Interview with Dr. Robert Arn, CTO of Itiva

Introduction

Table of Contents

• What is a Security Thought Leader - Updated November 18th, 2009
  
• Framework for Security Thought Leader Interview - August 26th, 2009
  
• Lance Spitzner, Securing The Human, founder - Updated November 29th, 2012
  
• Bill Pfeifer, Juniper Networks - March 4th, 2011
  
• Chris Pogue, Senior Security Analyst - July 8th, 2010
  
• John Kanen Flowers - May 26th, 2010
  
• Kees Leune, Leune Consultancy, LLC - February 13th, 2010
  
• Joel Yonts, CISO - February 12th, 2010
  
• Maury Shenk, TMT Advisor, Steptoe & Johnson - January 31st, 2010
  
• Chris Wysopal, CTO, Veracode - January 27th, 2010
  
• Amir Ben-Efraim, CEO, Altor Networks - November 25th, 2009
  
• Ed Hammersla, COO, Trusted Computer Solutions - Updated November 19th, 2009
  
• Amit Klein, CTO, Trusteer - September 27th, 2009
  
• An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information - Updated August 13th, 2009
  
• A. N. Ananth, CEO, Prism Microsystems, Inc. - August 7th, 2009
  
• Jeremiah Grossman, Founder and CTO of WhiteHat Security - Updated April 24th, 2009
  
• Mike Yaffe, Director of Product Marketing, Core Security Technologies. - April 15th, 2009
  
• Chris Petersen, Chief Technology Officer, LogRhythm - March 13th, 2009
  
• John Pirc, IBM, ISS Product Line & Services Executive: Security and Intelligent Network - February 17th, 2009
  
• Leigh Purdie, InterSect Alliance, co-founder of Snare: Evolution of log analysis - January 28th, 2009
  
• Bill Worley, Chief Technology Officer, Secure64 Software Corporation - December 9th, 2008
  
• Doug Brown, former Manager of Security Resources, University of North Carolina at Chapel Hill - October 30th, 2008
  
• Amrit Williams, Chief Technology Officer, BigFix - June 30th, 2008
  
• Andrew Hay, Q1 Labs - May 13th, 2008
  
• Gene Schultz, CTO of High Tower - April 4th, 2008
  
• Tomasz Kojm, original author of ClamAV - April 3rd, 2008
  
• Bill Johnson, CEO TDI - April 2nd, 2008
  
• Gene Kim, Tripwire - March 14th, 2008
  
• Kevin Kenan, Managing Director, K2 Digital Defense - March 14th, 2008
  
• Leigh Purdie, InterSect Alliance, co-founder of Snare - March 7th, 2008
  
• Marty Roesch, Sourcefire CEO and Snort creator - February 26th, 2008
  
• Dr. Anton Chuvakin, Chief Logging Evangelist with LogLogic - January 28th, 2008
  
• Kishore Kumar, CEO of Pari Networks - Updated January 28th, 2008
  
• Interview with Dr. Robert Arn, CTO of Itiva - November 1st, 2007
  
• Interview with Charles Edge - September 15th, 2007
  
• Ivan Arce, CTO of Core Security Technologies - Updated May 6th, 2009
  
• Mike Weider, CTO for Watchfire - Updated July 23rd, 2007
  
• Interview with authors of The Art of Software Security Assessment - Updated July 9th, 2007
  
• Ryan Barnett, Director of Application Security Training at Breach Security, Inc. - June 29th, 2007
  
• Dinis Cruz, Director of Advanced Technology, Ounce Labs - June 11th, 2007
  
• Brian Chess, Chief Scientist for Fortify Software - June 9th, 2007
  
• Caleb Sima, CTO for SPI Dynamics - Updated May 29th, 2007
  
• An Interview with David Hoelzer, author of DAD, a log aggregator - May 1st, 2007
  

Interview with Dr. Robert Arn, CTO of Itiva

November 1st, 2007
By Stephen Northcutt

The Leadership lab came across an interesting company, Itiva. Their CTO, Dr. Robert Arn, was kind enough to share his time and thoughts with our readers, and we certainly thank him for his time.


Thank you for taking the time to speak with us, Dr. Arn. How did you first get into IT?

I started in university at Oxford and Cambridge studying computational linguistics, which turned out to be useful to me later in life. I then briefly taught in several universities but decided that environment was a bit constrained for my tastes, so I started founding startup companies. The first one was in satellite communications, and another used language recognition to structure documents so I was able to use my university training.


Did you found Itiva?

Yes, it came after another company I started was acquired. I got together with an old friend, Tom Taylor. We felt it was inevitable that the Internet would become the primary delivery mechanism for video, so we laid the foundations for Itiva. It was not really a very good time for investment or the markets, so we had some time to develop our technology.


What exactly is your technology?

We had looked at ways of delivering video; the problem is basically that the whole model of the Internet and server structure could not work if video got to be a big market. One server talking to one user simply cannot scale, you add users and soon you need another server or another cluster. That limited video to a small scale, but if it was a phenomenon like television, you could never install enough servers. That whole model, the only one available, just did not make any sense if we were correct that the Internet would become the de facto distribution. So, you start to think about decentralized parallel systems and getting around the problem of one server to one user. So, now you can have mesh architectures. We got into the early use of peer to peer, it was already popular for sharing music, and thought it might work for video. Peer to peer as we first looked at it had a large scale problem that was not very promising; the problem was that the ISP infrastructure, with backbones of high speed fiber, was fine for static pages, but they were never designed to be used for video. Further, they were designed with an asymmetry of upstream requests that were small and downstream requests that were hundreds of times larger. When you buy a high speed connection, they tend to only tell you what the downstream side is. As long as I am downloading, that is no problem, but peer to peer requires the end user to upload things to give to someone else and so peer to peer is stressing out the upload side. It works for small files, but video files are huge and you can't push a huge file up a narrow pipe. So the problem, the real heart of the problem, is that there is not enough upstream bandwidth to use peer to peer for video.


I read the following on your web page, "making clever use of servers, proxies and managed peers to reliably sustain a high quality of service at the lowest possible cost resulting in a high definition, full-screen experience for the viewer and a scalable and capital efficient solution for the content owner." How do you do that?

Having seen that there were problems with servers and problems with peers, we asked if there other sources of bandwidth we could use. The answer was yes, every corporation and many ISPs are installing proxy servers. A proxy server saves a copy of everything it sends, so it can reduce the cost of bandwidth if more than one person uses it.


Is this like Akamai?

These proxies are put in by the corporation or university in their own network, not external proxies like Akamai uses.

There are three ways to get content to the user:

• I can send things from the server
• I can send them from one peer to another, if I have already delivered something to one user, I could get them to help send it to other people
• If I can identify the corporate and university proxy servers, I can use them to help deliver content, there are massive numbers of these proxy servers across the Internet. If they were optimized to store something other than HTTP (video does not use HTTP) and it was originally too big to get stored in proxies …

This is where Itiva (Patent Pending) comes in. What would happen if we broke the video into chunks and make the video look like HTTP web pages, then we could get a boost in delivery from these proxy servers. These get distributed from multiple points - servers, users, proxies - and our job is to optimize and manage the traffic. Given the state of the network, how do we give this person what they request? And, we focus on the cheapest sources, proxies, then users, and, finally, I can rely on our own servers in our own data centers. This has to be dynamic for every request. When a request is made, we have to make quality of service decisions and then continually get feedback.


Since this is HTTP, you are using TCP. Is TCP the control protocol?

We also use DNS. There are other parts of this where we are experimenting with UDP. Most of the Internet is optimized for TCP/HTTP. Now, as Akamai and Limelight learned early on, this is not just about bandwidth, you also have the problem of latency. The further you are from source to destination, the less data you can send. Akamai created an edge network, their solution was to put the servers out as close as possible to the end users. This is a very expensive solution as they have about 25,000 servers distributed around the world. If I want to have a thousand times the traffic, I would need 250,000 servers, and that will not scale. Akamai got over latency by pushing the servers to the edge; that is effective, but it just will not scale.


Are you using any of the standard protocols like BitTorrent?

No, we have our own protocol for discovering the endpoints and managing them. We need more controls than P2P protocols tend to have. For example you might limit connections so that you can only use peers in a particular corporation or in a particular ISP. If we are doing a corporate private network, the corporation will not want us to use peers outside our network. They probably would not want proxies outside their network either. The proxy we often use in corporations is the firewall. And, corporations tend to have a symmetrical LAN, so using peers in a corporation works very well since you have so much more upstream capacity than you have with a subscriber ISP.


From a software perspective, how does this work?

We use parallelism: instead of one server pointing at an endpoint, I have ten sources pointing to an endpoint so, that way, I attack latency. With parallelism, the servers do not have to be close to the end user. Another thing to focus on is the demand cycle: the demand is higher in the daytime, then after midnight it starts to drop, and at two AM is very low, so I can use servers in one time zone to service another time zone. This reduces operating costs. A server in Tokyo can be used to service the east coast of the US while people in Tokyo are sleeping. This can lead to significant cost reductions.


Who do you see as your biggest competition over the next five years?

In terms of technology, it is likely to be other small startup companies similar to Itiva that are finding creative solutions to get past the present model. That model simply cannot survive, so look for other ways of introducing parallelism.


So, about security, your software might be attackable and there is also the risk of someone inserting other content?

Obviously, everyone can be attacked, and we need to be careful. When we break the video (or any other data) into component parts, we hash it, then encrypt and sign each chunk. Secondarily, there is an encrypted meta data that is added. This also helps us with Digital Rights Management. If we are sending copyrighted material, in order to reassemble the chunks you need a dictionary to reassemble them into the original file.


What is your vision for the Internet five years from today?

I am a little more conservative than some others. Many people think it will be like television, mass entertainment. I don't think that can happen in five years, but perhaps ten. I do think that the use of video will be ubiquitous. Also, it will have unique characteristics; it will be more interactive than current television. Most people just do not realize how massive mass television is - it is an overwhelming amount of data.


What have you learned about leadership while working for Itiva, and what tips can you share with other people looking at startups?

Getting the right balance between crystal clear goals that everyone can understand while leaving room for creativity is the biggest challenge. One notch off and you fall into the ditch on either side. If you micromanage, you do not get the benefit of intelligent people and you can assume too much, delegate too much and not get the results. As a tip for anyone interested in startups, if you cannot internalize and visualize the product, if it doesn't live inside you, don't bother.


Do you have any message for a potential investor? I clicked on the link and there was not much information.

We are well financed and are not soliciting investors at this time


Well, I guess that explains why there isn't much information. A tradition of the Security Lab is to give folks a bully pulpit, a chance to "preach" on whatever is burning in their heart. What message would you like to share with the Security Lab readers?

The thing that excites me now is that we are in a time where communication is being radically transformed, more than we realize. You can see it in social networks; anyone that looks closely at what is happening in human communication will see that everything we know is in radical flux, and it is going to penetrate communication. It is way beyond just user content; expect video and other forms to be interactive. And, it is exciting to participate and be a part of these changes.


And finally, can you tell us something about Robert Arn? When you are not in front of a computer, what do you like to do?

I am known as somewhat of an art critic, but I also enjoy contemporary music. In fact I’ve been known to play the saxophone, and I financed my university education working as a musician.

1. http://www.itiva.com/
<< Thought Leader Home