My last startup was an information security company — SiteAdvisor — that was acquired by McAfee, where I then worked for a while. I am no longer working in security, but have many friends that do and I try to stay in touch with what’s going on in the area.
The widespread sense I get is that we are going through a period of unusual calm, especially on the consumer side. Instead of repeating the historical pattern where new types of threats emerge every few years, we’ve seen the opposite: threat types have actually gone away or been seriously mitigated. Spyware/adware is basically gone, as most of the businesses that were pushing it (yes, it was mostly driven by legal, US-based businesses) have gone bankrupt. Spam has been mostly controlled, at least if you use Gmail or a good spam filter like Postini. If you use a Mac you don’t have to worry about viruses or malware. Mobile security hasn’t ever really become an issue, mostly because the telecom carriers (and now Apple) carefully screen the installation of 3rd party apps. Identity theft is a real issue but not really something consumers can do anything about – most of it happens offline or through enterprise data center breaches.
On the enterprise and government side, things are more turbulent. Distributed denial of service attacks using botnets remain almost impossible to defend against. There have been a number of breaches of sensitive consumer information and those will likely only get more common, especially as more information gets centralized in the cloud. Military and terrorist computer attacks also seem to be a likely future threat.
All in all, though, the good guys have been keeping the bad guys down. This relative calm is generally great news for the computer users, but – let’s be honest – bad news for the computer security industry and venture capital investors. As an investor, I’ve only made one security investment in the last few years — in a cloud security startup called Vaultive. Everything else I’ve seen seems to be trying to solve non-problems or rehashing solutions that were developed years ago.
Inevitably, the calm will end and new classes of threats will emerge. But for now we should enjoy the relative peace.
do you think social media and the fact that the web has given end users more power has anything to do with this?
Hmm, interesting question. I think inasmuch as Twitter and Facebook are replacing things like email that is good. SMTP is an antiquated protocol where you can basically fake anything. Twitter's opt-in asymmetric following model makes spamming basically impossible (DMs excepted, but those aren't really core). Facebook's opt-in friend model has a similar effect.
I would also think richer AJAX web apps replacing the need for downloads helps a lot since the browser has a pretty good security model (certainly much better than Windows).
One thing I think you could argue is that security threats have moved higher “up the stack” along with most other interesting innovation on the web. Instead of the threat being people breaking into your computer, it's more about the online pharmacy site not being legitimate. That was part of the thesis of SiteAdvisor and I think the trend has only gotten greater.
I was also talking about users telling each other about scams as fast as they happen.
I could be way off on this, but my intuition is the people telling each other about scams via social media are not the people most in need of being told about scams.
true
I think there is an inevitable tension between security and functionality, especially in web apps.
For example, the “single site rule” was created to plug cross-domain scripting attacks, but developers are actively trying to find ways around it so as to make their applications be able to dialog with multiple data sources.
It almost feels like the calm before the storm on the consumer side, particularly in mobile. No doubt that will be a big time target by the bad guys. On the enterprise and govt side, I would say the state of affairs is pretty bad and attacks are getting much worse in both size and severity, but we haven't been hearing much about it. What scares me are initiatives like smart grid where new devices are coming online, and the effects of hackers could be devastating (e.g. shutting off your electricity). Perhaps, the good news is that there will be plenty of opportunity for startups b/c we know the bad guys won't be resting any time soon.
Not sure if you're seeing the 60 Minutes tonight, but it sounds like the gov't is certainly not experiencing Pax Romana. I don't keep up on this stuff, but I was surprised at some of the examples they shared (hackers staying in war systems for multiple days, Brazil going black, etc.).
Didn't see it. I'm always skeptical of MSM coverage of computer security – at least in my experience it's almost always wrong. That said, I should see this episode before commenting on it.
Definitely. Always tension between security and functionality.
From what I can see, the threat has shifted from consumers to companies. Every social media company deals with spam, abusive behavior, chargebacks, etc., on a daily basis. Much of this does not trickle down to the user. IMHO, there is a larger opportunity to build moderation infrastructure to help companies deal with the human problem.
That's a good point. I've heard similar things from social media sites.
I meant to disclose above that I am biased because I am working on something in this area.
I have experienced this first hand. There was a long period of time at StockTwits where I was dedicating 50% of my day to spam.
SPAM is an interesting case. I agree that it has mostly been mitigated as far as email is concerned, but it still plagues blogs and budding social web sites. Services like Akismet and TypePad provide some relief, but what they block feels marginal compared to what gets through. Ryan Bates' Railscasts blog has tutorials for setting up those services as well as things like Captcha. But despite using these tools on his own site, he often tweets about how much spam still finds its way through to his comments section.
I work at oneforty.com, and we have seen the problem first hand. Lots of “people” have submitted spam-like reviews of Twitter apps along these lines:
1) The review contains nothing except a link to the author's web site.
2) “If you like this app you will love <some other app/url>”
3) “Get cheap viagra cialis here”, etc.
Some of these — notably #2 — are difficult to detect. Nothing seems to catch them. But what is frustrating is that our tests with Akismet and TypePad almost always fail with #1, and usually fail with #3! In fact the comment “cheap viagra http://cheapviagra.com” did not get caught by Akismet in our tests (interestingly, it did work when we omitted the URL). We have a home-brewed solution that helps with #1 and #3, but it's not perfect. And more importantly, we want to spend our time building our web site, not anti-spam tools.
There's a final category that we have to deal with, which we call “crap content.” This consists of the useless and unhelpful submissions we receive that don't quite fall under the “spam” umbrella. For instance, we have received hundreds of reviews that consist of a single word: “wow!!!”, “nice”, “hi”, “whoa”. Even more along the lines of “cool app” or “I like it.” Even if this is not spam by definition, it reflects very poorly on us if a user comes to our site and this is what he or she sees in the reviews section.
So if the security industry is experiencing a Pax Romana of sorts, perhaps they could lend their talents to this area. If they build it, we'll gladly buy it.
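The three spam shapes and the "crap content" category described in the comment above map naturally onto a first-pass heuristic triage filter. The following is an added example, not oneforty's home-brewed solution or anything from the post's author; the pharmacy keyword list, the four-word threshold and the sample reviews are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample reviews modelled on the three spam shapes (#1-#3) and
# the "crap content" category described in the comment; not real data.
SAMPLE_REVIEWS = [
    "http://example-authors-site.invalid/",                         # 1) link only
    "If you like this app you will love http://other-app.invalid",  # 2) cross-promo
    "cheap viagra http://cheapviagra.com",                          # 3) pharma spam
    "wow!!!",                                                       # crap content
    "I like it",                                                    # crap content
    "Solid Twitter client, but the search tab crashes on iOS 3.1 when offline.",
]

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# Assumed keyword list; a real deployment maintains and tunes its own.
PHARMA_RE = re.compile(r"\b(?:viagra|cialis|levitra)\b", re.IGNORECASE)
# Matches the "If you like this app you will love <other app>" template only;
# paraphrases of it are the hard case the comment mentions.
CROSS_PROMO_RE = re.compile(
    r"\bif you (?:like|love|enjoy) this (?:app|one)\b.*\byou(?:'ll| will) (?:love|like)\b",
    re.IGNORECASE | re.DOTALL)
MIN_WORDS = 4  # assumed threshold below which a review counts as crap content

def classify_review(text: str) -> str:
    """Label one review as link_only, pharma, cross_promo, low_content or ok.
    Checks run from most to least specific so the first hit wins."""
    stripped = text.strip()
    if not stripped:
        return "low_content"
    # 1) Nothing remains once URLs are removed: the review is just a link.
    if not URL_RE.sub("", stripped).strip():
        return "link_only"
    # 3) Pharmacy keywords, caught with or without an accompanying URL.
    if PHARMA_RE.search(stripped):
        return "pharma"
    # 2) The cross-promotion template.
    if CROSS_PROMO_RE.search(stripped):
        return "cross_promo"
    # Crap content: too few real words once URLs and punctuation are dropped.
    words = re.findall(r"[A-Za-z']+", URL_RE.sub(" ", stripped))
    if len(words) < MIN_WORDS:
        return "low_content"
    return "ok"

def triage(reviews):
    """Classify a batch; returns (labels, per-label counts) for a moderation queue."""
    labels = [classify_review(r) for r in reviews]
    return labels, Counter(labels)

if __name__ == "__main__":
    for review, label in zip(SAMPLE_REVIEWS, triage(SAMPLE_REVIEWS)[0]):
        print(f"{label:12s} {review}")
```

Anything labelled other than `ok` would go to a moderation queue rather than being deleted outright, since the word-count rule also catches terse but genuine reviews.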