Sneak peeks at my new startup at RSA

Confusion

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help.

My new startup is getting ready to show our product to friends at RSA. We’re building tools for enterprise leaders to manage their security portfolios. What does that mean? By analogy, if you talk to a financial advisor, they have tools to help you see your total financial picture: assets and debts. They’ll help you break out assets into long term (like a home) or liquid investments (like stocks and bonds) and then further contextualize each as part of your portfolio. There hasn’t been an easy way to model and manage a portfolio of control investments, and we’re building the first.

If you’re interested, we have a few slots remaining for meetings in our suite at RSA! Drop me a line at [first]@[last].org, in a comment or reach out over linkedin.

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current.

Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned a great deal about what happens when you’re pitched while I was at a large company, and I can vouch for the realities he puts forth. The sooner you understand those realities and incorporate them into your thinking, the more successful we’ll all be.

After meeting with dozens of startups at Black Hat a few weeks ago, I’ve realized that the vast majority of the leaders of these new companies struggle to articulate the value their solutions bring to the enterprise.

Why does John’s advice make us all more successful? Because each organization that follows it moves towards a more efficient state, for themselves and for the folks who they’re pitching.

Getting more efficient means you waste less time per prospect. When you focus on qualified leads who care about the problem you’re working on, you get more sales per unit of time. What’s more, by not wasting the time of those who won’t buy, you free up their time for talking to those who might have something to provide them. (One banker I know said “I could hire someone full-time to reject startup pitches.” Think about what that means for your sales cycle for a moment.)

Go read “An Open Letter to Security Vendors” along with part 2 (why sales takes longer) and part 3 (the technology challenges most startups ignore).

Adam’s new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog.

Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company:

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about in the New School book that inspired this blog.

and about a job opening, “Seeking a technical leader for my new company:”

We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity and that we’ll have to build infrastructure as we grow.

This person might be a CTO, they might be a Chief Architect. They are certainly an experienced leader with strong references from peers, management and reports.

Lessons from Facebook’s Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are three key lessons that we can take away:

  • The Privacy Invasion Gnomes are Wrong
  • Intent Beats Identity
  • Maximizing your IPO returns may be a short term strategy

Let me start with the “Privacy Invasion Gonmes.” The short form of their strategy is:

  1. Gather lots of data on people
  2. ???
  3. Profit

This is, of course, a refinement of the original Gnome Strategy. But what Facebook shows us is:

The Privacy Invasion Gnomes are Wrong

Gathering lots of data on people is a popular business strategy. It underlies a lot of the advertising that powers breathless reporting on the latest philosophical treatise by Kim Kardashian or Paris Hilton.

But what Facebook shows us is that just gathering data on people is actually insufficient as a business strategy, because knowing that someone is a a Democrat or Republican just isn’t that valuable. It’s hard to capitalize on knowing that a user is Catholic or Mormon or Sikh. There’s a limit to how much money you make being able to identify gays who are still in the closet.

All of which means that the security industry’s love affair with “identity” is overblown. In fact, I’m going to argue that intent beats identity every time you can get it, and you can get it if you…keep your eye on the ball.

Intent beats Identity

The idea that if you know someone, you can sell them what they need is a powerful and intuitive one. We all love the place where everyone knows your name. The hope that you can translate it into an algorithm to make it scale is an easy hope to develop.

But many of the businesses that are raking in money hand-over foot on the internet aren’t doing that. Rather, they’re focused on what you want right now. Google is all about that search box. And they turn your intent, as revealed by your search, into ads that are relevant.

Sure, there’s some history now, but fundamentally, there’s a set of searches (like “asbestos” and “car insurance”) that are like kittens thrown to rabid wolves. And each of those wolves will pay to get you an ad. Similarly, Amazon may or may not care who you are when they get you to buy things. Your search is about as direct a statement of intent as it gets.

Let me put it another way:
Internet company revunue per user

The graph is from Seeking Alpha’s post, “Facebook: This Is The Bet You Are Making.”

So let me point out that two of these companies, Facebook and LinkedIn, have great, self-reinforcing identity models. Both use social pressure to drive self-representation on the site to match self-representation in various social situations. That’s pretty close to the definition of identity. (In any event, it’s a lot closer than anyone who talks about “identity issuance” can get.) And both make about 1/9th of what Google does on intent.

Generally in security, we use identification because it’s easier than intent, but what counts is intent. If a fraudster is logging into Alice’s account, and not moving money, security doesn’t notice or care (leaving privacy aside). If Alice’s husband Bob logs in as Alice, that’s a failure of identity. Security may or may not care. If things are all lovey-dovey, it may be fine, but if Bob is planning a divorce, or paying off his mistress, then it’s a problem. Intent beats identity.

Maximizing your IPO returns may be a short term strategy

The final lesson is from Don Dodge, “How Facebook maximized the IPO proceeds, but botched the process.” His argument is a lot stronger than the finger-pointing in “The Man Behind Facebook’s I.P.O. Debacle“. I don’t have a lot to add to Don’s point, which he makes in detail, so you should go read his piece. The very short form is that by pricing as high as they did, they made money (oodles of it) on the IPO, and that was a pretty short-term strategy.

Now, if Facebook found a good way to get intent-centered, and started making money on that, botching the IPO process would matter a lot less. But that’s not what they’re doing. The latest silliness is using your mobile number and email to help merchants stalk find you on the site. That program represents a triumph of identity thinking over intent thinking. People give their mobile numbers to Facebook to help secure their account. Facebook then violates that intent to use the data for marketing.

So, I think that’s what we can learn from the Facebook stock slide. There may well be other lessons in an event this big, and I’d love to hear your thoughts on what they might be.

Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before.

From 1999 until 2002, I was Director of Technology and Most Evil Genius at Zero-Knowledge Systems, a Montreal-based startup devoted to delivering privacy-enhanced internet services. Zero-Knowledge raised approximately $71 million dollars to deliver internet privacy, and then had to pivot its business model (before pivoting was trendy). Because management pivoted and found value in what we had built, it didn’t deliver on the privacy dream, but the company did make good money for shareholders.

It’s my hope that Calyx can deliver more privacy to more people over a longer time, and make money for shareholders as it does so. To do that, they’ll need to move from the excitement accompanying their announcements to delivering products in the market. So let me turn to:

The market for privacy
There’s a lot of excitement. Nearly a thousand people have donated cash. They’ve put together a nice advisory board. That’s because people care about privacy. A lot of folks claim that there’s no market for privacy (pointing to things like Zero-Knowledge), but I believe that they’re wrong. There is a market, and it’s hard to tap into.

One of the key reasons it’s hard to tap into the market is because privacy means different things to different people. It means so many things that there’s a good book on “Understanding Privacy.” (My review.) So, does privacy mean the same thing to consumers as it will to Calyx? Resisting demands from 193 national intelligence services is great, but what about protecting me from advertisers? The disjointed things people mean by privacy make it challenging to ensure that you line up with people’s concerns.

Another issue is that privacy is rarely a thing sold in and of itself. Privacy is an aspect of some service, either by providing a privacy-protecting version of the service, or privacy protection against the service. A privacy-protecting ISP has to offer me ISP service equivalent to what I get today, or some bundle that makes sense for me. For example, I pay extra because Speakeasy didn’t demand my SSN, and had technically competent people answering the support phones. They’re less awesome since Megapath bought them, but they’re not Comcast, and they’re not running for most infuriating company in the country. Tor is an example of privacy protection against your ISP. You have to get the whole bundle right, which is likely going to be harder than getting the bundle right without privacy. Of course, sometimes it’s easier. By billing my credit card, Speakeasy doesn’t need to collect my SSN, doesn’t need to protect it, and doesn’t need to pay for a credit check. (They do have to pay a monthly cut to the credit card company, but Comcast probably also pays that for most of their customers.)

That said, consumers do care about privacy, and do spend money on it when they can understand the threat and defense. It requires entrepreneurs and hackers willing to experiment. and eventually someone’s going to make a boatload of money doing so.

For more in-depth comments on this, see my home page, especially the end of 2002 and the start of 2003.

With that, let me turn to some questions about…

What Calyx is doing
Let me start with two quotes, which is the sum of my knowledge:

This project’s goal is to raise funds for my nonprofit organization, Calyx Institute, which will launch a privacy-focused Internet Service Provider and mobile phone service using end-to-end encryption technology.

and

Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics. (Both quotes from “The Calyx Institute fundraising page“)

So running a privacy-preserving ISP is great. And again, I want what I have to say to be heard in the context that I’ve given them money to help them get going.

My first questions are around the ISP part of the business. Is this an ISP in the form of “I can buy a DSL line from them?” (or otherwise, get internet service directly?) If it’s a partnership, how are we protected from the partner? Encryption is all well and good, but if I don’t have cover traffic, then my use or non-use of the service gives out information. Someone at the entry node (say the partner) who choses to collaborate with someone who can watch the exit node (say the NSA, or the FSB/KGB) can figure things out over time. This issue is fundamental to all low-latency internet-based privacy systems, including the Freedom Network that Zero-Knowledge operated, Tor, etc. The fix is approximately sufficient and continuous cover traffic that exceeds the bandwidth in use.

The second comment, which derives from that is “if Calyx can’t read it, it can’t be targeted by … surveillance tactics.” That is simply untrue. An observer which can see more can apply more clever analysis. I’m willing to forgive this as an aspirational statement today, but it’s important for privacy providers to ensure that they don’t over-promise.

My next question is why New York? Because the founder is there? The NYPD has done some bad things in the civil liberties camp, including for example surveillance of mosques without cause, kettling and rounding up protesters and bystanders without cause during the 2004 Republican Convention. Does New York have the most favorable laws in the US for this sort of thing?

When we get to the phone company idea, I’m in favor of the idea, but operating a nation-wide mobile phone service is expensive. If you don’t do so yourself, you can operate a “Mobile Virtual Network Operator.” But if Calyx does so, then the network operator from whom it leases bandwidth can see IMEI numbers and otherwise fingerprint phones. There are some interesting challenges here, and we need to know more to understand what Calyx can deliver.

In conclusion
There is a market for privacy, and there is a market for private internet services. Calyx has an opportunity to tap into such a market, but it’s tricky and complicated to do so successfully. There are a lot of hard questions to be addressed along the way. However, it’s important to remember that privacy is an important and cherished value for excellent reasons. Calyx is unlikely to be either perfect, or as bad as the main players in today’s market. So they deserve your support, your attention, and perhaps even your money. Why not go donate?

Fascinating Storyline around Instagram & Facebook

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit.

Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now.

I was struck by the nature of this article by the fine folks at Petapixel: “Instaport Lets You Download All Your Instagram Photos as a Zip File.” The article starts “Unhappy with Facebook’s acquisition of Instagram and want to flee the photo sharing service?”

Wow.

Fleeing Facebook is no longer something for the digerati and the privacy nuts. Now it’s presented as a reasonable response to Facebook acquiring Instagram.

That’s a good sign for the theory that all general purpose social networks eventually get overwhelmed with people you don’t care about, and perhaps a bad sign for those who bought Facebook stock at a $100 Billion valuation.

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer.

From the store’s blog, “Grand Opening: June 11th

I’ve been helping David and Danielle a little with book selection because they’re good folks and I love great bookstores. I encourage Seattle readers to stop by.

Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook:

facebook-privacy.jpg

Maybe it was Zuckerberg calling people who trust him “dumb fucks,” or the irony of him telling a journalist that “Having two identities for yourself is an example of a lack of integrity.” Or maybe it was the irony that telling people you believe in privacy while calling them dumb fucks is, really, a better example of a lack of integrity than having two identities.

Maybe it was the Facebook search (try ‘my dui’), or Facebook: The privatization of our Privates and Life in the Company Town. Maybe it was getting on CNN that helped propel it.

It all generated some great discussion like danah boyd’s Facebook and “radical transparency” (a rant). It also generated some not so great ideas like “Poisoning The Well – A Response To Privacy Concerns… ” and “How to protect your privacy from Facebook.” These are differently wrong, and I’ll address them one at a time. First, poisoning the well. I’m a big fan of poisoning the wells of mandatory data collectors. But the goal of Facebook is to connect and share. If you have to poison the data you’re trying to share with your friends, the service is fundamentally broken. Similarly, if you’re so scared of their implicit data collection that you use a different web browser to visit their site, and you only post information you’re willing to see made public, you might as well use more appropriate and specialized sites like Flickr, LinkedIn, Okcupid, Twitter or XBox Live. (I think that covers all the main ways people use Facebook.)

But Facebook’s problems aren’t unique. We’ve heard them before, with sites like Friendster, MySpace, Tribe and Orkut. All followed the same curve of rise, pollution and fall that Facebook is going to follow. It’s inevitable and inherent in the attempt to create a centralized technical implementation of all the myriad ways in which human beings communicate.

Play it Sam…once more, for old time’s sake

I think there are at least four key traps for every single-operator, all-purpose social network.

  1. Friend requests The first big problem is that as everyone you’ve ever had a beer with, along with that kid who beat you up in 3rd grade sends you a friend request, the joy of ‘having lots of friends’ is replaced with the burden of managing lots of ‘friends.’ And as the network grows, so does the burden. Do you really know what that pyronut from college chemistry is up to? Do you want to have to judge the meaning of a conversation in light of today’s paranoia? This leads us to the next problem:
  2. Metaphors Facebook uses two metaphors for relationships: friend and network. Both are now disconnected from their normal English meanings. An f-friend is not the same as a real friend. You might invite a bunch of friends over for drinks. Would you send the same invite to your f-friends list? Similarly, if I were to join Facebook today, I could join a Microsoft network, because I work there (although I’m not speaking for them here). Now, in the time that Facebook has been open to the world, lots of people have gained and lost Microsoft email addresses. Some have been full time employees. Some have been contractors of various types. Some have been fired. Is there a process for managing that? Maybe, we have a large HR department, but I have no idea. One key point is that membership in an f-network is not the same as membership in a real network. The meaning of the words evolve through practice and use. But there’s another issue with metaphors as made concrete through the technical decisions of Facebook programmers: there aren’t enough. I think that there’s also now “fans” available as an official metaphor, but what about salesguy-you-met-at-a-conference-who-won’t-stop bugging-you? The technical options don’t match the nuance with which social beings handle these sorts of questions, and even if they do, telling a computer all that is too much of a bother. (See the chart above for an attempt to make it do something related.)
  3. Privacy means many things Privacy means different things to different people. Even the same person at different times wants very different things, and the costs of figuring out what they will want in some unforeseen future is too high. So privacy issues will keep acting as a thorn in the side for social network systems, and worse for centralized ones.
  4. Different goals Customers & the business have different desires from the system. Customers want fast, free, comprehensive, private, and easy to use. They don’t want to worry about losing their jobs or not getting one. They don’t want to worry about stalkers. They don’t want their sweetie to look over their shoulder and see an ad for diamond rings after talking to their friends about engagement. But hiring managers want to see that embarrassing thing you just said. (Hello, revenue model, although Facebook has not, as far as I know, tapped this one yet.) Stalkers are heavy users who you can show ads to. Advertisers want to show those diamond ring ads. Another example of this is the demand to use your real name. Facebook’s demand that you use your real name is in contrast to 4 of the 5 alternatives up there. Nicknames, psuedonyms, handles, tags are all common all over the web, because, in fact, separating our identities is a normal activity. This is an idea that I talk about frequently. But it’s easier to monetize you if Facebook has your real name.

So I’m shocked, shocked to discover that Facebook is screwed up. A lot of other shocked people are donating to Diaspora ($172,000 of their $10,000 has been pledged. There’s interesting game theory about commitment, delivery on those pledges, and should they just raise a professional round of VC, but this post is already long.) There’s also Appleseed: A Privacy-Centric Facebook Slayer With Working Code.

Now, before I close, I do want to say that I see some of this as self-inflicted, but the underlying arc doesn’t rely on Zuckerberg. It’s not about the folks who work for Zuckerberg, who, for all I know are the smartest, nicest, best looking folks anywhere. It’s about the fundamental model of centralized, all-purpose social networks being broken.

To sum it all up, I’m gonna hand the microphone to Rick:

If you don’t get off that site, you’ll regret it. Maybe not today, maybe not tomorrow, but soon and for the rest of your life. Last night we said a great many things. You said I was to do the thinking for both of us. Well, I’ve done a lot of it since then, and it all adds up to one thing: you’re getting off that Facebook. Now, you’ve got to listen to me! You have any idea what you’d have to look forward to if you stayed here? Nine chances out of ten, we’d both wind up with our privacy in ruins. Isn’t that true, Louie?

Capt. Renault: I’m afraid that Major Zuckerberg will insist.

How to Make Your Dating Site Attractive

bookio.jpg

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that.

So from a product management and privacy perspectives I found this article very thought provoking:

Bookioo does not give men any way to learn about or contact the female members of the site. Men can join for free, if they have been invited—and if a current Bookioo member can vouch for their information. They can then post a profile for the perusal of the female—and paying—members of the site. It’s those paying women, however, who get to call the shots.

As interesting as the approach is, what’s more interesting is how they came to it. They focused on a set of female customers, and asked what is it that they worry about, and what do they want? Co-founder David Olmos:

We think that women don’t feel comfortable with the current dating sites. The latter are too masculine: they were designed by men and they fundamentally address men’s needs. We know that many women prefer a different approach: they’re eager to socialize, to meet new people, and we propose to do that through activities. It may lead them to find a partner, of course, but they may as well enjoy an afternoon in a museum with a new girl friend whom they met Bookioo! So we propose to socialize through activities, common hobbies and common tastes.

As you can see, we actually want to revamp the “dating” concept, taking the perspective of women. The key issue for us is to make sure that women enjoy the level of privacy they wish and that the males’ profiles are fully validated. (“Bookioo: dating and social networking site gives women full control.”)

It’s also a very different approach to “creep management,” which we’ve covered in past posts like “Emerging dating paranoia,” “Dating and Background Checks in the UK” or “Dating & Background Checks in China

Ten Years Ago: Reminiscing about Zero-Knowledge

zks-logo.jpgTen years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who can’t say that.

We struggled with the tremendously hard problem of privacy. We did it for something bigger and more important than ordering your groceries online. We didn’t succeed at the first business plan, or the second, but we plugged away at it, listened to prospective customers and partners, and the company is still in business and going strong as RadialPoint.

We learned an awful lot. We learned that people are awfully passionate about privacy. Hundreds of thousands of people signed up to try our software. We had a guy who called support after buying a new computer to get privacy. I remember the woman who took his call telling me how sad she was she had to get off the phone and take other calls. And we learned that what we meant when we said privacy wasn’t what other people meant.

I think too much of today’s privacy debate is wrapped up in a similarly nebulous term, identity theft. It’s hard to address a problem that’s so vague. But that’s a post about today, not about ten years ago.

We hired a lot of great people who I knew. I met a lot of great people, too. Went to work with one of them, Dave Clauson at another startup, Reflective. Work with some of them again (Hi Christian! Hi Stefan!).

For me, the key lesson was to really drink deep of your prospective customer’s pain. To accept that they may have a label that you really understand better than them (“privacy”) and that it doesn’t matter. What matters is how they see it, and how they understand your solution. Zero-Knowledge made me skeptical of great technology as a problem solver, when the customer is asked to understand it or care. Your customers never care about your technology anymore. They care about what pain it solves.

I’d love to go back and tell myself ten years ago to love the customer better. There’s other lessons. I’d love to seized the day and some of its opportunities better. But in the end, that flight to Montreal put me on the path to where I am today.

So a huge thank you to all of our customers and prospective customers. Thank you to Ian for introducing me to Austin. Thank you, Austin and Hamnett for offering me the job. Thank you to all of my co-workers, employees and friends of the company.