SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan.

So how do banks make money? It’s ‘easy.’ They sell you a loan at a higher rate than they’d be willing to settle for. A mortgage is a big, unpleasant, complex process that includes some stranger pawing through your financial life. Making a bad choice is worrisome. Most people apparently get very few quotes, and are told that their rate depends on their credit score.

There’s a strong imbalance in the information that each side has, and my friends at SmartHippo have just launched a site to help correct that imbalance.

If you’re getting a mortgage, or just want to compare, check these folks out. I really like what they’re doing and where they’re going.

What would it be like if buying lemonade was as complicated as shopping for mortgage rates? See what happens when little Jenna opens a lemonade stand and tries to maximize profit at the expense of her customers.

“Whatever happened to Zero-Knowledge Systems?”

Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?”

The company has re-focused its business model, changed its name to Radialpoint, become profitable, and become the fastest growing company in Quebec (based on 5 year revenue growth). As Austin Hill writes in “Radialpoint gets some Prophetic Love:”

I want to congratulate my brother Hamnett, father Hammie and the entire team at Radialpoint who were just honored by Profit Magazine as the fastest growing company in Quebec (measured in 5 year revenue growth) and the 32 fastest in Canada.

I’ll join Austin in sending the entire Radialpoint team congratulations.

It’s a great team, and they’ve done a fantastic job transitioning from promise to a reality for their partners and customers.

Carole King said it best

“It’s too late, baby”
Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops.
Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is the one you have with your personal information.
Well, bad news. That info is all over town, for anybody who can pay the bills, and you don’t know the half of it. That, at least, is the opinion of David Cowan, a VC at Bessemer Venture Partners, blogging about Lifelock:

It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices[sic] whom you’ve engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.
In other words, the horses are out of the barn. There’s little point trying to re-tool or regulate the world’s IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it’s futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential.

Here, Cowan echoes the response I got over a beer when I asked a knowledgeable observer of the financial industry how he’d estimate the number of compromised identities (I figured he’d know about fraud detection and so on). I knew I was in for some fun when his response began with “You’re not going to like the answer…”. It seems that in his opinion all our PII belongs to them. It’s merely a question of monetizing it. (Listen closely — that sound you hear is Lindstrom saying “Yessss!!!”)
I am not qualified to assess whether Lifelock or Debix, or any other player in this space is a sensible investment. I will say that, as I understand it, their value proposition could be obliterated with a stroke of the pen, which leads me to a conclusion, and to a question.
That smart people are willing to attach their names and wallets to these enterprises shows me that US consumers won’t have true control over access to their personal information for the foreseeable future because legislation providing it is seemingly not forthcoming.
To those who argue that the data are already all out there, my question is “Is that a falsifiable hypothesis?”

How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.”

What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, but a community. The companies that really succeed at building a community will find it a double edged sword–their communities will be their biggest asset, and the hardest thing to change. At the same time, it’s done great things for companies like Flickr, and it’s a welcome change to be treated as a person, rather than as a monetizable eyeball.

Congratulations to Counterpane and Bruce Schneier

Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. I had to leave the TAB when I joined Microsoft, but, regardless, I’m really happy for everyone involved.

Long Term Impact of Youthful Decisions

There’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records.

I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they get a few more readers each day than we do), so I let it alone.

Then I saw Gunnar Peterson discuss “Brian Chess on Evolving Risk Models:”

When a company starts its life it wants to take on as much risk as it possibly can, do something hard and prove it in the marketplace. If it is not too risky then a big company may take you out or there may be no market. Over time a successful company’s market risk should go down as it gains market share.

Where this becomes interesting from a security standpoint is that early in the company’s lifecycle, the business has high market risk, but little security risk, there is not much in the way of assets to target. But over time as the business gains market share its security risks grow. This puts security in a very interesting position where they have to make up for a lot of lost time even if the decisions to delay security made sense at the time, the risk profile has readjusted to the point where more mature businesses who are established in the market and have relatively little residual market risk, at the same time the business takes on more and more security risk. In general this means the code, the config, data and identity architectures all must play catch up to deal with the risk profile over time.

These design and implementation choices also live to tell tales. I expect over the next few years, a rise of highly effective testing tools will act as a force multiplier for elite researchers, making it less and less possible to expunge evidence or records of security choices made. We’re going to have to start asking questions about security activity during the procurement process. Think of it as background checks for your software.

Debix Launches

I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up.

The way it works is that they put a lock on your credit file, so that creditors opening new accounts need to contact you, through Debix, in order to open a new account. This is better than a standard fraud alert because Debix maintains records. So if someone opens an account and you weren’t contacted, it’s not a matter of he said/she said. There’s a neutral party who can vouch for what didn’t happen. This is better than credit monitoring because you prevent problems, rather than try to clean them up.

As Bo Holland, the CEO, says, there’s nothing like putting the person who knows–you–at the center of your credit transactions.

Disclosure: I have a financial relationship with Debix.

10-second MBA, por favor?

I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.

Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA.

So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed?

I think there are two main reasons, the first involving group dynamics, and the second involving group dynamics success catastrophes.

As a group grows, there are lots of dynamics. One of those is that functional groups can get more done than individuals. There are also communication and alignment costs, which is why adding more programmers to a late project makes it later. Christopher Allen has written extensively about this in his posts on Dunbar numbers, such as “The Dunbar Number as a Limit to Group Sizes.”

As a professional networking group hits some critical mass of interested early adopters, those early adopters put in work and get lots of value. Since a goal of the group is networking, they excitedly invite more people, telling them how great it is. The group grows. Newcomers may not invest the same level of energy (after all, things are working great, let’s drink more!) As that happens, the selection functions that controlled early membership: Did you find out about it because you read the right blogs? Did you make time to attend?


As the group grows, the activities and energy that made it work may no longer suit what the group has become. This is why lots of startup founders leave: They’re great in the early stages, but as they build the company, the very skills that made the early days work become dysfunctional. Startups often do this, at great cost, because there’s a board of directors who are focused on a financial outcome. Professional societies, who take their boards from the enthusiastic membership, may not have that same focus. These groups want more of what made them valuable early on.

Thus, the habits and skills that make a group successful can end up holding it back. It’s the catastrophe that follows success, and it’s why we have a growing list of professional organizations that don’t do quite what some people want. When the groups don’t serve the purpose, some enthusiastic people will set out to fill that gap, either in a market or in a social setting.

So what can you do about it? Me, I plan to drink lots of beer at the next SeaSec.

Photo: Zombarmy06 by Father.Jack.