Wednesday, October 22, 2003
Reading List, 10/03

My reading has been a bit spotty over the last month or so, due to work and family pressures.  But here's what's going on.

Current List

On Deck

  • Neal Stephenson, Quicksilver (a massive and daunting project, but worth it)
  • Alastair Reynolds, Redemption Ark (on the queue for a while, haven't gotten to it yet)
  • Stephen Baxter, Evolution (also on the queue for a while)
  • Christopher Hitchens, Letters to a Young Contrarian
  • And a coffee table stacked with other stuff I can't even remember...


5:01:26 PM
Bruce Schneier's new book

I'm finishing up Bruce Schneier's new book, Beyond Fear: Thinking Sensibly about Security in an Uncertain World.  It's fabulous, and more generally useful than Secrets and Lies.  The latter is specifically about networked security, whereas the new book is much more about how to think about and analyze security.  As I've said previously (see a recent repost), the "all or nothing" or "absolute" security models you see bandied about are uninteresting in the real world.  No security is absolute -- in Schneier's terms, security is always relative to the assets being protected, the countermeasures available, and the threats expected.  I'm sure I'll have more comments after I've assimilated the rest of this terrific book.

4:21:15 PM
Why investing in security technology is tough (repost)

For quite some time, I've been interested in adding a strong security company to Pinpoint's portfolio.  My thinking is that security today is an "either-or" proposition:  either we create seamless "under the covers" security technologies (like SSL/TLS in browsers) that people don't have to know much about, or enhanced security just doesn't happen.  But I'm not seeing early stage companies doing security the way I believe it should be done.  A catalyst in thinking about why we've been unsuccessful in finding a strong security investment was a recent paper by Andrew Odlyzko, titled "Economics, Psychology, and Sociology of Security," available in PDF on his website.  I recommend it strongly.  He discusses the reasons why security needs to focus on providing "speed bumps" and stop chasing the notion that systems can be "secure."  I agree completely.

Most business plans I've seen in the last two years along security lines involve end-users installing a piece of software or changing their habits.  Clearly, our track record in getting users to jump through hoops for better security isn't good.  In fact, it's terrible.  Email encryption has been around for well over a decade (via PGP), and how many people use it?  I've been a PGP user for nearly a decade on Unix systems, I've managed security-oriented engineers, and I even own the latest PGP plug-in for Outlook.  Yet I only encrypt those few email messages whose disclosure would cause real problems.  Why?  Because it's a pain in the butt.  Today, we seem to have two levels of security: "fortresses" and nothing at all.  Where is the middle ground?

The middle ground -- Odlyzko's "speed bumps" -- is missing in many areas of technology because technologists have focused on absolutes.  The industry focuses on creating "secure" systems, when we could use a lot more focus on creating "more secure" systems.  The usual analogy here is the lock on your house's front door.  Door locks aren't "fortress" security, and it's common knowledge that their purpose is mostly to keep honest people honest and raise the bar for the dishonest.  If I locked the door and you're in my house, I can be pretty sure that your intentions aren't honorable, and I can act accordingly.  Door locks are "speed bumps."  And in most cases, for most purposes, speed bumps are enough.

I would encourage security entrepreneurs to think carefully about how to add graded levels of security to existing systems.  We need more speed bumps and fewer fortresses.  I need a fortress to protect my company's payroll and transaction processing, or to set up a new automatic bill payee within my bill paying software.  The process of getting into the fortress and moving around inside can and should be difficult.  On the other hand, I need speed bumps to make sure that it's more trouble than it's worth to read my email, or to create a $100 fictitious expense report, or to pay a bill I've already set up in the system and authorized.
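One concrete way to build the graded levels described above is a tiered authorization policy: each action is assigned a tier, and the tier decides how fresh and how strong the user's authentication must be before the action goes through. The sketch below is an added illustration, not code from the original post or from any product it mentions; the action names, the expense threshold and the five-minute freshness window are constructed assumptions. Routine actions (reading mail, paying an already-authorized payee, a small expense report) pass on an ordinary session, while adding a payee or running payroll requires a fresh login plus a second factor, and anything the policy does not recognize falls into the strictest tier by default.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Tier(IntEnum):
    """Assurance levels, ordered so a higher tier satisfies a lower one."""
    SPEED_BUMP = 1   # any valid session is enough
    REAUTH = 2       # password re-entered recently
    FORTRESS = 3     # recent password plus recent second factor


# Constructed policy table (hypothetical action names, chosen to mirror the post).
ACTION_TIERS = {
    "read_mail": Tier.SPEED_BUMP,
    "pay_existing_payee": Tier.SPEED_BUMP,
    "file_expense_report": Tier.SPEED_BUMP,   # raised by amount, see required_tier()
    "add_payee": Tier.FORTRESS,
    "run_payroll": Tier.FORTRESS,
}

# Assumed threshold: expense reports above this amount need a fresh password.
EXPENSE_REAUTH_THRESHOLD = 500.0

# Assumed window (seconds) within which an authentication event counts as "fresh".
FRESH_WINDOW_S = 300


@dataclass
class Session:
    user: str
    authenticated_age_s: int                 # seconds since the password was last entered
    second_factor_age_s: Optional[int] = None  # seconds since the last second factor; None if never


def required_tier(action: str, amount: float = 0.0) -> Tier:
    """Map an action (and, where relevant, its amount) to the tier it demands."""
    # Unknown actions default to the strictest tier: fail closed rather than open.
    tier = ACTION_TIERS.get(action, Tier.FORTRESS)
    if action == "file_expense_report" and amount > EXPENSE_REAUTH_THRESHOLD:
        tier = max(tier, Tier.REAUTH)
    return tier


def assurance_tier(session: Session, fresh_window_s: int = FRESH_WINDOW_S) -> Tier:
    """Work out the highest tier this session currently satisfies."""
    password_fresh = session.authenticated_age_s <= fresh_window_s
    second_factor_fresh = (
        session.second_factor_age_s is not None
        and session.second_factor_age_s <= fresh_window_s
    )
    if password_fresh and second_factor_fresh:
        return Tier.FORTRESS
    if password_fresh:
        return Tier.REAUTH
    return Tier.SPEED_BUMP


def authorize(session: Session, action: str, amount: float = 0.0) -> Tuple[str, Tier]:
    """Return ("allow", tier) or ("step_up", tier); the tier tells the caller what to ask for."""
    need = required_tier(action, amount)
    have = assurance_tier(session)
    if have >= need:
        return ("allow", need)
    return ("step_up", need)


if __name__ == "__main__":
    stale = Session(user="alice", authenticated_age_s=3600)          # logged in an hour ago, no 2FA
    fresh = Session(user="alice", authenticated_age_s=30, second_factor_age_s=30)
    print(authorize(stale, "read_mail"))                    # ('allow', SPEED_BUMP)
    print(authorize(stale, "file_expense_report", 100.0))   # ('allow', SPEED_BUMP)
    print(authorize(stale, "file_expense_report", 5000.0))  # ('step_up', REAUTH)
    print(authorize(stale, "add_payee"))                    # ('step_up', FORTRESS)
    print(authorize(fresh, "run_payroll"))                  # ('allow', FORTRESS)
```

The design choice worth noting is that the policy returns the tier it wants rather than a bare yes/no, so the calling application can raise exactly the speed bump that fits (a password prompt for a large expense, a second factor for payroll) instead of forcing every action through the fortress.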

If you're an entrepreneur in the Pacific Northwest and you have an idea along these lines -- if you're creating speed bumps that ordinary people can use without changing their habits and without understanding "how it all works" -- let me know.  Come talk to us at Pinpoint.  We're looking for a good investment in the next quarter or so.

1:05:24 PM