🎨 Cybersecurity, The Human Element, and $69.3 million DRM
We're back with the 27th edition of Techonomics. We hit a milestone and now have 5,036 subscribers who get tech analysis delivered to their inbox!
🔊 Join Techonomics on Clubhouse here
Arun and I are planning to host discussions soon in the new Techonomics Club on Clubhouse*! To get informed on the next scheduled events, follow the club at the above link.
*Note: Clubhouse is currently only available on iOS.
🎧 Subscribe and rate the podcast on Apple Podcasts, Google Podcasts, and Spotify
Arun and I have had some amazing guests on the Techonomics podcast and have more on the way! If you haven’t taken a listen, you can find it on Apple Podcasts, Google Podcasts, or Spotify.
We’d love to ask your help in spreading the good word -- please subscribe and rate the podcast on any of those platforms. It would really help us out.
Thank you, and now onto the newsletter.
Cybersecurity and the human element
New hacks have been covered in the news over the past year, and while this isn’t breaking news for most of us, the stories point not just to extremely sophisticated cyberattacks, but social engineering. As a result, I don’t love the sensational headlines and articles we see today around large scale cybersecurity incidents and ‘hacking’ because they talk about hacks without highlighting that most of them are caused in part by the error of the human element. Most of the time, these hacks are the product of a leak rather than, or in addition to, an exploit hack -- typically a credential leak or disclosure of a known vulnerability.
For instance, if you remember the Twitter ‘hack’, that was actually the hackers gaining access to Twitter’s administrative tooling by way of username and password shared to them from Twitter’s own employees. And if you look at the most recent security hack of Verkada, a surveillance company who provides services like cloud storage, facial recognition, and identity analytics, it was caused by a super admin password and username discovered on the web. Even the recent Microsoft Exchange hack, while much more sophisticated in that it exploits a security vulnerability, has a human element angle being investigated ($). The hackers may have been tipped off about a security vulnerability.
It’s important that we understand that these types of hacks aren’t always solely sophisticated cybersecurity exploits and can also include simple username/password leaks caused by an easier fault in our systems -- us humans. Defense in depth, or multiple layers of security built out in the case of a failure in a preceding layer, is key to help us maintain defenses against all kinds of attacks, including the less technical leak. An example could be the use of two-factor authentication with a phone number, yubikey, or authenticator app in addition to defense mechanisms built within the authentication layer like IP address verification. Another example on a technical level is ensuring that critical data stores are isolated in secure environments from more publicly available data.
While there will always be risks to having humans involved due to perverse incentives, having defense in depth is important. In fact, if you do need to rely on humans for critical security, two might be better than one. Similar to a missile launch that requires two separate keys and a push of the button, for important systems and their entry, using two secure keys from multiple employees for a super admin login may have prevented issues seen in the Verkada hack. Additionally, alerting systems and human monitoring of said alerting systems may let others know when someone logs into a sensitive area. This could also prevent the depth of the attack by allowing someone to cut off access to said credentials.
These ideas aren't ground breaking and won’t work in all scenarios, but they help. Every solution has its own vulnerabilities that can be exploited, but when talking about risk, doing what we can to mitigate will go a long way to preventing cybersecurity issues while improving consumer trust. This is not to say that there are also issues with technical and highly sophisticated attacks on our security, but these ideas can help raise some awareness to steps those who work with technology and account credentials can take — yes, that’s all of us.
Again, this does not excuse the fact that real, sophisticated security breaches occur. In fact, there are some gnarly stats that show the depth of cybersecurity needs. Sophisticated breaches require that defense in depth to be taken seriously by the companies who manage our data. Our actions like setting up multi-factor authentication, using a password manager, and randomizing passwords per account are small steps we can take within our control as consumers. It’s now up to the companies to take cybersecurity seriously, particularly platforms like cloud products that are used by other software.
If the foundation isn’t secure, neither will be that which is built on top. With software built using other software, the house of cards is real. Even more so when one of us humans can take away one of the cards.
Analysis and in-depth reads
⛓ Art DRM 2.0: When I first heard of the concept of an NFT, or Non-Fungible Token, I couldn’t help but think about the concept of DRM. DRM stands for Digital Rights Management, and is the mechanism used on the internet for copyright protection by preventing unauthorized distribution of digital media. There are a few differences between the two concepts. NFTs use blockchain that uses a network of ledger verification nodes to ensure the validity of the token in the chain while DRM is usually enforced by a format encryption and entity like Apple’s FairPlay. NFTs also don’t prevent the distribution or copying of the digital media, but is a certificate of authenticity. That being said, I can see how there may be companies starting to spin-up to build DRM type protection of online media using an NFT style blockchain. DRM 2.0.
In any case, the news that prompted this was the fact that the jpeg above sold for $69.3 million. Yes, million. As you can see, anyone has access to the image itself, but it’s not the original. If you don’t have the NFT, you cannot verify its bitwise authenticity. Some humans are driven by the concept “I can have something and you can’t.” Will NFTs continue to capitalize as authenticity certificates? With digital assets being extremely easy to copy, it all depends on if people are willing to pay for uniqueness. (link)
🌏 Roblox as a Platform: Though I felt like the last part of the argument was a bit of a stretch, Ben Thompson’s piece last week on Roblox was a great one to read. It ties together the power of Roblox and the inevitability of the Apple App Store and Google Play Store as tax collectors of the internet. While I do believe that the app stores are here to stay, Roblox’s pseudo app store that somehow lives within the bounds of the App Store’s guidelines is not a de facto reason that they are here to stay. Rather, the inevitability rests in the creation of seemingly arbitrary guidelines allowing microverses like Roblox stick around in exchange for the 30% rake. One that is worth it for distribution’s sake and that they are very aware of. (link)
🛒 Amazon’s Antitrust Paradox: I have been writing about antitrust over the course of Techonomics newsletters, but came across a really great read from Lina Kahn in 2017 -- Amazon’s Antitrust Paradox. The main crux is that of which we discussed in 🤖 Big Tech and Antitrust: The Capitalism Paradox and 👩⚖️ Section 230, the Senate, and Understanding the Internet: that Amazon is great for consumers, but that the fundamental model of the internet and platforms changes the antitrust law. In the spirit of hard goods sold in stores, lower prices and larger selection within the limits of physical proximity drove antitrust. If those were interrupted, by either lack of choice or price control, the Sherman act came into play. In the world of nearly unlimited internet scale, you can prioritize losses for growth, edging out competition while maintaining the status as “good for consumers” and being bad for other businesses. (link)
☁️ Speaking of Amazon: One additional item not mentioned above is that Amazon is also extremely diversified in their business offerings. This makes it even harder for existing antitrust law to keep up. Take AWS for instance. AWS is the leader in the public cloud market at 32% over overall market share with Microsoft’s Azure coming in second at 20%. AWS is the internet’s infrastructure. It powers a lot of our favorite services like Netflix and Airbnb, and while Multicloud is a large trend in Cloud computing, it means those services built on top of Amazon are reliant on Amazon. This deepens their diversified moat while giving them more market control. Antitrust law hasn’t quite figured out how to evolve and cover this type of diversified growth -- but they really need to. Even the EU is having trouble parsing algorithmic data ($) they asked for. (link)
📈📉 Tale of two charts: Barron’s published an article looking at the booming IPO market and how it doesn’t look like it’s slowing down any time soon. There have been lots of articles with this same type of analysis, but I did find two charts particularly valuable (see below). Given Tech dominance in the recent IPO listings, like in these articles, it’s interesting to compare and contrast the previous 2000 market crash and now. The thing I find fascinating is that, like most attempts to compare and contrast, the data is different. Here we see that the number of overall IPOs is much smaller than the years leading up to the 2000 crash, but the loss-making IPOs are greater. I’m old school, have a longer investment horizon, and like to see profit being made in companies in order to truly feel confident in their sustainability, so this is troubling. However, knowing that percentage is built on top of a lower absolute number of total IPOs makes me feel a bit more confident in our market. (link)
Bites to make you smarter
💡 How about this for an AI chip? It works using light, not electrons. (link)
👑 Technoking: Me writing this is playing into Elon’s ideals, but it’s too ridiculous to omit. (link)
🚕 Uber is classifying drivers in the EU: as Workers, which is somewhere in the middle. (link)
🐻 The bear case for Clubhouse: I like Clubhouse, but can’t disagree with parts of this. (link)
Check out essays from previous weeks and head to techonomics.news to subscribe.
- ✍️ How to Win Independent Publishing: A Substack Story
- 🇪🇺 The Brussels Effect: Thoughts on the Digital Services Act and Digital Markets Act
- 📲 Everyone’s a Chip Designer
- 💬 Slackforce
- 📈 Ubiquity and Bitcoin's Return
- 💳 Visa & Plaid: The DOJ Applying Learning from Tech
- 🍿 Thoughts on Quibi and Consumer Product
- 🏭 What's in a chip? Breaking down the Semiconductor Industry
- 👩⚖️ Section 230, the Senate, and Understanding the Internet
- 🍪 Upending the Internet’s Free Business Model
- 💸 Productization & Platforms