybe that one's not such a bad reason. I'm going to move that up to the plus category. Let's see. Alright, so we see a lot of poor reasons why people choose security technology that doesn't work. So now what I'd like to do is really explain what I mean by bloopers, blights and blunders. And to do so I'm first going to define two distinct classes of security technology. There's, let's call it, the security technology that works and the security technology that sells. Now for those reasons we saw in the previous slide, these sets are not equivalent. Now, you know, my job at Bessemer is to find teams that have technology that works and fund them into companies that have technology that sells.
And of course that intersection is where all the great security companies thrive. But we also see a lot of security businesses with technology that doesn't work and technology that doesn't sell, and those all still get funded, and those are what I call bloopers. And I think blooper is a good name, because it's sort of an innocent mistake. Maybe they blow about 100 million, 200 million dollars of venture capital, but at least they didn't actually cost any customers any money, because nobody ever bought it. Okay, then the next category of disaster on the industry: these are the technologies that don't work, but for one reason or another everybody's buying them anyway. Right, and we'll talk about those. Now these cost the venture industry hundreds of millions of dollars developing these products, but more importantly they can cost the industry a billion dollars a year buying these products, not to mention the costs that they incur trying to mop up the mess when the products don't actually work. And I'll talk about some of those. And then I'm going to spend actually more time on the third category, because the third one is actually something that maybe we can do something about. One thing I should mention is that, the good news is, the blights inevitably stop selling. Eventually people figure it out, but it takes a long time and a lot of money is wasted. Now the next category are the blunders. These are the ones that really scare me. These are the ones where the technology doesn't work, but these are hot products. These are the ones that everybody's talking about, and these are the ones that even some big companies are bringing into accounts and everybody thinks are next year's products, and I would call them next year's blights, and I think we're going to see them on our landscape for quite some time, because there's a lot of momentum behind these technologies.
My hope is that by illustrating some of these disasters and exposing the blights and blunders, I can assist you in avoiding the mistake of making a bad investment, a doomed career choice, a wasted product purchase, or even a dangerous choice of online bank. Here's another invention, but this one might be a blooper. This is a mobile computing invention of some sort. Okay, so I think I have to move a little quicker through these slides. I'll start with the bloopers. So I think many of you may think this is wrong, and I look forward to some hearty debate, but the first, and by the way, these are past. I think these are proven. These companies tried to make a go of it and they failed. First there were startups who tried to build universal consoles, and a universal console is all about integration, not innovation. It's hard enough for the big companies to do it. It's really difficult for HP. It's impossible for a startup, and no enterprise is going to buy a universal console from a startup. Another area is enterprise DRM. So there's been some great work done here. Companies like Authentica and Alchemedia, which Finjan acquired. They built some great tools that allow you to understand what can happen, and you can revoke the rights later, and it's really great technology, but what the industry has learned is that people just will not change their behavior in order to curb rights on a document further down. Tumbleweed learned this, Slam Dunk Networks learned this, and now more startups are continuing to learn this, and I think it's safe to bet that Microsoft is going to provide good enough DRM in Office. But what happens is that enterprises, because the pain of an embarrassing leak is episodic and difficult to quantify in terms of damage, this category of product never stays in the top three concerns very long, and if you're not in the top three, then you ought to go home and figure something else to do. So the next area is enterprise DDoS protection.
It may be sorely needed, but the truth is that when you stop the traffic when it gets to the edge, it's too late. The only way you can protect yourself against DDoS is in the network. There are services you can buy, like the Prolexic service that Counterpane sells, but you know, Mazu and others have figured out that they need to do something different than DDoS protection at the edge. Again, these are all big venture capital investments. Here's another one: PKI. The benefits just never justify the expense. Sure, there are some applications like SSL, but in terms of trying to build applications on top of PKI yourself, it's just really not worth it, and personally I'm really pleased that VeriSign managed to buy Network Solutions and other businesses and diversify away from this. And then finally there's applet signing, and I'll talk a little bit more about this later, but basically applet signing is an example of just too much useless information. Other than the people in this tent, most people who look at the name on an applet have no idea whether that's someone they can trust or not, and so it really doesn't do any good. So there we've gone through the bloopers. Now the blights. These are the ones that are still doing well on the market, still selling well. First there's IDS, and we all know the problems with IDS. They generate alerts. Every year they get improved, which means they generate more alerts and more alerts, and they generate so many alerts that, speaking of too much useless information, that's what these things generate. And companies who use these are forced to either hire 24 by 7 teams of expensive experts to go through these, or outsource them to companies that manage all the alerts that are coming out of these IDSes. The second category is what I would call unmanaged firewalls. Managed and monitored firewalls, those are great, but what we've seen at Counterpane, where they manage and monitor hundreds
of enterprise networks, is that when they take over these networks, most of the firewalls, as you all know, are not configured; about half of them still have the default passwords in place. So half of the firewall industry is wasted money. And then there's my favorite, the server based signature AV, because, you know, in case somebody comes along and wants to start doing email on your WebSphere application server blade. Now on to the blunders, and I have really just sort of two slides on this. The first one is the... oh, I'm sorry, I forgot single sign on. There's another blight. So single sign on sounds great. It seems like a really good idea, but it turns out that it's really hard to integrate all your old apps and then keep all your new apps integrated and actually try to get the single sign on, which seems to work a little better. I liken these things to the universal remote control that I bought for my media system. It seemed like a good idea, but after a month or two it ends up being just one more remote control on the table to worry about, just too hard to keep programmed right. Now, by the way, there are some promising glimmers, companies like Incentuate that are making this a little easier, but I'm still very skeptical. So now the blunders. The first one is the supposed successor to intrusion detection. Everybody said okay, intrusion detection doesn't work, we need something that doesn't just generate alerts, it can actually stop the attack in real time, because it takes too long for the people to sort through the alerts. So intrusion prevention is the answer, and we saw a whole generation of these systems proliferate, and we even saw Cisco and McAfee buy Okena and Entercept from some very, very lucky investors, and they're bringing these things to market with a lot of gusto. The fundamental premise behind these products, which I find just laughable, is that
every attack creates a visible anomaly, and every anomaly indicates that there's an attack going on. If you don't believe that that's true, then it's inevitable that anomaly based intrusion prevention systems will cause false positives, and if they cause false positives, then you can be sure that the very first thing that's going to happen when some customer is blocked from a website is that the intrusion prevention system is going to be turned into monitor only mode. Guess what, now it's an IDS again, generating alerts for somebody to look through. Now there are some other problems with these things too that I mentioned. They're really slow because they have to look at all the traffic. They require weeks of training, so you can't deploy them right away. If anything changes on the server that you're watching, like the number of users or the applications or the configuration, then you have to retrain it. All in all, a very non-scalable solution, but the big killer is the fact that it has false positives. It just doesn't make sense, and it's not going to be in line. What's required here are intrusion prevention systems that have zero false positives. There are some on the market that use signature based approaches. Those of course have zero false positives, but they don't provide zero day protection. We believe this is a big area of opportunity. We funded a company called Determina that we believe has the solution to this space, and I expect that there will be other companies who tackle this as well. Okay, now my favorite. This one is a set of technologies that I see coming strong into the market, raising lots of venture capital and getting a lot of money, mostly from banks, to deploy them, and the damages from these blunders I think are going to be more costly than any others that we've seen. So I'm going to start with a list. The first one is the desire of vendors, the belief that people have that somehow there's some client software that people can give you, or some inbox software
that people can give you, that will prevent phishing at the inbox: a red, yellow or green light that knows which sites are phishing and which ones aren't. Well, the bottom line is that the software doesn't know that you think you're talking to Citigroup, and so unless you're only going to browse on a whitelist, which nobody wants to do, these red, yellow, green lights are not going to work. They assume that phishers are not going to adapt, that they're not going to change their IP addresses, that they're not going to use zombies in the United States that have IP addresses that don't look like they're coming from Russia. These are quite naive defenses. People sometimes think that they can apply rules to look at it and tell whether it's phishing. Well, the whole point of phishing is that it looks like a real email; it looks like a real site or a real email. There's just no way for technology to be smarter than a human being in terms of seeing those patterns. Then there are simple mechanisms that vendors come out with that defeat very certain phishing mechanisms, like URL masking. Again, these assume absolutely zero creativity or adaptation on the part of the phishers. They'll just get URLs that look like they're real URLs. If I saw the URL citigrouponline.com, I have no idea if that's a valid URL or not. And none of these phishing defenses help against new kinds of phishing attacks, like the bogus camera store that collects people's credit card information by selling cheap cameras. The way they get the traffic is by buying the keyword on Google for "camera"; they get the top placement and they get all this traffic coming in, people looking, oh, look at these cheap cameras, and then of course they use the credit cards they steal to actually pay Google for the keyword. That's my favorite part of it. Okay, next one. There's this idea that we want to empower the user, give the user more information: you're about to go to
a non-SSL page, this certificate's about to expire, there's a license agreement that you should read and sign, then you'll know what you're getting into. This is the person who signed this applet, this is the person who owns this domain, this is the person who's behind this email address. All these are attempts to give the user information and thereby empower the user to make decisions. The problem is, again, outside this tent no one knows what to do with that information. Some window pops up and says the certificate expired or they're about to browse somewhere else. What do they do? They don't know what to do, so they just go browse. The information becomes useless. Here's another last resort of the clueless. You see a lot of banks talking about this. The answer is educating the users. We just have to train people not to click on the bad stuff, and that's going to solve the phishing problem or the ID problem. How does that solve pharming, where the DNS is redirecting your traffic? Or how does it solve malware that redirects your browser somewhere else, or the bogus camera store? Educating the users is again a very naive and really negligent answer to protecting our bank accounts. Here's another thing we see. This is another attempt, hopefully, to stop phishing: authenticating the email source. Sender ID and DKIM and the other standards out there. Well, again, you're authenticating the source, but as we know, most of the people who register for those systems are actually spammers, so it doesn't really tell you anything about the behavior of the email. You might see some name behind the email source, but it doesn't give you any real good information. Okay, so what are the banks thinking? They're thinking okay, we have to provide stronger authentication. Passwords aren't good enough. We have to authenticate everybody who comes to our site, and we're going to have to do it with real strong authentication. Well, everyone knows that there are tradeoffs between security, convenience and cost, and
you can't apply the most inconvenient and the costliest security to everybody who comes to your website. You have to profile it. If you've ever flown El Al Airlines, you know how they do it. They only inconvenience a few people, not everybody. This is going to be an unscalable solution; it's going to be too expensive. Here's another mistake. They're focusing all their authentication efforts on the login. The login is the least dangerous part of the session. What about the part where I withdraw cash, or where I change my address? Those are the risky things, and it turns out that those are a very small number of sessions. If you focus the authentication on the risky transactions as opposed to the login, then again you have a much better way of focusing the security resources, the cost and the inconvenience on the sessions that matter. Banks think okay, we're going to use strong authentication because passwords aren't good enough. We'll use smart cards like the SecurID card or time based codes. I'm going to loop the next three together: we're going to use biometrics, fingerprints, to authenticate, or we're going to use watermarks to educate the user so that they know that this is a real site. Of course if you're logging in from a new computer, then we have to ask you some challenging questions and we have to authenticate you, and you know, we'll do that and then show you the watermark. Well, these last three, these are all really expensive, not the last one so much, but those first two. Two factor authentication has a total cost of ownership of twenty dollars per user per year. That would be okay maybe if they worked, but all three of these defenses are all defeatable by either man-in-the-middle attacks, so all the phishers have to do is, while they're collecting your data, your time code or your biometric information, they're turning around and logging into your bank at the same time, and they can do the same thing with the watermark, sit in between and get the watermark,
or they're also subject to malware based slipstreamers, so malware that sits on your computer and then waits for you to log in using all of this expensive technology and then just takes over your session, does something on your PC or hands it over to somebody else. And those attacks are out there. They may not be very common, but you can be sure that when Bank of America deploys these defenses, those attacks are going to become a lot more common. No reason why not. So this is why I've stopped banking online. My money's not safe. Now I feel like I want to give some prescription as to how I think this is going to get better. I think the landscape is going to be blighted for some time, but eventually what banks are going to learn to do is they're going to learn to authenticate the transaction, not the login. They're going to learn to profile the transaction, profile the user, profile the session. Where is this coming from? Is this an IP address we've seen before? Is this what we'd expect the customer to be doing? Is this just a dangerous transaction? Is this a change of address transaction, which is dangerous, or is this just somebody looking at his or her balances? And then depending upon how dangerous it is, we're going to escalate the response. We're going to have costlier and costlier and more and more inconvenient security based upon the risk, with the penultimate authentication being not two factor authentication but multi-channel authentication, because two factor authentication doesn't work if the channel itself has been compromised, which is what malware does to a PC. Smart cards, biometrics, the reason they don't stop malware or slipstreaming is because the channel has been compromised. But if you do multi-channel authentication, then you defeat those mechanisms, unless the attacker is able to identify the two simultaneous channels and compromise them, which is many, many years out from now. And I'll say there actually are a set of
startups that are now starting to deliver this kind of technology although I think it's going to be a while before banks recognize it Authentify and Sciota have joined together to provide a service to banks so that they can do this for their online banking a very cheap scalable solution so the question is what does it mean to authenticate the transaction I'll just take the Authentify Sciota solution for a second and illustrate somebody comes to the bank and logs in just let them use a password it's not the most secure thing in the world but it's okay let them use the password by the way keep track of how many times it took them to get in if it took them a long time because they had to do many passwords that increases the risk of course then see what are they doing in the bank account if they're just looking at their balances then maybe the password security is enough but if they're trying to do something else then you want to escalate the security maybe you want to ask them some challenge and response questions before they look at their balances maybe they're doing something more dangerous like changing their address in which case you want to ask them more challenge and response questions maybe they're trying to actually move cash out of the account at which point you say okay because this transaction is a risky transaction we're going to give you a code 3174 and now we're going to say we know three telephone numbers that you've got on record home, cell and work which one do you want us to call you don't say the number you just identify which one your phone rings a computer calls you up and says do you want to do you want to do you want to authorize the transfer of $50,000 to the Boys and Girls Club of Belfast and then you know if so enter the code on your web session and if you enter 3174 then that authenticates that very specific transaction so you're authenticating the transaction you're showing this is what I wanted you to do rather than authenticating the 
session and then allowing somebody else to wreak havoc on the session and it also limits the security focus to just the risky transactions so answer the question okay so more advice for email providers restore credibility to email not through domain authentication but through behavior tracking and I think this is going to be the domain of some interesting startups like maybe Goodmail and habeas where they actually track the behavior of email senders and then use that reputational data in order to make judgments as to whether somebody is a spammer or a fissure you know there's a the major there's a bigger downside to spam and fiss than the fact that our email is untrustworthy and that's the fact that our trusted relationships banks and e-commerce partners can no longer use email to talk to us two years ago if city banks sent me a message I would have responded of course today who would respond to a message from city group or fidelity on their email email is a lost cause we have to somehow fix that question does behavior tracking step far beyond the boundaries of privacy that's the question well yes just in the same way that questions at the airport intrude upon your privacy for that as well you know I think that people who want to send you email like city bank or amazon they're going to be okay with the idea that somebody is tracking their behavior and there may be situations where it steps beyond the bounds but you know if somebody I don't think any I can't imagine where a company is going to have a problem if it's tracking phishing activity and somebody overseas and saying this is an IP address that you want to be careful about are there legal loopholes that weaken the business model yeah well there it's possible those would have to be you know litigated okay let's see last one end user security tools we have to get over this idea that the answer to security is to give the user more information and empower them we have to start thinking about what we can do to 
help the user make judgment calls is this a license agreement you want to click on is this an email form that you want to put your email address in or is this going to generate a lot of spam is it okay to navigate to this site we're going to see more and more we're going to see companies coming out with warnings that help us make those decisions that highlight links that are going to bring us to a site or warn us when we're going to do something that maybe we want to think twice about that is much more useful end user security another idea we're always trying to think about where there are opportunities to make the security industry better I can share with you these are some of the questions that we ask ourselves these days about whether there are opportunities and these are things I'd love to hear from people here at DEF CON about questions like do we build accurate and reputational services for email, for IP addresses for ISP behavior so that you know which ISPs are good internet citizens and which ones aren't are there security vulnerabilities to RSS and ATOM that require some kind of security mechanisms I don't know what those would be but my guess is that there are some vulnerabilities there and then one that I'm very concerned about and that is SPAM on my VoIP phone SPAM on my inbox that's sort of a hassle but SPAM on my VoIP phone that is just downright obnoxious because my phone is going to ring every time somebody wants to sell me something and I can't apply Bayesian rule filters like I can with SPAM because you don't know what the message is until the phone rings this is an area where I think there's room for some great reputational services or something to solve this problem I put here on the slide my coordinates for contact you can hear me blather more in my blog at whohastimeforthis.blogspot.com where I love to discuss blights and blunders and so please visit my blog and then I'd like to close with a little anecdote this by the way in case it's not 
clear this is an indoor sundial let's see so that one's my favorite okay so you know so to a large extent venture capitalists like me we play a role in the ecosystem of being gatekeepers for capital as to which of these security projects are going to get funded and so it's our job to try to spot these blunders before they happen to initiate the market that exists out there and all the innovation that's there and so I am not cynical about the number of startups that are being funded I think it's a good thing and what I want in the story I wanted to tell you happened the Saturday night after I made my 12th security investment in a company called CYOTA my wife Natalie took me out to the movies that Saturday night to see born supremacy and we were going to this theater in Mountain View with a lot of movie theaters in it and thanks to Fandango we righteously walked right past the long lines of teenagers and we go into the lobby and I'm trying to explain to Natalie why it is that these companies I'm investing in they're not the same company over and over it looks like you just keep investing in the same thing over and over again she saw those same 17 companies I put up on the page and when I tell her what they do they all sound exactly the same to her and she said why do you do this I'm trying to figure out how to explain to her why I keep doing this in this movie theater they implemented a security mechanism to prevent movie theft instead of collecting tickets at the front like they used to well they had a problem that people would go see a movie then they'd come out in the lobby then they'd go see another movie so they moved the ticket collection out to the hallways coming off the lobby and then after a movie they usher everybody out to the lobby so if you want to go back in you need to give a ticket no ticket, no movie that's the security mechanism so I thought okay there's got to be vulnerability here so I said watch this I walked over to the front door and then I 
preferred my hand out and muttered as nonchalantly as I could tickets, tickets and a bevy of teenagers approached and the first one gave me his ticket that was the riskiest but then the rest of them were cake I mean they were jabbering on about football games and SAT prep and meanwhile their tickets were just accumulating in my hand not looking at me so a good five minutes as they wafted over to one of the ticket stands and they got to the ticket stand and then literally they spent another two minutes among them trying to figure out which one of them had the tickets because they forgot that they gave me the tickets at the door and then by then they figured out that they'd been fished they turned around and I was there, I returned their assets and unfortunately they didn't kick mine so you know my wife understood that security is hard and that's why I like most of the people in this room I imagine really find it so intriguing as we we should all keep in mind that as we craft new technologies we're all going to make mistakes now and then but that's okay so long as we critically assess our bloopers before they bloom into full-blown blunders thank you very much we have time for a question no one question yes I mentioned I didn't say verisign was a blight the question is why did I mention verisign as a blight oh why didn't die oh PKI is a blight there are certain aspects of PKI by the way like SSL that work great I mean SSL is terrific SSL you know there wouldn't a lot of e-commerce would have been stalled if it weren't for SSL verisign those in a lot of other businesses besides PKI you know they're in the registry business they're in the wireless building business they're in a lot of business and also in a lot of security businesses a lot of outsourced security services so verisign is a lot of good things I think PKI is just was just a technology that was just you know never justified it justified the the hassle okay thank you
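The transaction-bound, risk-escalating authentication flow the talk describes for online banking (password login, escalation by transaction risk, an out-of-band phone call reading a code that is tied to one specific transfer), as an added example in Python. This is not the speaker's code nor the Authentify/Cyota product; the risk weights, escalation thresholds, `Session` fields and every function name are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed risk weights per action; the escalation thresholds below are assumptions too.
ACTION_RISK = {"view_balance": 0, "change_address": 2, "transfer": 3}

@dataclass
class Session:
    user: str
    ip: str
    failed_logins: int                 # how many tries it took to get in
    known_ips: frozenset               # addresses this customer has used before
    phones: dict                       # label -> number on file; only labels reach the web channel
    pending: dict = field(default_factory=dict)   # transaction fingerprint -> one-time code

def risk_score(s: Session, action: str) -> int:
    """Profile the transaction, the user and the session, as the talk describes."""
    score = ACTION_RISK[action]
    if s.ip not in s.known_ips:
        score += 1                     # never seen this address for this customer
    if s.failed_logins >= 2:
        score += 1                     # many password attempts raise the risk
    return score

def required_auth(score: int) -> str:
    """Escalate: password only, then challenge questions, then a second channel."""
    if score <= 0:
        return "password"
    if score <= 2:
        return "challenge_questions"
    return "out_of_band"

def txn_fingerprint(action: str, amount: int, payee: str) -> str:
    """The code is bound to this exact transaction, not to the login session."""
    return hashlib.sha256(f"{action}|{amount}|{payee}".encode()).hexdigest()

def start_out_of_band(s: Session, action: str, amount: int, payee: str,
                      phone_label: str, code: str = "") -> str:
    """Record a one-time code for the transaction; return the voice prompt for the chosen phone."""
    code = code or f"{secrets.randbelow(10_000):04d}"
    s.pending[txn_fingerprint(action, amount, payee)] = code
    return (f"Calling {s.phones[phone_label]}: authorize {action} of ${amount:,} "
            f"to {payee}? If so, enter {code} on your web session.")

def confirm(s: Session, action: str, amount: int, payee: str, entered: str) -> bool:
    """Accept only if the code matches the pending record for this same transaction (one attempt)."""
    expected = s.pending.pop(txn_fingerprint(action, amount, payee), None)
    return expected is not None and hmac.compare_digest(expected, entered)
```

A code confirmed for one payee and amount is useless for any other transaction and cannot be replayed, which is the property that defeats a slipstreaming session hijack.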