SFGate: VERISIGN/On the Record: Stratton Sclavos

[David Farber <dave () farber net>]

------ Forwarded Message
From: "dave () farber net" <dave () farber net>
Organization: SFGate, San Francisco, CA
Date: Mon, 10 Jan 2005 08:08 -0800
To: "dave () farber net" <dave () farber net>
Subject: SFGate: VERISIGN/On the Record: Stratton Sclavos


 
----------------------------------------------------------------------
This article was sent to you by someone who found it on SFGate.
The original article can be found on SFGate.com here:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2005/01/09
/BUG22AFFKP47.DTL
 ---------------------------------------------------------------------
Sunday, January 9, 2005 (SF Chronicle)
VERISIGN/On the Record: Stratton Sclavos



   In 1995, Stratton Sclavos and RSA founder Jim Bidzos created VeriSign as
a
spin-off that issued digital certificates, acting as an Internet notary
public. Today, VeriSign secures online transactions and is branching out
into handheld entertainment, radio frequency ID tags and other up-and-
coming technologies. As VeriSign's chief executive officer, Sclavos has an
unparalleled view of the Internet, its strengths and weaknesses. We talked
with Sclavos about the rising sophistication of online crime, his
company's squabbles with the Internet oversight authority and the
challenges of being a parent in the digital age..
   Q: VeriSign is in a lot of businesses now. Is there is a vision that ties
all these things together?
   A: What we have really been about over the last five years is assembling
a
set of assets that all plug together to make what we call intelligent
infrastructure.
   If you look at the Internet, we're through the first 10 years of this
massive growth, (with) more people getting on and more messages being
sent. We think we're at an inflection point where there's too much
complexity and too much usage to do things just by adding more pipes. So
the intelligent infrastructure we do sits above the pipes and below the
applications and the services and makes things more efficient.
   We route .com and .net addresses 14 billion times a day. We secure 400,
000 Web sites so people can communicate with their customers. We process
credit cards for those same Web sites so they can take the money and put
it in a bank account.
   Five years from now, whether it's radio frequency ID tags on Gillette
razors or Web addresses for .com and .net or phone numbers that have
become voice-over IP as opposed to traditional telecom switches, we'll
have those big directories running inside VeriSign data centers that make
all that stuff connect and interoperate.
   Q: Why should such important infrastructure be handled by the private
sector?
   A: We are a regulated business in .com and .net service. We have over the
last five years invested $200 million in research and development and
capital equipment to completely rebuild that network. You need to fuel
innovation to keep this infrastructure growing, and I don't think the
government would be well suited to that.
   We were here before the Internet explosion. We're here after the burst of
the bubble. And in those nine years, the machines have never been down,
and we've taken the systems from being able to handle about 20 billion
interactions a day to now, (when) our top capacity is north of 200 billion
a day.
   There are people at VeriSign who will work 24 hours a day if even one bit
of the database that we manage gets corrupted. And we will do anything in
our power to fix it within seconds if we can and minutes if we can't.
   We have shared our technology and our software-monitoring tools with the
Department of Homeland Security since almost its first days. They can see
the network the same way we do. We just agreed to the same kind of
provisions with the European Union to give their new security-monitoring
center these kinds of tools. We're probably five to six years ahead of
where these governments would be in thinking about how to monitor the
network. And we're trying to bring them all up to that same level of
visibility.
   Q: What is your role in the Department of Homeland Security and are you
involved with the war on terrorism?
   A: We are an avid participant in their information-sharing private-public
partnership. We provide them tools that we have designed so that they can
see the network and its trouble the same way we can, and then we're
involved in certain forensic activities on an as-needed basis.
   Q: What would something like that entail?
   A: If we process 35 percent of North American e-commerce, we manage 14
billion Web connections a day. We manage the firewalls and intrusion
detection centers for some of the largest financial service companies in
the world. We see all the network traffic and all the network problems. So
we've become an early warning system in many respects for a lot of what
governments as well as commercial interests are looking for.
   Q: Is this about cyber-terrorism or helping the government when they're
looking for the source of terrorist money?
   A: It's really all of those things. You are looking at the digital
equivalent of money laundering and espionage and commercial competitive
information. All those things that we talk about in terms of physical
terrorism or just criminal financial activity we are now seeing on the
network.
   We're in the very earliest stages of understanding just how much of that
activity can be found quickly enough to do something about it.
   Q: Can you talk about the rise of common scams like phishing (scam e-
mails that trick people into revealing financial information)? Doesn't
that dwarf any other kind of crime online?
   A: It's a very real threat. It tends to be small economic value
multiplied
by potentially millions of people. So it's a big deal, and it undermines
confidence in going online. The thing I'm actually more interested in
watching is the fraud (we are seeing) on these networks at an escalating
rate. From what we can tell, (they) are coordinated attacks. If you watch
what's going on, the number of fraudulent transactions that are programmed
and automated from the Eastern Bloc, from Indonesia, from these various
places, it's just mind boggling. It's no longer teenage hackers in a
garage trying to rip off credit cards. It is coordinated, organized crime.
   Q: Can you explain how an automated fraud attack works?
   A: These guys are very clever. They will go out on the network and find
machines that are sitting there always on, generally broadband
connections, and they will deposit code that sits dormant. Then they will
build an application that tries credit card numbers. It's very easy to
build a program that knows that a Visa card has 12 digits. You start at
000 for all the digits, and then you move it up incrementally. And you
attack Web sites that have low- value digital goods and services. These
guys would attack the Web sites from the robotic machines they would take
over, and then they'd hit on a number that's good. Every time there's a
successful transaction they immediately use that number on some high-value
site. You can actually find Web sites that teach you how to do this stuff.
   Q: What do you mean by coordinated attacks?
   A: We didn't realize until we started doing some work that our credit
card
transaction-network service and our .com and .net service were actually
seeing the same fraud.
   They attack these machines on the network and take them over as robots,
and then those (computers) start sending tons of spam out. Then you start
to see credit card fraud. And lo and behold, there is a one-to-one
correlation between the IP addresses where the spam is coming from and the
IP addresses that are sending out the attacks.
   Q: What's the protection for that? Aren't there patterns you can detect?
Or do they just route it through so many machines there is no pattern?
   A: I actually thought we were going to be able stop it like this (snaps
his fingers). That we would be able to detect enough of what was going on
and through education and monitoring, we'd be able to see it.
   These guys are much better than I thought. One clue might be, you're told
to go to paypal.com and you click on a link in your e-mail, but the Web
browser address bar actually has some other string in it. We've seen them
write Java code that superimposes a string on top of the actual address.
   Q: How new is that?
   A: Six months.
   Q: What's your profile of the person doing this?
   A: I'm sure there's a lot of different types. In the Eastern Bloc and
some
Southeast Asia countries (there are) trained technicians from economies
that are no longer state sponsored, and legitimate economic activity or
criminal economic activity is probably a decision they make daily. There's
probably plenty of opportunity to be drafted into a black or gray market.
Not to be dramatic about it, (but) some of it is terrorism looking to
raise money. I would say that's a lesser percent of what we see today, but
something that we're certainly monitoring.
   Q: One of the most direct implications of this would be less money spent
online. What kind of role are major retailers from Wal-Mart on down taking
in addressing this, and are they doing enough?
   A: What we see the sites doing is promoting the security more
effectively,
more prominently displaying our (security) seal or others, and more
prominently talking about it in the purchase process. And the stats (on
online shopping) are way up again this year. Convenience, price and
availability are winning out over security concerns. The question becomes,
are we just one major event away from undermining all that confidence?
   Q: And what would your answer be?
   A: I think we probably are.
   Q: What would that major event look like?
   A: It's probably some site with multimillions of registered users, having
that credit card information or those user profiles stolen.
   I am not the fear monger. I am a huge believer that the amount of risk we
are facing on the digital side is manageable versus the rewards we get
from the convenience and the availability and the pricing models. Yet I
think like every society we sometimes take for granted how secure things
are because it's always worked. And if Sept. 11 taught us anything, it's
that once you take these things for granted is when you're most
vulnerable.
   Q: You're so deeply involved in this business, how do you deal with what
your kids can see online?
   A: Poorly. The reality is, this is their neighborhood. (Kids) are online
more than we could ever police.
   You could talk about parental controls and the rest of it. I'm not a big
believer in that. You just can't (monitor) effectively and think you're
going to plug every hole. I think it's more important to make the kids
aware and to have their education about technology include security and
privacy and the rest.
   We're working with a group that's congressionally funded called i-SAFE
(www.i-safe.org). We have a little security token you can plug into the
machine, and we are going to give this out for free. The goal is to have
AOL and MSN and Yahoo and others build chat rooms where you have to plug
this code in that gets generated into the log-in screen. And only kids
will be allowed in.
   Two weekends ago, my daughter said, "Dad, I opened up an e-mail I knew I
shouldn't have opened up, and now my machine is slow." I ran one of the
tools you can get online for free (and found) 937 instances of spyware or
pop-ups or something like that. And my kids, you would think, are aware of
this stuff.
   Q: How old are your kids?
   A: 16 and 14.
   Q: You clashed repeatedly with ICANN (the Internet Corporation for
Assigned Names and Numbers is the body that governs the Internet naming
system). What do you think of their leadership and the job that they're
doing?
   A: I think a strong ICANN, well run, would be a good thing. I think that
if you can create self-regulation, that is always the best model, versus
legislation or country-by-country mandates. But ICANN was created in a
time when the Internet was booming, domain names were growing fivefold a
year, there was just total chaos. And so the reasons for which it was
created no longer exist.
   At the same time, they have been, in our opinion, interfering with our
business, against what our contractual terms are, and so we're in a legal
dispute with them to get some clarity around what we can and can't do.
   Q: Site Finder -- your product that referred people who mistyped a domain
to a search engine that included advertising from which you could profit
-- that did generate a lot of consumer backlash.
   A: Let me stop you there. If there was true consumer backlash, we would
have taken it down in five minutes. We surveyed millions of consumers.
Eighty- four percent of them thought the service was much better than what
their experience had been without it, meaning that either you get an error
page because you typed in the wrong thing, or you get a very similar
service to ours, from Microsoft or AOL. So when people say there was a big
consumer backlash, that's really not quite true.
   There was an Internet technical community backlash to it because it
wasn't
what they were used to. It really was 200 people stepping in to try to
govern what 751 million people used. Quite frankly, we don't think it was
representative of what Internet (users) would have done.
   We've invested millions, if not hundreds of millions, of dollars in these
services and we'd like to build new services on top of them that have some
customer value. We believe Site Finder was one of those.
   I think we're still in the early stages of governance on the Internet,
and
I don't think ICANN has yet found a model that works well.
   In the three years since we started designing international domain names
and the three years since we started designing a wait-list service so
people could reserve names as other people give them up, two dozen
companies have gotten into those businesses, and we're still waiting to
launch the service, because ICANN has one more hoop for us to jump
through. So it's a very odd system where we're supposed to tell our
competitors everything we're going to do years before we get to launch a
service. It's not commercially reasonable.
   Q: This gets back to what we were talking about earlier: the role you're
playing in the huge infrastructure that's playing a giant role in society.
Why should this be in your hands?
   A: Let's put it in perspective. Eighty-five percent of the critical
infrastructure you know about is run by the private sector: the electric
grids, the phone companies, commercial aviation. Those things are as, if
not more, critical.
   Q: They're also much more highly regulated.
   A: Remember, the backstop for us is not ICANN. The backstop for VeriSign
is the Department of Commerce and the U.S. government. I don't think we're
any less or more problematic as a private- sector infrastructure provider
than the electric grid. If VeriSign were going to be sold in a hostile
takeover, that's where the Department of Justice steps in. There are other
outlets.
   Q: What is the right regulatory structure?
   A: Let me go off the record for a second.
   Q: It's all on the record.
   A: It's really more a personal opinion than it is a company policy. I am
very willing to be regulated by the federal government. Yet the Internet
is a borderless society, so that's not going to fly well internationally,
which is why ICANN was created. You can't get two countries to agree on
Internet policy to save their lives.
   There is no self-regulating model that has a backstop of either
legislative (authority) or law enforcement. So I don't think there is a
model that works. We have not figured one out yet that is durable. That's
why ICANN struggles through its mission. I think the International
Telecommunication Union (a United Nations organization) is making noises
that it should get involved. I don't think that's a good idea either
because you get too much of a bilateral country-by-country type of
arrangement there that really will stifle innovation.
   Q: Can I ask you about radio frequency ID tags (RFID makes it possible to
electronically track objects such as consumer products through the
shipping and sales process), what you might have expected in the adoption
of the technology, and where you might have expected us to be now?
   A: First let me give you the mea culpas and the lessons learned. When
(Internet telephone calls) hit in 2000 and all the wireless data stuff hit
in 2004, we were right there, saying, "Yep, this is going to change the
world overnight." What you learn out of all those things is that anything
that's got this massive a technology investment ahead of it is going to
take a long time.
   When we got involved in RFID, we took that lesson to heart, so we told
people (that) RFID is in its very earliest stages. It's going to take two
or three more years before you see any return on investment. And that
would be just at the beginning. So we won the contract to manage the back
end of the RFID system. The same way we handle domain names, we will
handle electronic product codes globally, 100 percent. We have 112 product
codes registered right now, out of a potential market of tens of millions.
So it's very early.
   And that's because we're still fighting the technology curve on the cost
of the tags. We're still fighting the technology curve on the quality of
the readers. I was reading something yesterday. It's a weird technology
fact, but radio frequencies going through liquid can get scrambled, so
cases of beer, the pallet on the outside will get read very accurately,
and the pallet in the middle might get all screwed up. So we've got to get
lower-cost tags, we've got to get better quality readers. Then we have to
get all this infrastructure built through VeriSign and others to make sure
that when this product goes from manufacturer in China to distributor or
warehouse in San Francisco to eventual customer in New York, I know
exactly where it is.
   VeriSign doesn't expect any revenue from RFID until 2007.
   People say gee, if it's going to take that long, why is it all that
interesting? If you do the math of the number of retailers and the number
of products they stock and the number of manufacturers and their
manufacturing plants, the numbers I have seen would suggest 7 to 8 percent
of the profits of a large manufacturer like a Gillette or a Procter &
Gamble are lost through poor inventory tracking, counterfeit products,
whatever may be out of stock on the shelf or out of stock in the back
room. That 7 percent apparently equals about $600 billion a year. So
that's why it's the holy grail for the supply chain.
   But I've sat in meetings with the Wal-Mart and the Kroger and the
Gillette
and the P&G people, and they told the technology industry to go faster.
It's the first time I've really seen the retail industry and the consumer
packaged-good industry (tell them that).
   This is really going to work. It's going to be the Internet of things, as
opposed to the Internet of people and addresses. Just a reminder, that in
'95 there were less than a million domain names, and now there's 35, 36
million. So, it will be a decade, but once we get to it, we'll have tens
of millions of product codes, and they'll be looked up hundreds of
billions of times a day.

ON INTERNET CRIME
   "It's no longer teenage hackers in a garage trying to rip off credit
cards. It is coordinated, organized crime."
   ON INTERNET GOVERNANCE
   "I think we're still in the early stages of governance on the Internet,
and I don't think ICANN has yet found a model that works well."
   ON RADIO FREQUENCY ID TAGS
   "It's going to take two or three more years before you see any return on
investment. And that would be just at the beginning."

BRIEFCASE
   Name: Stratton Sclavos
   Age: 43
   Job: Chairman and chief executive officer of VeriSign; Sclavos was
VeriSign's first CEO when it was spun off from RSA in 1995.
   Education: Bachelor of science in electrical and computer engineering
from
UC Davis
   Family: Wife, Jody; two children, 14 and 16

BEYOND THE BOARDROOM
   You grew up in San Francisco. What are your memories of the city, and
what
do you think of it now? The ballpark has been a great way to come back to
the city. I remember growing up being incredibly cold at Candlestick Park.
I used to take the bus to work through the Fillmore and up to Union
Street, and worked in a seafood restaurant on Union Street, and had a job
at the Exploratorium when I was in high school.
   What book is on your bedside table? It's funny. I read trade magazines
right and left. All I read about is technology. To me that's a way to
relax, to see what's going on in biotech or other technology. I don't read
a lot of management books. When we're on vacation, I read Robert Ludlum.
   What else do you do to relax? I've been a basketball player my whole
life,
and I still play in several leagues now, and I play on the weekend with
friends. And I do a lot with the kids. The kids are athletic, so watching
their games is even more fun.
   Participating in this interview were Chronicle Business Editor Ken Howe,
Deputy Business Editor Alan Saracevic, Technology Editor Marcus Chan,
staff writers Carrie Kirby, Verne Kopytoff and Jenny Strasburg, and
editorial assistant Steve Corder.
----------------------------------------------------------------------
Copyright 2005 SF Chronicle


------ End of Forwarded Message


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/