Demetrios James Bidzos (born 1955)



Mar 21 '55


James Bidzos, Mr Jim Demetrios Bidzos

Source : 1995 (March edition) of "PGP : Pretty Good Privacy"

1995-03-pgp-pretty-good-privacy-garfinkel.pdf /

So, who was this Jim Bidzos, anyway?

Jim Bidzos says he was born in 1955 in a small mountainous Greek village near the Albanian border. The Italians invaded the village during World War II; then the Germans invaded. During the Greek civil war, the village was alternatively a home to rebels and to the Greek militia. "It wasn't a good place to raise a family," recalls Bidzos, "There was nothing there but farmers and soldiers." So Bidzos' father moved to the United States to find a new life. Starting without any money or knowledge of English, Bidzos Senior worked for a year and a half, sending what little earnings he had to Greece. Finally there was enough money for his wife and son to join him. The family settled in Ohio—"A good place to come from," says Bidzos.

Bidzos speaks numerous languages: English, Greek, Macedonian, German, and quite a bit of Japanese. He has a green card but has no intention of becoming a U.S. citizen. "I can see three benefits to becoming naturalized," he says. "One is that I could vote. The second is that I could leave the country for more than a year without jeopardizing my resident status. And the third reason," he says with a smile, "is that it is harder to get thrown out if you are a U.S. citizen. . . . But the down side is that Greece doesn't allow you to have dual citizenship. If I became a naturalized American citizen, I would have to give up my Greek passport and all the privileges of citizenship." For Bidzos, losing Greek citizenship would mean losing his membership in the European Community, which allows him to work and travel freely within Europe. "Why should I give that up? There's no difference with a green card: you pay taxes, you can be drafted, you can be jailed." And Bidzos is dedicated to his guest country—so much so that he enlisted in the U.S. Marine Corps.

In January 1986, RSA Data Security was on the verge of failing. "The company had no products, no customers, no revenue. It had taken some money from investors, and it had all disappeared," says Bidzos. Fewer than five people worked for the company. One of them, Bart O'Brien, was an old friend that Bidzos had worked with at Paradyne in Florida. Both were marketing executives. In 1983, they split up, with Bidzos going off to create an international technology marketing company, and O'Brien going out to California and eventually joining RSA Data Security. O'Brien called Bidzos and said that RSADSI needed help. O'Brien described the RSA technology and the patent. Bidzos started working there on February 1, 1986.

What saved RSADSI was a little company in eastern Massachusetts, Iris Associates, that was writing a program called Notes for the Lotus Development Corporation. "They didn't know that RSA was patented," says Bidzos. "They had played around with it and had finally gotten it to work, but [their implementation] was too slow. So they were actually delighted to know that there was a company called 'RSA.' They said, 'Gosh, maybe you can help us.'"

Bidzos committed to build an RSA encryption toolkit that Iris could drop into Notes. The toolkit was written mostly by Rivest and other members of the MIT faculty. Rivest also started work on MailSafe: a program that would serve two important purposes. It would supply RSADSI with a small revenue stream, and it would demonstrate the power of public key encryption. "It was perfect for showing people that it could work, how it worked, and that it could run fast enough on a personal computer," says Bidzos.

By the time that Bidzos met with Merritt and Zimmermann in Denver, things had already turned around for RSADSI. The deal with Lotus was closed in June 1986, giving RSADSI a large amount of prepaid royalties. The next big deal, with Motorola, used RSA for commercial secure telephones. The third deal, with Digital Equipment Corporation, involved the development of a secure network system. (The project was later killed because Digital couldn't export its secure software.) Next was Novell, which built RSA encryption into NetWare.

By 1991, says Bidzos, RSADSI was making substantially more money on toolkit royalties than it was on the sales of end-user programs. Bidzos boasts that even if RSADSI never licensed another company, RSADSI could have stayed in business indefinitely at its current strength. Of course, that didn't happen. New licenses continued to pour in. By 1993, more than 100 companies were incorporating RSADSI's toolkit into their products. By this time, Bidzos had also learned that a large, secret, and incredibly powerful government agency wanted him out of business.

Working with Big Jim

Bidzos is a strong man and a strong negotiator, and he drives a hard bargain. It's a style that might not work in some businesses. But RSA Data Security had a monopoly on public key cryptography: the MIT patent on RSA. Anyone in the United States who wants to use the RSA algorithm has to either make a deal with Bidzos or change their plans.*

Bidzos has a simple negotiating technique; no matter how well-informed the customer might be, Bidzos doesn't give a price until after he spends at least an hour educating his potential business partner about cryptography, public key, what a business can do with it, and various royalty models that RSA Data Security has for license fees. Finally he names a price. It's his goal, he says, for both RSADSI and the company that licenses the technology to make money with cryptography.

"Everyone wanted it more or less for free," says Bidzos. "I believed it had more value, and I could be persuasive." Indeed, the fact that customers made deals with RSA to license the algorithms or software is a strong testimony to the truth of Bidzos' words.

"I put our customers into one of three categories," says Bidzos. "There are those like Lotus Notes users, who I think benefit immensely from the security that is there, and generally are aware of it. The second category really doesn't understand at all that it is there, and I think really doesn't need to, like Novell. And it is still for the benefit of the users. And then there is the case where [the users] don't know it, and our direct customer doesn't want their customers to know, or at least they don't want to broadcast the fact." An example of the third category, says Bidzos, is Atari, which uses RSA as the basis of its protection scheme on video game cartridges. Only cartridges that have been signed by the company's public key work in the company's video game machines.

* In 1987, representatives from Stanford University began to claim that RSA's patent rights could not be exercised without infringing on the Merkle-Hellman patent owned by Stanford. Eventually, MIT licensed the patent rights from Stanford. MIT, in turn, passed the rights to RSADSI. In exchange for the rights, MIT pays a portion of RSADSI's patent royalties to Stanford.

Bidzos says that many people who don't contact him grossly overestimate the price of an RSA license. Newspaper accounts confirm this statement. According to an article by John Markoff in the New York Times, RSADSI's income is between $5 and $10 million a year on the sale of products, while between 2 and 4 million end-user software packages in the world include one of the company's algorithms. Court documents in a recent lawsuit imply that RSADSI's licenses might cost as little as a dollar per user for high-volume applications. Generally, Bidzos refuses to do deals in which RSA is sold to the end user as an option: he wants it embedded as part of the application program. "Users want absolute security, zero overhead, and no cost," says Bidzos. "We usually find a way to do that."

But patents aren't forever. RSADSI has been doing well, but an outside observer might wonder if RSADSI's reliance on its patents means that the company may face hard times. After all, patents last only 17 years; the RSA patent expires in the year 2000.

The reason that Bidzos isn't worried is that he isn't basing his company's future on the patents. In fact, RSA Data Security doesn't even license the patents anymore.

On April 6, 1990, RSADSI and Cylink (holder of the Diffie-Hellman and Hellman-Merkle patents) formed a partnership called Public Key Partners, whose sole purpose is to acquire the rights to cryptography patents, write licenses, and collect license fees.

RSADSI has turned its attention to the development of cryptographic toolkits. The company's BSAFE 2.1 product, introduced in the summer of 1994, included implementations of many cryptographic algorithms: Bloom/Shamir Secret Sharing, RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, Pseudorandom Number Generators, RSA, DES, DESX, Triple-DES, MD5-With-XOR, RC4-With-MAC, Diffie-Hellman, and support for Privacy Enhanced Mail (PEM) by RFC 1422. The kit is designed for developers, costs $290 ($750 for a five-user license, $950 for a ten-user license), and includes a license for all of the relevant patents.

Run-time fees are separately negotiated. (As mentioned, license fees for large customers might be as low as one dollar per user.)

"We have no unhappy customers," boasts Bidzos. "If they are unhappy, we give them their money back." So far, he says, he's never had to cancel a license agreement and refund a customer's money.

A Pretty Good Program

Although Zimmermann kept in touch with Bidzos on and off during the years following their meeting in Boulder, most of his time was spent devising his own solution to the problem of public key encryption on microcomputers. First Zimmermann wrote a paper describing standards and data structures for representing encryption keys, encrypted text, and signatures. The paper was eventually published in IEEE Computer. The paper gave Zimmermann the legitimacy in the eyes of the cryptography community to be able to call other cryptographers and not be instantly dismissed as a crank. Zimmermann next turned his attention to writing a working program that implemented the RSA public key system. He called his program PGP—short for Pretty Good Privacy. (Why? Zimmermann was a fan of Garrison Keillor's "Prairie Home Companion" radio program, in which one of the "sponsors" was "Ralph's Pretty Good Groceries.")

According to Bidzos, sometime during 1990, Phil Zimmermann called RSADSI asking for "a free license" to the RSA algorithm. "When I told him 'no,' he was really upset. He told me that he was behind on his mortgage payments and that he had invested years in writing this piece of software and needed to make money from it."

"I told him that what he should do is go find some larger company," recalls Bidzos. "He said that he was trying to help us by recommending RSA to companies. I said, 'Great! If you are working with them, they'll buy a license! It will be perfectly fine that you made something for them, and they buy the license. We won't try to keep you from making money. We don't begrudge anybody a living. We just can't give you a free license to go make money with.'"

Zimmermann went back to his keyboard. By the spring of 1991, the basic structure of PGP was beginning to take shape. Zimmermann's main interest was in distributing the program as "shareware." (People could freely copy the shareware program, but some critical component of it would not operate correctly unless the user sent the author a check to "register" his copy.) Shareware programs had taken off during the late 1980s; some people had become millionaires using the concept.

Zimmermann's first attempt at shareware was a terminal program called PGT—Pretty Good Terminal. It was not very successful. But there was one hitch with either scheme: Zimmermann's PGP program violated the RSA patent held by RSA Data Security and later by Public Key Partners.

In April 1991, Zimmermann sent Jim Bidzos a one-page letter. "Dear Jim," the letter started, "Well, I'm finally getting around to writing you about requesting a royalty-free license for your RSA algorithm. We talked about this a few times since your 1986 visit to Boulder, when I developed my own RSA math library in C. Both you and Ron [Rivest] said then and later that you would grant me a free license to make and sell products with your algorithm. I appreciate that a lot. When we last spoke, you said you would need a letter telling you what products it's for. It was unclear whether this meant highly detailed firm product plans or just general fuzzy plans."

Zimmermann's letter goes on to describe two projects. The first project is a low-cost secure telephone, based on encryption and voice compression. The second project is a program to do RSA/DES encryption on a personal computer. "This would be somewhat analogous to your MailSafe or ComSafe products. I guess it would sort of compete with these products. I suspect these products are not the backbone of your company's cash flow, anyway. I just think they would be fun for me to do. I probably would not be developing that jointly with another company, but I may sell it through another company's marketing channels."

Bidzos was shocked by Zimmermann's letter: despite what Zimmermann thought, Bidzos maintains that he had never promised Zimmermann a "free license" of any kind.

"I said, 'We don't give those. It is not consistent with our business, and not consistent with licenses already granted,'" Bidzos recalls telling Zimmermann. "I promised to talk to our attorneys to explore the possibility, and did. I then wrote him a letter saying 'Nope, can't do it.' He later lied, claiming in some vague statement that I promised him a license."

Without the license, a shareware version of public key encryption wasn't possible. Zimmermann wasn't sure what to do. Then something happened that would change cryptography in the United States forever: the U.S. Senate discovered data encryption.


#39th wealthiest American in 2013


D. James Bidzos

Made Money In Information Technology

Wealth $275 Million (TNHE)

Described as a “father of cybersecurity,” D. James Bidzos, 62, is Founder, Chairman of the Board, President, and CEO of Verisign, Inc., which provides domain name registry services and Internet security worldwide. Bidzos’ company offers a range of security services, including managed DNS, Distributed Denial of Service (DDoS) mitigation and cyber-threat reporting. Bidzos served as [Verisign's] first CEO from 1995 to 2001. In 2010 the company’s authentication services were purchased by Symantec for $1.28 billion. Bidzos returned to the CEO job in 2011. The following year, he was named Fortune’s 2012 Businessperson of the year for reviving Verisign’s income, growth, and stock performance, which previously had flagged. His compensation increased by 46 percent in 2013 to $8.5 million, including his bonus and stock awards.

Born in Greece, Bidzos came to the United States as a boy. His father worked as a barber, and his mother managed a restaurant. A former computer programmer, he is credited with foreseeing the need for online security in the early 1990s. Bidzos is an Internet and security industry pioneer, whose accomplishments include building RSA Security, an Internet identity and access management solution provider, into the early standard-bearer for authentication and encryption, and launching Verisign as a spin-off in 1995 to develop the digital certificate infrastructure for Internet commerce. Verisign operates infrastructure services that enable and protect billions of interactions every day across the world’s voice, video and data networks.

The Mountain View, CA-based Verisign (now moved to Reston, VA) offered a variety of Internet and communications-related services in its global affiliate network. Verisign managed two of the world’s 13 Internet root servers, considered national IT assets by the federal government. Since 2007, the company has been focusing on its core business and whittling away less profitable side efforts. In 2009 it sold its security service business to SecureWorks and its security consulting business to AT&T. Verisign focuses now on its Internet infrastructure services. Among the company’s services are providing .com, .net, .cc, .tv, .name and .jobs domain names for websites. Bidzos served as president and CEO of RSA Security from 1988 to February 1999, and then served as RSA’s vice chairman from 1999 to May 2002.

He has been named one of Time magazine’s “Digital 50,” and is in CRN’s “Computer Industry Hall of Fame.” In September 2013, the Federal Aviation Administration named Bidzos, who is a certified pilot, to the FAA Airmen Certification Database.

Bidzos told an audience in Naples, FL in April that “apathy and ignorance are the biggest threats to your bank account today. It’s a jungle out there. We’ve got to live with the odds, and odds are, you’re going to get hacked,” the Naples Daily News reported. He is a realist, but has an extensive plan for addressing that reality.

1977-06-indiana-marriage-record-bidzos-okonski.jpg /