The Seven Wonders of the Business Tech World

Just over 2000 years ago, Philo of Byzantium sat down and made a list of the seven wonders of the world at that time. Like any such subjective list, it was met with criticism in its own time. The historian Herodotus couldn’t believe the Egyptian Labyrinth was left off and Callimachus argued forcefully for the Ishtar Gate to be included.
At Gigaom Change in September (early adopter pricing still available), we will explore the seven technologies that I think will most affect business in the near future. I would like to list the seven technologies I chose and why I chose them. Would you have picked something different?
Here is my list:
Robots – This one is pretty easy. Even if you make your trade in 1’s and 0’s and never touch an atom, robots will still impact some aspect of your business, even if it is upstream. Additionally, the issue of robots has launched a societal debate about unemployment, minimum wage, basic income, and the role of “working for a living” in the modern world. We have dreamed of robots for eons, feared them for decades, and now we finally get to see what their real effect on humanity will be.
AI – This is also, forgive the pun, a no-brainer. AI is a tricky one though. Some of the smartest people on the planet (Hawking, Gates, Musk) say we should fear it while others, such as the Chief Scientist of Baidu say worrying about AI is like worrying about overpopulation on Mars. Further, the estimates to when we might see an AGI (artificial general intelligence, an AI that can do a wide range of tasks like a human) varies from 5 years to 500 years. Our brains are, arguably, what make us human, and the idea that an artificial brain might be made gets our attention. What effect will this have on the workplace? We will find out.
AR/VR – Although we think of AR/VR as (at first) a consumer technology, the work applications are equally significant. You only have to put on a VR headset for about three minutes to see that some people, maybe a good number, will put this device on and never take it off. But on the work front, it is still an incredibly powerful tool, able to overlay information from the digital world onto the world of atoms. Our brains aren’t quite wired up to imagine this in its full flowering, but we will watch it unfold in the next decade.
Human/Machine Interface – Also bridging the gap between the real world and the virtual one is the whole HMI front. As machines become ever more ubiquitous, our need to seamlessly interface with them grows. HMI is a wide spectrum of technologies: From good UIs to eye-tracking hardware to biological implants, HMI will grow to the point where the place where the human ends and the machine begins will get really blurry.
3D Printing – We call this part of Gigaom Change “3D Printing” but we mean it to include all the new ways we make stuff today. But there isn’t a single term that encapsulates that, so 3D Printing will have to suffice. While most of our first-hand experience with 3D printing is single-color plastic demo pieces, there is an entire industry working on 3D printing new hearts and livers, as well as more mundane items like clothing and food (“Earl Grey, hot”). From a business standpoint, the idea that quantity one has the same unit price as quantity one-thousand is powerful and is something we will see play out sooner than later.
Nanotechnology – I get the most pushback from nano because it seems so far out there. But it really isn’t. By one estimate, there are two thousand nanotech products on the market today. Nano, building things with dimensions of between 1 and 100 nanometers, is already a multi-billion dollar industry. On the consumer side, we will see nano robots that swim around in your blood cleaning up what ails you. But on the business side, we will see a re-thinking of all of the material sciences. The very substances we deal with will change, and we may even be said to be not in the iron nor stone age, but the nano age, where we make materials that were literally impossible to create just a few years ago.
Cybersecurity – This may seem to be the one item that is least like all of the others, for it isn’t a specific technology per se. I included it though because as more of our businesses depend on the technologies that we use, the more our businesses are susceptible to attacks by technology. How do we build in safeguards in a world where most of us don’t really even understand the technologies themselves, let alone, subtle ways that they can be exploited?
Those are my seven technologies that will most effect business. I hope you can come to Austin Sept 21-23 to explore them all with us at the Gigaom Change Leader’s Summit.
Byron Reese

How PayPal uses deep learning and detective work to fight fraud

Hui Wang has seen the nature of online fraud change a lot in the 11 years she’s been at PayPal. In fact, a continuous evolution of methods is kind of the nature of cybercrime. As the good guys catch onto one approach, the bad guys try to avoid detection by using another.

Today, said Wang, PayPal’s senior director of global risk sciences, “The fraudsters we’re interacting with are… very unique and very innovative. …Our fraud problem is a lot more complex than anyone can think of.”

In deep learning, though, Wang and her team might have found a way to help level the playing field between PayPal and criminals who want exploit the online payment platform.

Deep learning is a somewhat new approach to machine learning and artificial intelligence that has caught fire over the past few years thanks to companies such as [company]Google[/company], [company]Facebook[/company], [company]Microsoft[/company] and Baidu, and a handful of prominent researchers (some of whom now work for those companies). The field draws a lot of comparisons to the workings of the human brain because deep learning systems use artificial neural network algorithms, although “inspired by the brain” might be a more accurate description than “modeled after the brain.”

How DeepFace sees Calista Flockhart. Source: Facebook

A visual diagram of a deep neural network for facial recognition. Source: Facebook

Essentially, the stacks of neural networks that comprise deep learning models are very good at recognizing patterns and features of the data they’re trained on, which has led to some huge advances in computer vision, speech recognition, text analysis, machine listening and even video-game playing in the past few years. You can learn more about the field at our Structure Data conference later this month, which includes deep learning and artificial intelligence experts from Facebook, Microsoft, Yahoo, Enlitic and other companies.

It turns out deep learning models are also good at identifying the complex patterns and characteristics of cybercrime and online fraud. Machine-learning-based pattern recognition has long been a major part of fraud detection practices, but Wang said PayPal has seen a “major leap forward” in its abilities since it began investigating precursor (what she calls “non-linear”) techniques to deep learning several years ago. PayPal has been working with deep learning itself for the past two or three years, she said.

Some of these efforts are already running in production as part of the company’s anti-fraud systems, often in conjunction with human experts in what Wang describes as a “detective-like methodology.” The deep learning algorithms are able to analyze potentially tens of thousands of latent features (time signals, actors and geographic location are some easy examples) that might make up a particular type of fraud, and are even able to detect “sub modus operandi,” or different variants of the same scheme, she said.

Some of PayPal's fraud-management options for developers.

Some of PayPal’s fraud-management options for developers.

The patterns are much more complex than “If someone does X, then the result is Y,” so it takes artificial intelligence to analyze them at a level much deeper than humans can. “Actually,” Wang said, “that’s the beauty of deep learning.”

Once the models detect possible fraud, human “detectives” can get to work assessing what’s real, what’s not and what to do next.

PayPal uses a champions-and-challengers approach to deciding which fraud-detection models to rely on most heavily, and deep learning is very close to becoming the champion. “We’ve seen roughly a 10 percent delta on top of today’s champion,” Wang said, which is very significant.

And as the fraudulent behavior on PayPal’s platform continues to grow more complex, she’s hopeful deep learning will give her team the ability to adapt to these new patterns faster than before. It’s possible, for example, that PayPal might some day be able to deploy models that take live data from its system and become smarter, by retraining themselves, in real time.

“We’re doing that to a certain degree,” Wang said, “but I think there’s still more to be done.”

Hackers stole up to $1B from banks worldwide, Kaspersky says

A gang of hackers has, over the course of a year or more, stolen up to $1 billion from financial institutions around the world, including some in the U.S., according to a new report by cybersecurity firm Kasperksy Lab. 

The Carbanak gang — named after the malware they installed on computers at financial institutions — targeted marks in the U.S., Germany and Asia and possibly elsewhere, according to Kaspersky’s Threatpost blog. Instead of relying on phishing attacks that goes after end-user passwords, they targeted bank employees themselves, sending email messages containing malware that then recorded internal interactions to learn the banks’ procedures and processes, in some cases feeding video back to their mothership.

One reason the payoff may have been so big was that the gang was patient, waiting to make their move for months and also moving on from one bank to another after making their, um withdrawals, typically grabbing up no more than $10 million per institution. In some cases, ATM just started spewing cash without anyone requesting it. The money was then picked up by cash “mules.” In others, the banks network was used to move money out of the organization into the cybercriminal’s own accounts. And in some cases, fake accounts were created with high balances which were then tapped by mules.

From the Threatpost blog:

The hackers lived on the bank networks for months after successfully gaining a network foothold, generally through a spearphishing email laced with a malicious .CPL attachment, and in some cases, Word documents. The attachments contained the backdoor named Carbanak which is capable of many of the same data stealing capabilities as notorious APT-style attacks, including remote control.

carbanak targetsKaspersky posted its full report on Monday, an advance copy of which it provided the New York Times. Speaking with that paper, Chris Doggett, managing director of Kaspersky’s North America office characterized this as “the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.” 

As is usually the case, no institutions were named because of non-disclosure agreements. It’s not exactly good advertising to admit that your customers funds are at risk, after all.

Kaspersky told the Times it worked with Interpol and Europol to gather information. Sanjay Virmani, director of Interpol’s digital crime center told BBC News that the “attacks again underline the fact that criminals will exploit any vulnerability in any system.”


Next up from the Obama Administration: A new cybersecurity agency

If you don’t think threats to private data are a problem, you’re not paying attention. Breaches occur seemingly by the day, although we often don’t always hear about them in real time as companies (Sony, Anthem, JPMorgan Chase) and government agencies (the unsecured White House network) scramble to patch their systems.

Now the Obama Administration is poised to create a new agency — the Cyber Threat Intelligence Integration Center — to fight back, according to the Washington Post. Lisa Monaco, President Obama’s assistant homeland security and counterterrorism advisor, will announce the news later Tuesday.

This is not the first time in recent history that world events have prompted a new agency. The 9/11 attacks spurred the creation of National Counterterrorism Center, for example.

Everyone is scrambling to deal with these threats. Of course the creation of another organization will spark discussion about whether we need yet another level of bureaucracy to deal with a problem. After all, silos of information held by different agencies are often blamed for security snafus.

I usually don’t quote from any of the myriad ambulance-chasing pitches that come in on stories like this, but this emailed statement attributed to Jeff Williams, CTO of Contrast Security, summed up the decentralized data problem pretty well:

How will the new center work with DHS, DISA, NSA, CIA, FBI … all of whom have some responsibility for cybersecurity.  In principle, having a single “belly button” is a nice idea.  But in reality, it’s just one more agency with cybersecurity responsibility.

But the problem is obviously also a private sector opportunity and tech companies are snatching up security expertise. The latest example being yesterday’s news that [company]Hewlett-Packard[/company] is buying encryption specialist Voltage Security. Last summer, FireEye bought Mandiant, a high-flying cyber forensics company, for $1 billion.

This story was updated at 11:08 a.m. PST with an additional quote.

Anthem breach: Vendors never let a good crisis go to waste

Given this week’s news of a potentially huge security breach at insurance provider Anthem, security vendors of all types are eager to give advice, and, oh, get their company names in front of affected consumers or (better yet) other big companies spooked by what happened to Anthem.

The [company]Anthem[/company] breach, in which hackers accessed names, addresses, birth dates, medical ID numbers and social security numbers of customers, could affect up to 80 million people.

So, what could Anthem do better going forward? According to what showed up in my inbox, it should apply file-level protection (Varonis), use fraud detection and behavioral analysis (NuData Security), apply cloud-based security (Zscalar) and speed up disclosure and response (Co3 Systems and Incident Response Management Systems). You get the picture.

Given that no one outside of Anthem, its vendors and maybe the hackers, actually knows what systems it had in place, it seems rather presumptuous for security vendors to insert themselves as would-be saviors, but such is the way of corporate PR.

And now for the real victims

So now that we know what security companies thinks other customer-facing vendors should do — which is basically, “buy our stuff” what about the  poor schlubs whose information was stolen? What are they supposed to do? Well there was the usual advice from the National Consumers League and others.

People should be more suspicious than usual of email from unknown people — bad guys use email to launch phishing attacks. Don’t open messages from anyone you don’t know; don’t click on links in email unless you’re sure where it will take you (hover over the link to see if the URL looks legit); don’t respond to odd email if you happen to open it. Stop reusing passwords across sites or, better yet, get a password manager. Use two-factor authentication. Yaddayaddayadda.

If you suspect credit card fraud, get your credit reports or credit score updates (Credit Karma is a good and free service), although, as NBC reported, the credit agencies will not catch medical identity theft. In that scenario, a person’s purloined medical ID number could be used at hospitals, ERs and pharmacies to get care and drugs, “racking up charges and wrecking victims’ medical records.”

The best way to detect medical ID theft is to scrupulously check your Explanation of Benefits documents each and every time. And make sure to shred all medical documents.

At this point, given all the breaches at Target, Home Depot, JPMorgan Chase and now Anthem, it’s probably safe to assume that some of your information is already “out there,” so do as much as you can yourself to protect your assets. No vendor is going to do it for you.

Another big data breach, this time at insurance company Anthem

Anthem, the nation’s second largest insurance provider, was hit by hackers who stole lots of customer data including names, birth dates, medical IDs, social security numbers, snail-mail and e-mail addresses, and employment information —  but allegedly no credit card or medical information, the company said. Although with all that other information out there, that may not be much comfort.

In a letter to customers, Anthem CEO Joseph Swedish acknowledged that his own information was stolen but said there is no evidence that credit card or medical information were compromised. [company]Anthem[/company], formerly known as [company]Wellpoint[/company], posted more information here for customers.

Little is known about which of the company’s databases or applications were hijacked, but Anthem said all of its businesses were affected. And there was the usual butt-covering: Swedish said the company “immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.” Anthem also characterized the breach as a result of “a very sophisticated external cyber attack.” But, seriously, what else would they say? As a couple wiseguys on Twitter put it: “It’s better than saying you left the front door open.” Or the keys on the visor.

Anthem also said it hired Mandiant, a sort of cybersecurity SWAT team, to assess its systems and recommend solutions. Cybersecurity specialist Brian Krebs has more on the potential impact.

The topic of the breach came up during a call earlier today during which the White House discussed its interim report on big data opportunties with reporters. The gist was that Anthem appeared to have notified authorities within 30 days of finding the problem, which is what the White House would stipulate in bills it is formulating.

The security of healthcare data is of particular concern — and preserving patient privacy was the impetus behind HIPAA and other regulations. But, as Gigaom pointed out earlier this year, that data security may be as much fiction as fact.

The benefits of consolidating digital patient data in one place so that a patient or her doctors can access it spells convenience for authorized users, but that data conglomeration also offers a compelling target for bad guys.

At this point it would be natural for a given consumer to feel both spooked and jaded by these security snafus. Last year alone, there were major breaches at Target, Home Depot, and JPMorgan Chase, affecting hundreds of millions of people in aggregate.

Report: China wants backdoors in imported tech, but only its own

Western companies are doing big business in China, but storm clouds lie on the horizon. According to a New York Times report, new banking security rules approved in the People’s Republic at the end of 2014 require those selling hardware and software to Chinese banks to install backdoors for the benefit of Chinese security services.

The rules also state that companies must “turn over secret source code [and] submit to invasive audits.” While seriously problematic for many firms, this element isn’t particularly surprising.

In the wake of Edward Snowden’s NSA revelations and the U.S.’s indictment of Chinese army officials for industrial espionage, China’s authorities have repeatedly implied that U.S. products are themselves a threat to national security, because they track users and/or may contain NSA backdoors. Reports in May 2014 suggested that China was considering banning banks from using [company]IBM[/company] servers.

On the consumer side, [company]Apple[/company] for one has already reportedly agreed to let China’s security services screen its products to ensure their safety. However, many firms may find this demand impossible to meet, due to intellectual property and security concerns.

Of course, the U.S. is also pushing companies dealing in communications devices and services to install backdoors for its own intelligence and law enforcement purposes. Both administrations – and that of the U.K. — want firms such as Apple to hand over a key to users’ private communications, even though the companies have recently been moving to a more secure end-to-end encryption model where they don’t hold any keys. This is effectively a backdoor demand, though authorities generally prefer to call it “lawful intercept.”

Draft Chinese anti-terrorism laws are pushing for the same thing. This is one of the many problems with official policies that undermine genuinely strong encryption. Particularly in a globalized trade context where your nation’s companies want to make money in foreign markets, it’s a bit hopeful to think backdoor privileges can be reserved only for your own security apparatus.

However, the Times piece talked about China’s new banking regulations forcing equipment makers to build in “ports” for official monitoring purposes. This is where things get really complicated: the rules may require companies to create special versions of their products for China, and U.S. tech firms and the Chamber of Commerce are reportedly anxious that the move may be protectionist in nature.

Obama to target botnets and spyware as part of cybercrime agenda

President Obama, who this week announced plans to better protect American consumers and businesses from privacy breaches, will also propose new laws to go after those who use computer networks to commit crimes.

The details are to be announced Tuesday afternoon at a cybersecurity event in Virginia, but a White House fact sheet shown to Politico refers specifically to the overseas sale of spyware, and to cracking down on botnets:

The law enforcement proposal will contain provisions broadening prosecutors’ powers against cyber crime, for example by criminalizing the overseas sale of stolen U.S. financial information. It would also allow for the prosecution of the sale or rent of botnets, and would allow courts to shut down botnets engaged in criminal activity such as distributed denial of service attacks.

The recent White House focus on computer crime and privacy coincides with a spate of high-profile hacking episodes, targeting companies like Sony and Microsoft, that have increased public awareness of cybersecurity issues.

The Obama Administration has also indicated it will weave these themes into next week’s State of the Union address. Ordinarily, the topics included in the annual speech are a closely guarded secret, but this year the White House has decided to break with tradition and air some of them beforehand.

According to the New York Times, Obama will also propose laws to encourage companies to share security incidents with industry groups and with Homeland Security. The measures will also reportedly sweep more malicious computer activities, such as operating botnets, under a law known as RICO, which stands for the Racketeer Influenced and Corrupt Organizations Act.

RICO provides prosecutors with the power to seek harsh penalties against those who commit various other crimes as part of an organization.

While any proposed criminal measures Obama proposes are likely to be popular with Congress, which is likewise paying renewed attention to cybersecurity issues, there is also a risk that the new legal tools could be abused by overzealous prosecutors.

Many scholars and civil liberties organizations are already critical of how the federal government uses existing computer law statutes, perceiving the laws as overly broad and out-of-date. The White House, however, appears to be anticipating such criticism and is planning to reform the notorious Computer Fraud and Abuse Act to ensure “insignificant conduct does not fall within the scope of the statute.”

What’s big in venture capital: Security, security, security

Steve Herrod has seen a lot in the enterprise IT space, having spent 12 years at VMware — the last several years as CTO and vice president of R&D — before leaving in 2013 to join venture capital firm General Catalyst Partners. And right now, after seemingly dozens of high-profile cyberattacks in as many months, Herrod has security on his mind. He came on the Structure Show podcast this week to tell how he’s thinking about that space.

Here are a few choice quotes from the interview (including about Docker and the pace of tech innovation), but it’s definitely worth hearing the whole thing. Herrod offers up a lot more thoughts on the cybersecurity. as well as cloud computing, containers and the public appetite for tech IPOs.

[soundcloud url=”” params=”color=ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false” width=”100%” height=”166″ iframe=”true” /]

Download This Episode

Subscribe in iTunes

The Structure Show RSS Feed

Security as corporate strategy

“For me, it’s the first time that sort of infrastructure issues are coming up at board-of-director meeting for completely non-technology companies,” Herrod said. “Nobody wants to be in the news whatsoever, and the cost of these break-ins is obviously ridiculously high.”

There is no enterprise force field

“I think you should just assume bad things are going to happen, so let’s think about how to mitigate or restrict how bad they can be,” Herrod explained.

“Forget perimeter,” he added. “Let’s think about how do we wrap data, how do we write applications, how do we use identity as the very core, regardless of where we’re accessing things?”

Mobilize 2011: Stacey Higginbotham – Senior Writer, GigaOM; Stephen Herrod – CTO, VMware

Steve Herrod at Structure 2011.

It’s time to give the cloud it’s due on security

“If you meet the ops teams and the groups that are there building these clouds, I think they’re far more secure than what’s going on in the private data centers because they have much more-intensive staffs,” Herrod said. “These guys have gone through every audit — they’re the superset of every audit that their customers have to go through, and they see the most-sophisticated attacks and thus have to do a lot of work behind it.”

2014 was the year of the container; 2015 will be a year of awakening

“Last year was the year of Docker awareness. I think it was the most-publicized open source thing since OpenStack,” Herrod said. “… But I think this is the year you see the hype die down and kind of the realities of what it means to use these containers [and] the fighting that will go on between a bunch of different vendors offering the best approach to containers.”

Keeping up with new tools is a full-time job

“I actually see all the time the developer back channels on what is the most-productive toolset or what is the coolest way to build this new type of startup company,” Herrod said. “That travels super-quickly through conferences, through articles, through social networks, and thus I think you get this herd mentality moving to the next new thing very quickly.”

Yup, 2014 was a big year in cloud

2014 was the year in which both Microsoft and Google got serious about their public cloud options and taking on Amazon Web Services directly with their own Infrastructure as a Service and associated services.

That both of these companies have extremely deep pockets is not lost on the market leader AWS which continues to roll out new, and higher-level services frequently. If you’re a cloud deployer or would-be cloud deployer, AWS Re:Invent is a must-attend event.

Long story short: [company]Google[/company] and [company]Microsoft[/company] have made huge strides, but AWS, with its 8-year head start, remains the cloud to beat. It’s a good time to be a cloud customer provided you can track the dueling product releases and price cuts and can manage to keep yourself out of the vendor lock-in that afflicted many IT shops in the past few decades.

Cybersecurity fears grow

The counterpoint to all of the above is that 2014 was also a year that saw scary security breaches including the latest: Anonymous is claiming credit for filching 13,000 passwords and credit card data of users with [company]Sony[/company] PlayStation, Microsoft Xbox LIVE, and [company]Amazon[/company] accounts. And, if you don’t think these attacks don’t put even more fear of God (and cloud) in corporate IT buyers, you have another think coming.

Data security concerns remain the biggest inhibitor to cloud adoption. This is true even though most IT folks who, if they’re being honest, would admit privately that their own on-premises server rooms, are hardly paragons of security. But perception is reality and people are wary of putting valuable data in a cloud they can’t control. This is a problem that will only grow with the new year.

As [company]General Catalyst[/company] Managing Partner Steve Herrod wrote recently:

… As bad as 2014 has been, and it has been bad, we’re just seeing the tip of the iceberg. Given the steady increase in value going through our systems (credit cards numbers, personal information, IP), organized crime and nation-sponsored attacks will continue to rise in quantity and sophistication.

Cloud turf war

This is worrisome for Jane Q. Consumer, but even more so for big IT vendors. all of whom are trying to woo corporate customers to their respective clouds. Legacy giants [company]IBM[/company], [company]HP[/company], [company]Oracle[/company], [company]VMware[/company], [company]Dell[/company], Microsoft all want to keep their existing customers in house and (dare they hope?) win new customers as well. Their well-founded fear — other than that security fiascos will keep people away from cloud altogether — is that a ton of those jobs are flowing to AWS which is somehow both an IT upstart and the industry leader in cloud.

[company]Google[/company] is the wild card here. The company which knows a little something about building massively scaled services, is showing itself to be serious about wooing enterprise customers to its  cloud as well — although there was some skepticism on that front which it has allayed somewhat with new peering agreements and VPN options; the hiring of enterprise savvy execs most notably former Red Hat CTO Brian Stevens; and a Microsoftian-looking partner program.

Brian Johnson onstage at Google Cloud Platform.

Brian Johnson onstage at Google Cloud Platform Live.

The biggest personnel move in cloud this year was the ascension of Satya Nadella to Microsoft CEO after a very public and somewhat painful 6-month search. Now even some Microsoft haters see the company as an up-and-comer in cloud. To be fair most of that hard work was accomplished on former CEO Steve Ballmer’s watch but Nadella is seen as more pragmatic and much less doctrinaire than his predecessor, who exhibited an almost pathological hatred of all things Apple or Google. Nadella, after all, broke tradition to bring Office to non Windows devices, a huge departure for the company.

Microsoft CEO Satya Nadella

Microsoft CEO Satya Nadella

Microsoft already has enterprise customers and partners in spades which could help in its hybrid cloud push. Ditto VMware, HP, IBM. But public cloud kingpin AWS is making a push into that hybrid scenario with products targeting VMware admins their Windows counterparts.

Structure Show: Docker, Docker, Docker

We didn’t do a show on this holiday week, but check out our last podcast with Docker CEO Ben Golub if you haven’t already. Golub addresses how the competitive landscape has shifted with the CoreOS decision to launch Rocket, a container of its own.

[soundcloud url=”″ params=”color=ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false” width=”100%” height=”166″ iframe=”true” /]