Blockchain dreams and beyond - Why security technologies fail in the marketplace

Blockchain. It's the latest computer security technology craze. Everybody is trying to build on the Bitcoin story, get funding, and start the next great security company.

The math is cool. Anonymity, distributed ledgers.

All conceptually very, very neat.

Lots of attention and some funding.

Lots and lots of hype.

Don't hold your breath.

Because we've been here before.

I've been here before.

My Sad, Sad Story of SecurePlay - somewhat short version

Back in the 1990s when the Internet was new, Nova on PBS had a special on this "new thing"... the Internet (I don't remember quite when). Near the end of the show, there was a short piece on Internet Gambling and how "there was no way to protect against cheating".

It stuck in my head. I'm a crypto guy and a game guy.

I thought I could solve the problem.

And I did.

I came up with a set of cryptographic protocols to secure games against cheating. I didn't quite know what to do with them... shared it with some friends who knew a patent attorney.... and the fun began.

So, we filed patents and thought we could sell the patents to people (foolish us).

So, we built software (SecurePlay) that implemented the patents (and more) to try to become "the SSL of online gaming". Heck, we even won a startup business contest in DC.

We had one problem that a lot of security technologies don't have... the questionable legality of Internet gambling (in the US), but that really wasn't the thing that killed us.

And we were probably dead from the day we started.

No one cared (or cares) enough.

Because we thought that game companies (both computer games and gambling) would buy security technology that would make their product better (more secure).

But they don't need to be better (more secure) to get more customers.

... or, rather, the customers who they would get by being more secure were (and are) in the distant future.

... they were better off spending money on just getting more customers.

... or making better games.

... and they could always just say they were secure (which they do...even if they've been caught with serious security problems).

After all, consumers (and most businesses) can't tell the difference.

If I was doing this today, I'd call SecurePlay "blockchain for online gaming"... and I might even get a bit of money... but, I suspect, if I tried to sell "game security middleware" again... it would fail, again.

Because security technologies face some real challenges in the marketplace.

Back to the future

There are other hot new security technologies. They do come in waves... "Threat intelligence" and "AI for security" definitely are up there today.

But, if it's your money,

Consider the following

* No legal framework

This has been a particular problem for cryptographic security technologies since the digital signature days (at least). Back in the day, I spoke at the First NIST Public Key Invitational Workshop (sometime in the mid 1990s). We worried about the legal risks of digital signatures, potential for fraud, heck, we worried about the storage costs for signing email (2000 bits per email- horrifying)!

One topic I raised was how much money we were all going to make as expert witnesses on how easily digital signatures could be undermined in practice and therefore digitally signed contracts were going to be meaningless.

Totally wrong of course.

Digital signatures "exist" but they mean little.

I've bought digital signatures for $8 per year. Free ones exist now. The only reason to buy one is customer expectation.

Basically, consumers have been trained to "trust" those silly little lock logos on their browsers. While your data may be encrypted to the store where you  buy stuff or site where you share your personal information... hacking that encrypted link isn't today's security problem at all.

No one has adequately worked out building a true digital signature system with all of its implications. For example, I just "digitally signed" a contract to buy a property - using Comic Sans Serif to "sign" my name as my "digital signature".

The system uses a "trusted third party" with a site with lots of security rhetoric - emphasis on the "quotes" around "trusted".

And that's OK... but it sure isn't based on cryptography.

It's easy and it's cheap.

Basically, "digital signatures" have knocked out the market for fax machines for contracts.

Woo hoo.

* Greed

Everyone has tried to WAY overmonetize the value of computer security technologies. Once upon a time, Verisign wanted us all to buy $50 personal digital signatures and the banks got greedy with SET... and interesting (and potentially market changing) technologies went nowhere.

The killer app in most of these markets is lowering intermediary or operational costs and mostly security tech vendors RAISE costs and die.

Charles Schwab and Etrade changed the stock brokerage business by radically lowering transaction costs (using vanilla tech smartly - - first phone based ordering and then basic Internet browsers).

If you find a way to radically lower transaction costs, you will often find that the security technology is largely unnecessary - people will live with you as a vanilla trusted third party - because you are cheap(er).

* Security Suicide

Suppose they buy your security solution. If they sell to their customers based on your security, they are a slave to you... after all, if you sell to their competitors as well, then the industry becomes a commodity wrapped around your security tech.

So, it is irrational to license from you as their marketing becomes marketing for you instead of them.

But if they buy you, then they still incur the same marketing costs... so why buy you?

So, you are forced to become a competitor to the incumbents in the industry. Except you are starting at zero... and they can simply assert or build "good enough" security.

(Read about Sawstop's attempts to radically improve safety for table saws. They've succeeded somewhat)

* Switching costs

Switching an industry over to a new platform is hard and expensive. And, since in many cases the incumbents can simply lower costs (see the credit card processing industry), it is difficult to be a new entrant.

(Square and such have done well with small companies as the switching costs are low and they've been r*ped by the processors for years, so a lot of businesses were happy to be rid of them for any number of reasons).

* Who pays

Often, the incumbent operators (especially if there are separate infrastructure companies) simply pass on their costs to their end users.... so they don't see any benefit and the end users don't have enough leverage to push a change (credit card security being a pretty easy example again - merchants basically absorb all of the liability in the system).

In short... the problem isn't tech or security, no matter how cool, it is the real business...

... and the history of cool security tech - from encryption to digital signatures to .... pretty much everything is that we forget the business side.

No comments:

Post a Comment