Interesting People mailing list archives
SFGate: VERISIGN/On the Record: Stratton Sclavos
From: David Farber <dave () farber net>
Date: Mon, 10 Jan 2005 11:13:17 -0500
------ Forwarded Message
From: "dave () farber net" <dave () farber net>
Organization: SFGate, San Francisco, CA
Date: Mon, 10 Jan 2005 08:08 -0800
To: "dave () farber net" <dave () farber net>
Subject: SFGate: VERISIGN/On the Record: Stratton Sclavos
----------------------------------------------------------------------
This article was sent to you by someone who found it on SFGate. The original article can be found on SFGate.com here:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2005/01/09/BUG22AFFKP47.DTL
---------------------------------------------------------------------

Sunday, January 9, 2005 (SF Chronicle)

VERISIGN/On the Record: Stratton Sclavos

In 1995, Stratton Sclavos and RSA founder Jim Bidzos created VeriSign as a spin-off that issued digital certificates, acting as an Internet notary public. Today, VeriSign secures online transactions and is branching out into handheld entertainment, radio frequency ID tags and other up-and-coming technologies. As VeriSign's chief executive officer, Sclavos has an unparalleled view of the Internet, its strengths and weaknesses. We talked with Sclavos about the rising sophistication of online crime, his company's squabbles with the Internet oversight authority and the challenges of being a parent in the digital age.

Q: VeriSign is in a lot of businesses now. Is there a vision that ties all these things together?

A: What we have really been about over the last five years is assembling a set of assets that all plug together to make what we call intelligent infrastructure. If you look at the Internet, we're through the first 10 years of this massive growth, (with) more people getting on and more messages being sent. We think we're at an inflection point where there's too much complexity and too much usage to do things just by adding more pipes. So the intelligent infrastructure we do sits above the pipes and below the applications and the services and makes things more efficient.

We route .com and .net addresses 14 billion times a day. We secure 400,000 Web sites so people can communicate with their customers. We process credit cards for those same Web sites so they can take the money and put it in a bank account. Five years from now, whether it's radio frequency ID tags on Gillette razors or Web addresses for .com and .net or phone numbers that have become voice-over IP as opposed to traditional telecom switches, we'll have those big directories running inside VeriSign data centers that make all that stuff connect and interoperate.

Q: Why should such important infrastructure be handled by the private sector?

A: We are a regulated business in .com and .net service. We have over the last five years invested $200 million in research and development and capital equipment to completely rebuild that network. You need to fuel innovation to keep this infrastructure growing, and I don't think the government would be well suited to that. We were here before the Internet explosion. We're here after the burst of the bubble. And in those nine years, the machines have never been down, and we've taken the systems from being able to handle about 20 billion interactions a day to now, (when) our top capacity is north of 200 billion a day. There are people at VeriSign who will work 24 hours a day if even one bit of the database that we manage gets corrupted. And we will do anything in our power to fix it within seconds if we can and minutes if we can't.

We have shared our technology and our software-monitoring tools with the Department of Homeland Security since almost its first days. They can see the network the same way we do. We just agreed to the same kind of provisions with the European Union to give their new security-monitoring center these kinds of tools. We're probably five to six years ahead of where these governments would be in thinking about how to monitor the network. And we're trying to bring them all up to that same level of visibility.

Q: What is your role in the Department of Homeland Security and are you involved with the war on terrorism?

A: We are an avid participant in their information-sharing private-public partnership. We provide them tools that we have designed so that they can see the network and its trouble the same way we can, and then we're involved in certain forensic activities on an as-needed basis.

Q: What would something like that entail?

A: If we process 35 percent of North American e-commerce, we manage 14 billion Web connections a day. We manage the firewalls and intrusion detection centers for some of the largest financial service companies in the world. We see all the network traffic and all the network problems. So we've become an early warning system in many respects for a lot of what governments as well as commercial interests are looking for.

Q: Is this about cyber-terrorism or helping the government when they're looking for the source of terrorist money?

A: It's really all of those things. You are looking at the digital equivalent of money laundering and espionage and commercial competitive information. All those things that we talk about in terms of physical terrorism or just criminal financial activity we are now seeing on the network. We're in the very earliest stages of understanding just how much of that activity can be found quickly enough to do something about it.

Q: Can you talk about the rise of common scams like phishing (scam e-mails that trick people into revealing financial information)? Doesn't that dwarf any other kind of crime online?

A: It's a very real threat. It tends to be small economic value multiplied by potentially millions of people. So it's a big deal, and it undermines confidence in going online. The thing I'm actually more interested in watching is the fraud (we are seeing) on these networks at an escalating rate. From what we can tell, (they) are coordinated attacks.

If you watch what's going on, the number of fraudulent transactions that are programmed and automated from the Eastern Bloc, from Indonesia, from these various places, it's just mind boggling. It's no longer teenage hackers in a garage trying to rip off credit cards. It is coordinated, organized crime.

Q: Can you explain how an automated fraud attack works?

A: These guys are very clever. They will go out on the network and find machines that are sitting there always on, generally broadband connections, and they will deposit code that sits dormant. Then they will build an application that tries credit card numbers. It's very easy to build a program that knows that a Visa card has 12 digits. You start at 000 for all the digits, and then you move it up incrementally. And you attack Web sites that have low-value digital goods and services. These guys would attack the Web sites from the robotic machines they would take over, and then they'd hit on a number that's good. Every time there's a successful transaction they immediately use that number on some high-value site. You can actually find Web sites that teach you how to do this stuff.

Q: What do you mean by coordinated attacks?

A: We didn't realize until we started doing some work that our credit card transaction-network service and our .com and .net service were actually seeing the same fraud. They attack these machines on the network and take them over as robots, and then those (computers) start sending tons of spam out. Then you start to see credit card fraud. And lo and behold, there is a one-to-one correlation between the IP addresses where the spam is coming from and the IP addresses that are sending out the attacks.

Q: What's the protection for that? Aren't there patterns you can detect? Or do they just route it through so many machines there is no pattern?

A: I actually thought we were going to be able to stop it like this (snaps his fingers). That we would be able to detect enough of what was going on and through education and monitoring, we'd be able to see it. These guys are much better than I thought. One clue might be, you're told to go to paypal.com and you click on a link in your e-mail, but the Web browser address bar actually has some other string in it. We've seen them write Java code that superimposes a string on top of the actual address.

Q: How new is that?

A: Six months.

Q: What's your profile of the person doing this?

A: I'm sure there's a lot of different types. In the Eastern Bloc and some Southeast Asia countries (there are) trained technicians from economies that are no longer state sponsored, and legitimate economic activity or criminal economic activity is probably a decision they make daily. There's probably plenty of opportunity to be drafted into a black or gray market. Not to be dramatic about it, (but) some of it is terrorism looking to raise money. I would say that's a lesser percent of what we see today, but something that we're certainly monitoring.

Q: One of the most direct implications of this would be less money spent online. What kind of role are major retailers from Wal-Mart on down taking in addressing this, and are they doing enough?

A: What we see the sites doing is promoting the security more effectively, more prominently displaying our (security) seal or others, and more prominently talking about it in the purchase process. And the stats (on online shopping) are way up again this year. Convenience, price and availability are winning out over security concerns. The question becomes, are we just one major event away from undermining all that confidence?

Q: And what would your answer be?

A: I think we probably are.

Q: What would that major event look like?

A: It's probably some site with multimillions of registered users, having that credit card information or those user profiles stolen. I am not the fear monger. I am a huge believer that the amount of risk we are facing on the digital side is manageable versus the rewards we get from the convenience and the availability and the pricing models. Yet I think like every society we sometimes take for granted how secure things are because it's always worked. And if Sept. 11 taught us anything, it's that once you take these things for granted is when you're most vulnerable.

Q: You're so deeply involved in this business, how do you deal with what your kids can see online?

A: Poorly. The reality is, this is their neighborhood. (Kids) are online more than we could ever police. You could talk about parental controls and the rest of it. I'm not a big believer in that. You just can't (monitor) effectively and think you're going to plug every hole. I think it's more important to make the kids aware and to have their education about technology include security and privacy and the rest. We're working with a group that's congressionally funded called i-SAFE (www.i-safe.org). We have a little security token you can plug into the machine, and we are going to give this out for free. The goal is to have AOL and MSN and Yahoo and others build chat rooms where you have to plug this code in that gets generated into the log-in screen. And only kids will be allowed in.

Two weekends ago, my daughter said, "Dad, I opened up an e-mail I knew I shouldn't have opened up, and now my machine is slow." I ran one of the tools you can get online for free (and found) 937 instances of spyware or pop-ups or something like that. And my kids, you would think, are aware of this stuff.

Q: How old are your kids?

A: 16 and 14.

Q: You clashed repeatedly with ICANN (the Internet Corporation for Assigned Names and Numbers is the body that governs the Internet naming system). What do you think of their leadership and the job that they're doing?

A: I think a strong ICANN, well run, would be a good thing. I think that if you can create self-regulation, that is always the best model, versus legislation or country-by-country mandates. But ICANN was created in a time when the Internet was booming, domain names were growing fivefold a year, there was just total chaos. And so the reasons for which it was created no longer exist. At the same time, they have been, in our opinion, interfering with our business, against what our contractual terms are, and so we're in a legal dispute with them to get some clarity around what we can and can't do.

Q: Site Finder -- your product that referred people who mistyped a domain to a search engine that included advertising from which you could profit -- that did generate a lot of consumer backlash.

A: Let me stop you there. If there was true consumer backlash, we would have taken it down in five minutes. We surveyed millions of consumers. Eighty-four percent of them thought the service was much better than what their experience had been without it, meaning that either you get an error page because you typed in the wrong thing, or you get a very similar service to ours, from Microsoft or AOL. So when people say there was a big consumer backlash, that's really not quite true. There was an Internet technical community backlash to it because it wasn't what they were used to. It really was 200 people stepping in to try to govern what 751 million people used. Quite frankly, we don't think it was representative of what Internet (users) would have done. We've invested millions, if not hundreds of millions, of dollars in these services and we'd like to build new services on top of them that have some customer value. We believe Site Finder was one of those. I think we're still in the early stages of governance on the Internet, and I don't think ICANN has yet found a model that works well.

In the three years since we started designing international domain names and the three years since we started designing a wait-list service so people could reserve names as other people give them up, two dozen companies have gotten into those businesses, and we're still waiting to launch the service, because ICANN has one more hoop for us to jump through. So it's a very odd system where we're supposed to tell our competitors everything we're going to do years before we get to launch a service. It's not commercially reasonable.

Q: This gets back to what we were talking about earlier: the role you're playing in the huge infrastructure that's playing a giant role in society. Why should this be in your hands?

A: Let's put it in perspective. Eighty-five percent of the critical infrastructure you know about is run by the private sector: the electric grids, the phone companies, commercial aviation. Those things are as, if not more, critical.

Q: They're also much more highly regulated.

A: Remember, the backstop for us is not ICANN. The backstop for VeriSign is the Department of Commerce and the U.S. government. I don't think we're any less or more problematic as a private-sector infrastructure provider than the electric grid. If VeriSign were going to be sold in a hostile takeover, that's where the Department of Justice steps in. There are other outlets.

Q: What is the right regulatory structure?

A: Let me go off the record for a second.

Q: It's all on the record.

A: It's really more a personal opinion than it is a company policy. I am very willing to be regulated by the federal government. Yet the Internet is a borderless society, so that's not going to fly well internationally, which is why ICANN was created. You can't get two countries to agree on Internet policy to save their lives. There is no self-regulating model that has a backstop of either legislative (authority) or law enforcement. So I don't think there is a model that works. We have not figured one out yet that is durable. That's why ICANN struggles through its mission. I think the International Telecommunication Union (a United Nations organization) is making noises that it should get involved. I don't think that's a good idea either because you get too much of a bilateral country-by-country type of arrangement there that really will stifle innovation.

Q: Can I ask you about radio frequency ID tags (RFID makes it possible to electronically track objects such as consumer products through the shipping and sales process), what you might have expected in the adoption of the technology, and where you might have expected us to be now?

A: First let me give you the mea culpas and the lessons learned. When (Internet telephone calls) hit in 2000 and all the wireless data stuff hit in 2004, we were right there, saying, "Yep, this is going to change the world overnight." What you learn out of all those things is that anything that's got this massive a technology investment ahead of it is going to take a long time. When we got involved in RFID, we took that lesson to heart, so we told people (that) RFID is in its very earliest stages. It's going to take two or three more years before you see any return on investment. And that would be just at the beginning.

So we won the contract to manage the back end of the RFID system. The same way we handle domain names, we will handle electronic product codes globally, 100 percent. We have 112 product codes registered right now, out of a potential market of tens of millions. So it's very early. And that's because we're still fighting the technology curve on the cost of the tags. We're still fighting the technology curve on the quality of the readers. I was reading something yesterday. It's a weird technology fact, but radio frequencies going through liquid can get scrambled, so cases of beer, the pallet on the outside will get read very accurately, and the pallet in the middle might get all screwed up.

So we've got to get lower-cost tags, we've got to get better quality readers. Then we have to get all this infrastructure built through VeriSign and others to make sure that when this product goes from manufacturer in China to distributor or warehouse in San Francisco to eventual customer in New York, I know exactly where it is. VeriSign doesn't expect any revenue from RFID until 2007. People say gee, if it's going to take that long, why is it all that interesting? If you do the math of the number of retailers and the number of products they stock and the number of manufacturers and their manufacturing plants, the numbers I have seen would suggest 7 to 8 percent of the profits of a large manufacturer like a Gillette or a Procter & Gamble are lost through poor inventory tracking, counterfeit products, whatever may be out of stock on the shelf or out of stock in the back room. That 7 percent apparently equals about $600 billion a year. So that's why it's the holy grail for the supply chain.

But I've sat in meetings with the Wal-Mart and the Kroger and the Gillette and the P&G people, and they told the technology industry to go faster. It's the first time I've really seen the retail industry and the consumer packaged-good industry (tell them that). This is really going to work. It's going to be the Internet of things, as opposed to the Internet of people and addresses. Just a reminder that in '95 there were less than a million domain names, and now there's 35, 36 million. So, it will be a decade, but once we get to it, we'll have tens of millions of product codes, and they'll be looked up hundreds of billions of times a day.

ON INTERNET CRIME
"It's no longer teenage hackers in a garage trying to rip off credit cards. It is coordinated, organized crime."

ON INTERNET GOVERNANCE
"I think we're still in the early stages of governance on the Internet, and I don't think ICANN has yet found a model that works well."

ON RADIO FREQUENCY ID TAGS
"It's going to take two or three more years before you see any return on investment. And that would be just at the beginning."

BRIEFCASE
Name: Stratton Sclavos
Age: 43
Job: Chairman and chief executive officer of VeriSign; Sclavos was VeriSign's first CEO when it was spun off from RSA in 1995.
Education: Bachelor of science in electrical and computer engineering from UC Davis
Family: Wife, Jody; two children, 14 and 16

BEYOND THE BOARDROOM

You grew up in San Francisco. What are your memories of the city, and what do you think of it now?

The ballpark has been a great way to come back to the city. I remember growing up being incredibly cold at Candlestick Park. I used to take the bus to work through the Fillmore and up to Union Street, and worked in a seafood restaurant on Union Street, and had a job at the Exploratorium when I was in high school.

What book is on your bedside table?

It's funny. I read trade magazines right and left. All I read about is technology. To me that's a way to relax, to see what's going on in biotech or other technology. I don't read a lot of management books. When we're on vacation, I read Robert Ludlum.

What else do you do to relax?

I've been a basketball player my whole life, and I still play in several leagues now, and I play on the weekend with friends. And I do a lot with the kids. The kids are athletic, so watching their games is even more fun.

Participating in this interview were Chronicle Business Editor Ken Howe, Deputy Business Editor Alan Saracevic, Technology Editor Marcus Chan, staff writers Carrie Kirby, Verne Kopytoff and Jenny Strasburg, and editorial assistant Steve Corder.
----------------------------------------------------------------------
Copyright 2005 SF Chronicle
------ End of Forwarded Message