And here I thought this post was going to be about the Internet madness surrounding Rep. Anthony Weiner’s underwear photos, but this was much more exciting! I can’t wait for the movie version to come out!
You’ve done a good job explaining a scenario where knowing whether or not we are in a tech bubble seems silly, but I’m not sure that will convince people that we are in a tech bubble (but maybe that we shouldn’t be scared).
At the start of Y2K, a 15 year old kid in Canada took out eBay, Amazon, Yahoo, CNN, Dell, and other industry giants “just for the lulz”, in the parlance of our times. The Internet was not safe for business, and even the largest global carriers struggled to handle the onslaught of DDoS attacks that were fashionable at the time.
We started Arbor Networks just as the bubble burst, going into the telecom nuclear winter of the early decade (but eventually protecting 80% of all carriers and service providers worldwide, and over $100 million in annual revenue). This wasn’t rocket science (although we were a tech transfer company backed by years of DARPA research) – just coordinated plumbing at a scale never seen before (think of traffic lights at onramps to the 101 and you’ve mostly got the idea :-)
Today, the hardest problem in computer security isn’t resource-based denial of service. It’s account takeover, by attackers who have figured out that the easiest path through any door isn’t to pick the lock or break it down, but to simply copy a key or tailgate someone in. Users, not systems, are the new target, and no amount of education or training can defeat a well-executed con (e-mail from a trusted coworker containing an Office attachment, drive-by malware hosted on a major website or ad network, etc.).
Google, Yahoo, Dow, Adobe, Juniper, RSA, BP, Exxon, Shell, Citibank, Sony, NASDAQ, and countless others have been seriously breached this way in the past year. Traditional perimeter security has been rendered totally impotent by the failure of endpoint security – if your attacker is indistinguishable from a legitimate user (because they’ve 0wned the user’s computer and can impersonate them digitally), it’s game over.
We’ve always lived with some degree of infrastructure compromise on the Internet (and previously, X.25), but until an open black market emerged for the data gained by illicit access, it was mostly harmless. Zero day exploits are trading on the open market for hundreds of thousands of dollars, with various state actors now the major buyers. Popular open-source projects (arguably critical Internet infrastructure) including Fedora, Apache, MySQL, PHP, Sourceforge, GNU Savannah, BerliOS, WordPress, Atlassian, etc. have been compromised (and in some cases backdoored – DARPA, bring back the CHATS program!). And so the system rots from the inside.
It seems the threat is more subtle, though. China wouldn’t bring down America’s informational infrastructure because no one wants to exchange nukes. But what if it’s a kid from Peru? It’s important to remember, within all the promise of technology: The key to the gates of heaven, is also the key to the gates of hell.
“A bubble is simply the redistribution of wealth from Marks to the Smart Money and Promoters.”
It is also access to copious amounts of inexpensive capital for the few gazelles that emerge from the bubble, and sometimes the creation of assets (think dark fiber) that provide value to customers and financial return to the vulture investors who pick them up for pennies on the dollar after the fall.
“A bubble is simply the redistribution of wealth from Marks to the Smart Money and Promoters. I hypothesize that unlike bubbles in other sectors – tulips, Florida land prices, housing, financial – tech bubbles create lasting value.”
This is pretty much true by definition, since it’s better for society to have Smart Money in charge of investing all that money.
But this sounds a lot like “God made sheep to be fleeced,” and that similarity suggests these definitions could be challenged a little. Not everyone who gets rich in a bubble is either a smart investor or a good promoter. Some are swindlers, and some are just lucky. Opinions vary about the fraction of these elements, and I have no good numbers, but I know they’re higher than I like.
And I don’t think it’s good for society to have the wealth of Marks (some of whom, conversely, are really just unlucky) redistributed to people who are lucky or unscrupulous.
For me, the bottom line is that bubbles create less lasting value than steady, genuine growth… in tech, or in any other sector.
Dug is absolutely right in saying that our present difficulties in computer security lie not with brute-force flooding of pipes (i.e., DDoS), but rather with targeted, strategic attacks on smaller subsets of systems (think Stux).
However, I would disagree with the statement “users are the new target”. Indeed, it is far easier to gain access to resources by attacking the users who control those resources. But I think it is far more damaging (and therefore lucrative to the adversaries) to attack infrastructure systems on a wide scale. People may be the initial entry point of the attack, but I still think the greater target is the technology behind our infrastructure.
Steve, you have addressed the very important point that much of our infrastructure (economic, transportation, military, …) is based on solid systems operating securely and reliably. Let us call these critical systems. These are the ones that are vulnerable to crippling cyberattacks.
I posit that our infrastructure should not be based on these systems at all.
Any critical system should have no connection to the Internet. In fact, it should have no *concept* of the Internet. One might go so far as to say that any critical system should have no I/O with the rest of the world. (Recall that Stuxnet was thought to be propagated initially by USB.) This would help ensure that infrastructure-crippling cyberattacks do not propagate. Though preventing a system from communicating with the outside world will drastically reduce its value in controlling our infrastructure. This is the unfortunate nature of the security-versus-usability problem.
How do we secure ourselves? Let us hope that we will simply enjoy a “new spring”.
I read your posts religiously it seems, but I’d like to comment here for the first time that I too have gone down the security breach path and what it means to the future of human virtual existence and ironically the panic feeling seems to be synonymous with my reaction to a loss of physical existence. I reflect back on the first time I heard of the internet as a young adult and what comments/opinions were shared at the time, seems they were half right. As a species, humans have this innate ability to ‘insure’ our future existence through various means; medicine, home owners insurance, food supplements…etc. and as in the past, you’re exactly right, we’ll figure out a solution to this potential issue as well. Regardless if/when it occurs. Thanks for sharing your perspective and inner dialogue.
[…] While the 1999 bubble left the groundwork and hardware for Web 2.0 to build upon, the (potential) bubble of today will leave behind a vast network and cache of data for startups and entrepreneurs to innovate with. In retrospect, the amassing of data is truly astounding. Facebook and Google+ record our photos, status updates, and social interactions with our multiple networks, Twitter captures our minute thoughts, Google captures our search histories, trackers such as FitBit, MyFitnessPal, and Ibwie amass data on our daily eating and exercising habits. The aforementioned does not even begin to discount the amount of data created as infrastructure ranging from banking to the military become increasingly reliant on the Internet (see Steve Blank’s analysis that the internet is going to kill us all) […]
[…] at valuations we have never seen before. Back in June Steve Blank stated that we were seeing the beginning of a bubble but it was not necessarily a bad thing because we see investments in new technologies. Six months […]
I have to smile; as I worked in several corporate IT environments, I got some experience of what they actually look like.
I doubt that there could be a logical bomb planted that destroys every record, because those IT systems are huge, enormously complicated and interconnected; they are not secure by design, they are secure or robust by unintended obfuscation.
I do have another concern. When I studied computer science in the 90s, two fields of study were underdeveloped: security and user interfaces. Both of them are costing productivity. Especially troubling for me is that the majority of developers do not have the right mindset for UI and security. Both of them are focused on interfaces, how systems are interacting with other systems and people.
In other words, most developers are too introverted; that is my observation.
It is difficult to make an insecure system a secure system if the whole architecture of the system does not have a security philosophy from the beginning, like Windows.