Wednesday, June 15, 2016

#empotuulwey In which Chris Brogan, Jesse Stay, and I use the "B" word

WARNING: While I will try to redact a particular offensive word that begins with the letter B, there is a chance that I may slip up and forget to redact it on one or two occasions. Sensitive people should avoid this post.

Not too long ago, I made a change to my LinkedIn profile. My profile lists my Empoprises work in addition to my day job, but the profile does not describe me as a Freelance [REDACTED]ger. Instead, it describes me as a Freelance Writer/[REDACTED]ger.

Why is writing listed before [REDACTED]ging?

Well, duh!

I was reminded of the [REDACTED]ging controversy earlier this month when I saw this item (note that I saw it on Facebook). It's something shared by Chris Brogan.

Brogan's original written product, found at, makes the point that content is still being created. It's just that people aren't going to the [REDACTED]s directly, but getting there via avenues other than direct visits or Google Reader.

Going back to the Facebook share of Brogan's written content, Jesse Stay offered the following comment:

It's not what it used to be though

This reminded me of something - namely, the fact that the [REDACTED]ging is dead debate has been going on for years - possibly even BEFORE Google Reader started pining for the fjords. In fact, I wrote about it back in 2012, back when Chris Brogan was writing "Never Fall in Love With the Medium" and Jesse Stay was writing "My Official (and Obligatory) 'Traditional [REDACTED]ging is Dead' Post."

It's important to note that Brogan and Stay are NOT disagreeing with one another. This excerpt from Stay's 2012 written product illustrates a point that Brogan would heartily agree with:

Does that mean that personal opinion and citizen journalism is dead? Does that mean that sharing is dead? Does that mean engagement is dead? In fact, it’s even greater than ever.

The one change, as Brogan notes:

Gone are the days of “Just write something because we were told to have a blog by some ‘guru.'” Instead, you have to have created something of value.

What is value? Is this particular post one that I'm going to immediately rush and share on LinkedIn, Instagram, terrestrial radio, and fake scientific journals? Probably not. I'd be willing to bet that the majority of people don't even realize what word I'm consistently redacting throughout this written product, and therefore would be confused by the content.

But perhaps it's something that I can refer to later. After all, when you have a [REDACTED] of sequential written products (this [REDACTED] alone has over 2,600 of them), it's a resource that I - and you - can dive into at will as needed.

P.S. It has occurred to me that by redacting the offensive word, I have shot myself in the foot regarding search engine optimization. So if you are a sensitive individual, stop reading now. Because I am going to use the offensive word.

Like a true so-called "SEO expert."

blog blogs blogger blogging blog blogs blogger blogging

Tuesday, June 14, 2016

Can you hear me...NOW? (When spokespeople become free agents)

It seems like a good idea at the time. "Let's start an ad campaign and use a highly recognizable character as part of it!" a marketer exults. So the campaign is launched, people like it, and the campaign - and its character - get attention. A lot of attention.

But the years go by, times change, and contracts expire. The most interesting man in the world isn't so interesting any more. The two guys on the porch - no, their real names were NOT Frank Bartles and Ed Jaymes - lose the support for which they were so thankful. We don't really care what beer Bob Uecker and John Madden drink any more (we want to see women wrestling). And we don't want to know what Jared Fogle is doing.

Or, in the case of former Verizon pitchman Paul Marcarelli - Verizon's "Can you hear me now?" guy - Verizon didn't want to hear him any more.

By Stagophile - Own work, CC BY-SA 4.0,

The contract with the spokesperson ends, and perhaps there's a non-compete clause, but eventually it also ends. Which leaves the pitchperson free to work for someone else, to the possible embarrassment of the original company.

And Paul switched to Sprint.

Verizon can do nothing to prevent Paul Marcarelli from working for Sprint, so they're trying to make the best of a bad situation.

"Sprint is using our 2002 pitchman because their network is finally catching up to our 2002 network quality."

Sprint is hoping that Marcarelli's presence will help convince people that Sprint is now the better network. Meanwhile, Verizon is hoping that people won't remember Marcarelli, or won't care even if they do remember him. Meanwhile, Marcarelli is hoping that Sprint's contract lasts as long as Verizon's did. And T-Mobile's former spokeswoman Carly Foulkes and AT&T's current spokeswoman Milana Vayntrub are hoping that there's more wireless service money to be doled out to actors.

Monday, June 13, 2016

When small data is more important than big data

Have you ever completed a survey?

While surveys are sometimes conducted for other purposes, the usual reason for conducting a survey is to obtain information from a subset of the population, and use this aggregated information in decision making.

For example, if the Donald Trump campaign took a survey and discovered that the majority of people think he shoots from the lip way too often, the campaign would then conclude that Trump should be quiet. And Trump would immediately overrule his campaign staff. But I digress.

To get back on topic, I'm going to look at something that I wrote back in February. Here's an excerpt:

I cannot share the details of the two instances, although there is one that I'd REALLY like to share if I could. But both boil down to the same thing. In each case, Person A sent an email to Person B at a particular company. Not receiving a response, or an out of office message, Person A sent a follow-up message to Person B. After increasing frustration, Person A finally asked other people, "Why isn't Person B responding to my emails?" In both cases, it turned out that Person B had left the company, and the person's email account was not disabled.

Now I'm going to reveal a few things - but not everything - about one of these instances.

Person A was (and probably still is) an accounts receivable person at a company that I'll call Company X. Person B is the person who signed the contract with Company X for its annual service - a service that has an auto-renewal clause if you don't cancel at a particular time.

Filling in the blanks from my February post, Person A sent the annual renewal bill for the next year to Person B, who didn't answer his email because he had already left the company. Finally, after several months, Person A sent an obnoxiously-worded email to everyone that he knew at Person B's company, saying that the bill was overdue and was about to go to collection.

At this point the people at Person B's company decided, "Well, the new term hasn't started yet, so we just won't renew."

That's when they found out about the auto-renewal clause, and that the date to cancel had already passed.

So Person B's replacement paid the bill for the forthcoming year, then immediately sent a notice cancelling the service. Both sides were unhappy with the whole episode.

Several months later, employees at Person B's former company received a survey from Company X, asking for opinions of Company X's service. Person B's former coworkers just rolled their eyes - after all we went through, Company X is asking how we feel?

The results of the survey, of course, would be aggregated with everyone else's from the survey, and conclusions would be drawn from the aggregated data.

This is one of the data points that formed part of the aggregated data.

Now this data point in and of itself doesn't provide a lot of context - the person who completed this survey was so disgusted with Company X that most of the open-ended responses were left blank. (Why bother?)

But when all of the data is aggregated together, it will provide even less context. The aggregated data will simply report that in response to question 10, 1.62% or 2.3% or whatever of the respondents indicated that they would never recommend Company X. And then Company X will have to decide how to improve its performance in that area.

And I'd be willing to bet that Company X's solution won't please Person B's former coworkers. Company X doesn't have all the necessary data, despite its survey.

P.S. For more on surveys, see this Marketoonist cartoon.

Tuesday, June 7, 2016

Why I don't fear Big Brother, June 2016 edition - and WHY the DHS is at war with the DHS (and we are at war with ourselves)

In our last installment of "Why I don't fear Big Brother," we looked at an interturf battle between various entities within the Departments of Defense, Homeland Security, and Justice - including a battle between two units within the Department of Defense. In that post, I quoted from a 2012 Wired article.

In the midst of an ongoing turf battle over how big a role the National Security Agency should play in securing the nation’s critical infrastructure, a Defense Department official asserted on Wednesday that the military’s controversial intelligence agency should take a backseat to the Department of Homeland Security in this regard.

DHS as of August 26, 2015. From the DHS website.

Fast forward to today, and we're talking about a fight between two parts of the DHS. This is actually part of a larger battle - the two people who raised the topic were Republicans, and one of them noted that this problem occurred while Democrat Barack Obama was in charge - but the referenced fight was an incident that occurred after last year's terrorist attack in San Bernardino, when Enrique Marquez, an admitted friend of Syed Farook, happened to be at a DHS facility for an immigration hearing.

"The report from the Office of Inspector General confirms whistleblower complaints I received about a dangerous lack of coordination between Immigration and Customs Enforcement and U.S. Citizenship and Immigration Services,” said Sen. [Ron] Johnson. “The refusal to allow armed ICE agents into a USCIS facility to detain a suspected terrorist could have had tragic consequences. Congress created the DHS to unify and improve coordination among agencies in defending our homeland. What happened in the San Bernardino USCIS field office on December 3 shows that work remains. I hope Secretary Johnson and DHS leadership take this independent watchdog report to heart."

So why did the USCIS burn ICE when they came calling? The press release goes into the thought process that occurs when bureaucrats collide.

The DHS OIG report found that USCIS “improperly delayed HSI agents from conducting a lawful and routine law enforcement action.” The HSI agents waited 20 to 30 minutes in accessing the USCIS building because the USCIS field office director incorrectly asserted that she had authority to determine who could and could not enter the building. The report states that the HSI agents should have been allowed to enter the building immediately after they had identified themselves and explained their purpose. The USCIS field office director incorrectly asserted that USCIS policy prohibited making an arrest or detention at a USCIS facility.

So what happened in this case? Whether you're a USCIS field office director, a political campaign volunteer, or a strategic marketing manager, your primary loyalty is not to humanity, or to your (country's or company's) president. Your loyalty is to the person right above you. People leave jobs because of bad bosses, so it stands to reason that people stay in jobs because of good bosses.

So in this particular case, the USCIS field office director expressed her loyalty to someone within USCIS, not to the overall goals of the U.S. Department of Homeland Security. Thus, the vision that a unified Department of Homeland Security would result in a unified purpose in all of its components has come to naught.

But this isn't just isolated to a single USCIS official. In fact, I am guilty of the same issue. When I worked as an AFIS product manager for Motorola, I did not spend every waking hour of every day wondering about how police radios and RAZR phones should penetrate the market. And if you ask me today whether I constantly worry about aircraft engine sales, my response is - no comment. Although to be fair to myself, the folks at Safran Helicopter Engines (formerly Turbomeca) don't spend their days and nights worrying about ANSI/NIST-ITL 1-2011 either.

Back to the USCIS-ICE brouhaha - in the end, the half-hour standoff between the two agencies didn't matter. Enrique Marquez, rather than going on a shooting spree or anything like that, instead went to the UCLA Harbor Medical Center psychiatric ward and was subsequently arrested.

No word on whether the psychiatric ward had to battle any other units within UCLA regarding Marquez.

Monday, June 6, 2016

Duh! court case of the day

Courthouse News Service reports that the Arizona attorney general has brought suit against a company that received clothing orders (and money) from customers, and that 900 customers never received their orders.

The name of the company in question?

Lawless Denim & Co.


I have found independent confirmation that Lawless Denim has problems filling orders.

The history of Lawless Denim can be traced on its Kickstarter page. Despite original high hopes for Roman Acevedo's firm, its web page is defunct, and its unofficial Facebook page is occupied by rugged hardworking American crickets.

Thursday, June 2, 2016

#empoexpiire Microsoft's approach to password protection

Warning: this post presents some theories from Microsoft, and there are those of you who think that Microsoft is stupid, backward, and evil. Therefore, some of you will probably want to do the exact opposite of what Microsoft recommends.

For example, IT professionals may want to enforce password expiration schemes and insist on password complexity rules.

Why? Because Microsoft says they're ineffective.

Now that the Microsoft haters have stopped reading this post, shaking their heads at the post's inanity, let's turn to the work of Microsoft program manager Robyn Hicock. In brief:

I’d recommend you read this great whitepaper that Robyn Hicock, a Program Manager on our team just published online. It highlights a bunch of very cool research and gives some great guidance on improving the security of passwords.

The paper draws on some great work done by the folks in Microsoft Research, our data and learnings from 10+ years of defending the Microsoft Account service from attacks and information across the industry.

I think it will change the way you think about your password policies. For example, did you know that in the real world all of these common approaches:

• Password length requirements
• Password “complexity” requirements
• Regular, periodic password expiration

actually make passwords easier to crack? Why you might ask? Because humans act in pretty predictable ways when faced with these kinds of requirements.

In the paper (PDF), Hicock refers to "anti-patterns" that result from the use of common security techniques. Regarding password expiration, Hicock notes (as others have noted) that

Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other (that is, the next password can be predicted based on the previous password)....

One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.

But this is just one of the "anti-patterns." Password length and complexity requirements result in their own anti-patterns, as detailed in Hicock's paper (PDF).

And why listen to Microsoft? Because it deals with passwords like Facebook deals with users - in massive quantities.

Microsoft sees over 10 million username/password pair attacks every day. This gives us a unique vantage point to understand the role of passwords in account takeover.

So while you've been reading this post, Microsoft has dealt with over 10,000 password attacks. Perhaps we should listen to the company.

And what DOES Microsoft recommend? One of its recommendations is to ban common passwords, as defined in a constantly-updated list of common passwords. The white paper links to a list of the most commonly used passwords in 2015. Spaceballs' famous "12345" password is on the list of the top 25 passwords, and has been for a while. But in 2015, a number of new passwords made the list, such as "princess" and "solo." And if you're not sure why those passwords suddenly appeared on the list, perhaps another password - "starwars" - may give you a hint.

Of course, the most popular passwords in 2015 may not help the criminals in 2016. I'd be willing to bet that by the end of the year, "makeamericagreatagain" will appear on the list, despite its length.
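Here is what the two recommendations above look like as an actual check: a common-password ban that also catches the obvious dressings-up of a banned word, plus a check for the "next password predictable from the old one" anti-pattern, with no complexity rule and no expiry. This is an added example written for this post, not code from Hicock's paper or from Microsoft; the banned list, the leet-speak substitutions and the 8-character minimum are constructed stand-ins, and a real deployment would load the maintained list the paper links to.

```python
import re

# Constructed stand-in for a maintained list of common passwords. A real
# deployment would load the current list the white paper points to; these few
# entries (including the 2015 newcomers "princess", "solo" and "starwars")
# are enough to exercise the check.
BANNED_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "football",
    "letmein", "welcome", "princess", "solo", "starwars", "iloveyou",
}

# Substitutions people use to dress up a common word ("P@ssw0rd").
# Assumed mapping for this example, not taken from the paper.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "5": "s", "$": "s", "7": "t",
})

MIN_LENGTH = 8  # assumed default for this example


def strip_ends(s):
    """Drop leading/trailing digits and symbols: 'password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def normalized_forms(password):
    """Every plausible 'core' of the password that a banned list should match."""
    lowered = password.lower()
    leet = lowered.translate(LEET_MAP)
    forms = {
        lowered,
        leet,
        strip_ends(lowered),
        strip_ends(leet),
        strip_ends(lowered).translate(LEET_MAP),
    }
    return {f for f in forms if f}


def is_banned(password, banned=BANNED_PASSWORDS):
    """True if the password, or any obvious dressing-up of it, is on the list."""
    return not banned.isdisjoint(normalized_forms(password))


def stem(password):
    """Lowercased password minus its trailing digits/symbols ('Summer2015!' -> 'summer')."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def is_predictable_successor(old, new):
    """True if 'new' is one of the small edits people make when forced to rotate.

    This is the anti-pattern the paper describes: the next password can be
    predicted from the previous one. It runs only at change time, when the
    old password has just been verified, so nothing needs to be stored in clear.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if stem(o) and stem(o) == stem(n):             # only the trailing number changed
        return True
    if n.startswith(o) and len(n) - len(o) <= 3:  # short suffix appended
        return True
    if o.startswith(n) and len(o) - len(n) <= 3:  # short suffix dropped
        return True
    if len(o) == len(n) and sum(a != b for a, b in zip(o, n)) <= 1:
        return True                                # single-character edit
    return False


def check_password(candidate, previous=None, min_length=MIN_LENGTH):
    """Return the list of reasons to reject 'candidate' (empty means accept).

    Deliberately no complexity rule and no expiry: only length, the banned
    list and, when a previous password is supplied, the predictable-rotation check.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_banned(candidate):
        reasons.append("on the common-password list")
    if previous is not None and is_predictable_successor(previous, candidate):
        reasons.append("predictable change from the previous password")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Pr1nce$$", "StarWars", "correct horse battery"]:
        print(pw, check_password(pw))
    print(check_password("Summer2016!", previous="Summer2015!"))
```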

Wednesday, June 1, 2016

Painting a mental picture of some ALMOST complete instructions

They should really put instructions when going to a hotel on how to use the shower, I can never get it to work then I feel really dumb for not knowing.....

I spent the last week in a hotel...which means that I spent the last week dealing with hotel showers.

They can be confusing. You're used to your home shower, and then you're in this other room with unfamiliar bathroom fixtures. So when you take your first shower during your stay, you have to allot some time to figure out exactly how to take the shower.

But this hotel thoughtfully provided a solution. I failed to take a picture of the solution - for some reason, whenever I was in the shower, I didn't have my camera with me - but when you entered the shower, you could see some printed instructions that covered how to use the shower.

Pull the handle - water comes on.

Push the handle - water goes off.

Turn the handle counterclockwise - water gets hot.

Turn the handle clockwise - water gets cold.

Although these aren't the instructions for MY hotel shower, these instructions from Lemonsoap illustrate the concept. While Lemonsoap believes that the very need for instructions indicates bad design, I assert that it is probably impossible to design a shower fixture that is intuitive for a worldwide audience.

As you can see, the Lemonsoap-cited instructions, as well as the instructions that I found, covered EVERYTHING that you would need to know to use the shower. Right?

Well, almost everything.

The printed instructions failed to tell you how to change the water from the BATH faucet to the SHOWER faucet.

Luckily, I was able to find the separate control to switch between bath and shower - but what if I couldn't?

Tuesday, May 31, 2016

Is the Uber-Motherboard pitch an indictment of tech journalism? No.

A little context is in order here.

On May 24, Motherboard ran a post with the title "Uber’s Next Stop: America’s Military Bases." In the interests of transparency, Motherboard ran the following text at the end of the post:

Motherboard is running a week of stories about Uber. We asked the company’s public relations department what stories it thought the media should be writing about, and this story was one of the things Uber pitched.

This original text, recorded here and here, was subsequently replaced by a much longer explanation. The entire tempest in a teapot clarified a few things - most notably, that Uber did not pay for the article.

However, a question still remains - possibly.

Here's how Thomas Baekdal framed the issue:

... it just feels like they [Motherboard] are trying not to rock the boat too much.

Evgeny Morozov goes into more detail:

...traditional media find themselves in an odd relationship with Silicon Valley. Their future depends upon tech firms and their CEOs (who are rich enough to buy them out, as Jeff Bezos, the Amazon founder, did with the Washington Post)....

Most tech blogs just recycle press releases from startups and established technology firms....

Now that the tech media do not even bother concealing they are just a PR appendage to Silicon Valley, you have to worry how the accumulation of so much power and cash in one industry – combined with aggressive legal campaigns targeting the few who, for whatever reason, are still critical of it – is happening at a time when there is no one to keep our new elites on their toes.

Morozov is arguing that the media in Silicon Valley is dramatically different than media in other places. He's made similar arguments before.

But is coverage of non-tech stuff truly different than coverage of tech stuff? Journalists in ALL industry sectors "just recycle press releases" all the time. Frankly, that's one of the reasons why Narrative Science (despite Morozov's concerns about its ultimate state) is able to work successfully; if your typical business coverage merely consists of repeating little bits of information, well, a computer can write that.

So, yes, Motherboard felt the need to let Uber state its side of the story in one article. But that isn't unique to the tech industry. In fact, some consider it good journalistic practice. When the Washington Post recently ran an article detailing Trump's comments about New Mexico Governor Susan Martinez, the Post writer (and Bezos employee) felt compelled to add the following:

Corey Lewandowski, Trump’s campaign manager, defended the attacks on “Fox News Sunday.” “There’s no attack on a Latino or a woman governor,” he said. “What this was was laying out the economic perspective of what the state of New Mexico was doing, and he’s saying we need to do a better job.”

The article reported what a candidate said, and the writer felt it necessary to turn to a spokesperson for that candidate for clarification? But I thought you only buttered up to sources in the tech industry, not other industries.

Then again, perhaps media coverage of the Trump campaign may not be the best example to use to talk about critical coverage.

Monday, May 30, 2016

Indian introduction of the Nextbit Robin

May 30 is a holiday in the United States (Memorial Day), so this is as good a day as any for me to attempt to snag 1 billion readers by writing something for the Indian market. I've done it before.

May 30 turns out to be the day that the Nextbit Robin will be introduced in India, and it's fascinating to observe how Nextbit has to adapt to the Indian market.

One difference is the price. The Nextbit Robin is being offered in India at the equivalent of US$300, as opposed to the $400 that someone in the United States would spend. Since phones often have to be activated by local service providers, this price difference can probably be maintained without all of us in the United States rushing to Flipkart to buy Indian phones.

Another difference is the lack of a microSD card. Not for price reasons, but because (according to Ryan Whitwam) microSD cards are "extremely uncommon in the Indian market." Instead, Nextbit offers cloud storage capability.

By merging cloud and onboard storage, Robin seamlessly backs up your apps and photos, intelligently archives the stuff you’re not using, and easily restores items when you need them.

In essence, this phone's 32 GB of storage ends up being 132 GB when the free cloud storage is added. However, the cloud storage mechanism may not work that well in India, according to Siddhartha Sharma:

Now the biggest problem with the cloud storage system is that in India, connectivity is a major problem. The cloud storage works seamlessly on a WiFi connection on the Robin, but struggles over 3G or a 4G connection.

For instance, when I didn't play Real Racing 3 for a week, the phone backed up the app and its data to the cloud. And after a week when I felt like giving the game a try I had to wait for 15 minutes for it to download the app back to my phone, given that the app was over 1 GB.

Connectivity is a real problem in India, and one realises it when phones like the Nextbit Robin, boasting of the cloud-first approach, come to India.

Frankly, even in the United States this may be problematic - if your service provider charges you for the data uploads and downloads.

Back to India - the Nextbit is an Android phone, and Android does well in India.

Samsung Electronics, Micromax Informatics and Intex led the Indian mobile phone market in the quarter ended March....It was a huge quarter for Indian brands - their share of the smartphone market was at an all-time high of 45%, while 67% of all phones shipped were made in India, according to CyberMedia Research's India mobile handset report on Tuesday.

Apple in India? Less than one percent of the market. In the United States, the iPhone market share is over 40%.

Saturday, May 21, 2016

The Carolina Donut Festival was clearly not "marketing free"

Years ago, some tech conference promoted itself as being "marketing free." If any speaker started to do any marketing, the speaker would be immediately battered by signs. Expertly constructed sign...whoops! (Ducks) However, the company that promoted "marketing free" stuff ended up going bankrupt.

Because of all this, marketing lives on. (Which is a good thing for me, since I am currently employed as a strategic marketing manager.)

I was recently reminded of the continued importance of marketing when I heard about a stellar event in Marion, North Carolina.

The Carolina Donut Festival, which is taking place as I write this.

Just listen to the local press description of the event:

The first ever Carolina Donut Festival will be held in the downtown Marion from 10 a.m. to 3 p.m. Saturday....

As of Tuesday, the festival had 66 vendors lined up. These include vendors for arts and crafts, non-profit organizations and direct sales. These vendors will be lined up along Main Street in the block in front of Mr. Bob’s Do-Nuts.

Before the festival begins, there will be a Carolina Donut Dash 5K through the streets of downtown Marion. All walkers and runners are encouraged to dress in a doughnut theme....

The Carolina Donut Festival Pageant will then take place after the opening ceremony. Masiello and Morgan said Tuesday the pageant so far had 38 contestants lined up, which includes male and female contestants. They will be in different age divisions: birth to 18 months, 19 to 35 months, 3 to 4 years, 5 to 6 years, 7 to 9 years, 10 to 12 years, 13 to 15 years, 16 to 19 years, birth to 6 years (male) and 7 to 19 years (male). The contestants will come from Spruce Pine, Troutman, Lenoir, Shelby, Morganton, Hickory, Newton and Dallas, N.C., in addition to those from Marion and McDowell County.

Sounds like a lot of stuff, and I haven't even mentioned the donut part. This is, after all, a donut festival. For that part of the festivities, I will turn to a friend of a friend, who posted a review on a semi-private Facebook post.

Doughnut festival.... One and only one doughnut vendor, the local doughnut shop, selling doughnuts on the street in front of the store. Hmmmm.....

Left after getting funnel cake, not even a doughnut. Lol.

Yup, that's right. The entire Carolina Donut Festival is the brainchild of Mr. Bob himself, the donut (whoops, do-nut) guy, along with an events coordinator. If you want to try someone else's donuts, go to THEIR festival.

Now there's no issue per se with a town hosting an event to glorify a single business. After all, if the business has contributed to the community for decades, and if the community is known for that business, I could certainly understand that. For example, if my hometown of Ontario, California entered into a festival deal with Graber Olive House (founded 1894), that would make sense. So how has Mr. Bob contributed to Marion? Back to the article:

Since this business opened in October 2014, Mr. Bob’s Do-Nuts has proved to be a big hit in the local community. Owner Bob Masiello serves up doughnuts, cinnamon buns, Danishes, cannoli, bagels and cream cheese. Customers can also enjoy a cup of hot coffee with their treats, all of which is made fresh every morning.

As you can see, Marion has been blessed with an amazing vendor - one who has served the community for over EIGHTEEN MONTHS, and who serves donuts that are made FRESH. Not only that, but he also serves COFFEE. Where are you going to find an establishment that has done all of that, for so long?

Yet, despite all of this, I am not criticizing Mr. Bob for coming up with this idea.

I am criticizing myself for not thinking of it first.

The Empoprises Festival Planning Committee is being set up as I speak.

Thursday, May 12, 2016

#page462 When you want to provide service, but depend upon a service provider

Brad took his usual exit off the Silicon Freeway. His morning commutes were sometimes filled with traffic, but today was rather pleasant. This would put Brad in a good mood as he drove to his company. Yes, his company - he founded it. A typical 21st century virtual company, Brad's firm provided an app that allowed its users to access specialized content. Typical of today's service offerings, the users didn't actually own the app, or any of the content that they accessed via the app. But the users found the service to be valuable, and kept on downloading the app. Brad still had to work out the whole revenue part of the equation, but his backers seemed to be happy.

Brad turned down a side street to get to his office building - and was surprised to find a gaping hole where his office used to be.

Within a minute, he was on the cell phone to his landlord.

"Where's my office?" Brad shouted.

The landlord was silent.

"C'mon. Where's my office?"

"Sir," replied the landlord, "that was not YOUR office. That is OUR office, and it is no longer available."

"But I have lease papers! That's my office, and you had better get it back!"

"And where are those lease papers?" asked the landlord.

There was a pause. "In my office."

"And we have a duplicate copy here," replied the landlord, "and if you consult page 462 of the terms of service agreement, you have acknowledged that your company did not own the building in question, and that we had the right to revoke access to that building at any time."

"But that's unfair! You can't just take something away from people with no notice!"

The landlord calmly replied. "Perhaps you should have thought of that BEFORE you removed the flying pigs movie from your app. I really liked that movie."

(Image source: Wikimedia)

Tuesday, April 26, 2016

#empoexpiire Lack of automated rotation is identified by @cloudsa as a problem...but automated rotation is not the solution


The Cloud Security Alliance recently published a report (downloadable from here) that talked about security breaches.

In February of 2016, the Cloud Security Alliance released “The Treacherous Twelve: Cloud Computing Top Threats in 2016” which revealed the top concerns expressed by IT security professionals in cloud computing. Data Breaches, Account Hijacking, and Malicious Insiders all rated as top threats. The enabling of these attacks can occur because of a lack of scalable identity access management systems, failure to use multifactor authentication, insufficient password use, and a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates. As a result, these deficiencies can enable unauthorized access to data and potentially catastrophic damage to organizations and end users. It was not surprising to find that Insufficient Identity, Credential, and Access Management was listed as the top vulnerability in the report.

Cloud Security Alliance “IDENTITY SOLUTIONS: Security Beyond the Perimeter”

For professional reasons - my employer provides both biometric and cloud-hosted solutions - I am interested in tons of things in this report, but for this blog post I want to focus on the statement about "a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates."

My question:

So what?

As has been previously noted in other posts with this hashtag, there is really only one "automated rotation" that is required in IT security: rotate the keys/passwords/certificates in when the person requires access, and rotate the keys/passwords/certificates out when the person no longer requires access.

Years ago, a guy named Lamar worked at one of my employers. Lamar was a tall, imposing man. Among his other duties at the time, one of his jobs was to stand outside of the office/cubicle of a person who had just been terminated from the company as said person was packing up his/her things.

If I were to convert Lamar's name into an acronym for termination procedures, the "R" in LAMAR would stand for Revoke. As the person is packing up to leave the facility - or perhaps as the person is getting the bad news in a human resources office - your IT professional should be revoking the person's passwords and shutting off the person's company phone. Meanwhile someone should be taking the person's company phone, along with keys, computers, and the like.

Guess what? If all of these access privileges are revoked upon the termination of the employee - or upon the termination of an employee's need to have a certain level of access - then there is no NEED for an automated rotation policy. Which means that people won't have to deal with the hassles of such a rotation policy, and won't have to write passwords down every 90 or 60 or 30 days. Remember my prior post in which I quoted Lorrie Cranor (Chief Technologist of the U.S. Federal Trade Commission)?

There is also evidence from interviews and surveys suggesting that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down. In a study I worked on with colleagues and students at Carnegie Mellon University...we found that CMU students, faculty and staff who reported annoyance with the CMU password policy ended up choosing weaker passwords than those who did not report annoyance.

And remember the story from Alan Henry that I shared in this post:

I knew one person who put post-it notes [with her passwords] on the bottom of her chair—she was livid when she arrived one morning to find a colleague had borrowed her chair for an impromptu meeting in her office next door.

So if you get rid of auto-rotation, everyone will be more secure.
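The rotate-in/rotate-out rule above, as an added example that is not from the post: a small Python access registry in which credentials are issued on a grant and revoked on a role change or termination, plus a reconciliation check (my addition, going beyond the post) that lists any credential that outlived its holder's employment. The names, credential kinds and dates are constructed.

```python
# Added example (not from the post): the post's "rotate in when access is
# needed, rotate out when it is no longer needed" rule, modelled as lifecycle
# events on an access registry. People, credential kinds and timestamps
# are constructed for the illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Credential:
    kind: str                      # e.g. "password", "vpn_cert", "badge"
    issued: datetime
    revoked: Optional[datetime] = None

    def active(self) -> bool:
        return self.revoked is None


@dataclass
class Person:
    name: str
    employed: bool = True
    credentials: dict = field(default_factory=dict)  # kind -> Credential


class AccessRegistry:
    """Grants follow a need for access; revocation follows the end of that
    need (role change or termination), never a calendar."""

    def __init__(self) -> None:
        self.people: dict = {}

    def grant(self, name, kind, when) -> None:
        # "Rotate in": issue the credential the moment the need exists.
        person = self.people.setdefault(name, Person(name))
        person.credentials[kind] = Credential(kind, issued=when)

    def change_role(self, name, still_needed, when) -> list:
        # "Rotate out" on a role change: revoke every credential the new role
        # does not need and leave the rest untouched. Returns revoked kinds.
        person = self.people[name]
        revoked = []
        for kind, cred in person.credentials.items():
            if cred.active() and kind not in still_needed:
                cred.revoked = when
                revoked.append(kind)
        return sorted(revoked)

    def terminate(self, name, when) -> list:
        # The "R" in LAMAR: on termination every active credential is revoked
        # at the same instant, before the person has left the building.
        person = self.people[name]
        person.employed = False
        return self.change_role(name, set(), when)

    def lingering_access(self) -> list:
        # Reconciliation check (my addition, beyond the post): credentials
        # still active for someone whose employment no longer justifies them.
        # A non-empty result means a revoke step was missed.
        found = []
        for person in self.people.values():
            if person.employed:
                continue
            for kind, cred in person.credentials.items():
                if cred.active():
                    found.append((person.name, kind))
        return sorted(found)


def demo() -> dict:
    """One joiner/mover/leaver cycle; returns what each step revoked."""
    reg = AccessRegistry()
    t0 = datetime(2016, 4, 1, 9, 0)
    for kind in ("password", "badge", "vpn_cert", "prod_ssh_key"):
        reg.grant("alice", kind, t0)
    # Moves off the production team: only the prod key should go.
    moved = reg.change_role("alice", {"password", "badge", "vpn_cert"},
                            datetime(2016, 4, 18, 10, 0))
    # Terminated: everything that is still active goes at once.
    left = reg.terminate("alice", datetime(2016, 4, 26, 14, 30))
    # A second leaver whose offboarding never ran the revoke step.
    reg.grant("bob", "password", t0)
    reg.people["bob"].employed = False
    return {"moved": moved, "left": left, "lingering": reg.lingering_access()}


if __name__ == "__main__":
    print(demo())
```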

Tuesday, April 19, 2016

The management style of Brian Wilson, circa 1966

If you took my advice and liked the Empoprise-BI Facebook page, you might have seen my share of a Future Vintage video.

There are a number of musical reasons to be fascinated with this, but I was inspired to look at this from a business perspective.

The song "Good Vibrations" was Brian Wilson's finest moment, although he didn't realize it at the time. By this time Wilson had forced his father out of the group's management, had forced himself out of the group's touring unit, and had assembled a crew of musicians and lyricists to help him realize his vision. By the time of "Good Vibrations," most of the Beach Boys themselves (with the exception of Carl Wilson) were not playing the instruments, and Mike Love alternated with others for the lyrical duties (although, as was subsequently noted, Love's contributions may or may not have been downplayed at the time).

Wilson did not have complete control - when "Pet Sounds" bombed financially, he had to take a step back - but with "Good Vibrations," he had the opportunity to craft what he hoped would be the perfect single. (After "Good Vibrations," he would try to write a teenage symphony to God.) But this was years before Prince could go into a studio and create an entire album by himself - Brian Wilson needed help to create his vision.

How did he do it?

Take the lyrics, for example. While Mike Love is in some respects a controversial figure (I've even alluded to the controversy myself), he had his own vision of the Beach Boys. By 1966, the band had enjoyed spectacular success with a steady diet of surf, car, and girl tunes. Why rock the boat? Love had a highly negative reaction when he walked in on the final production for "Pet Sounds," much of which had been conceived while the touring unit of the Beach Boys was on the road. Even by the time of "Good Vibrations," Love had his misgivings:

This was before the Summer of Love, but there were definitely psychedelic rumblings on the West Coast. I felt “Good Vibrations” was The Beach Boys’ psychedelic anthem or flower power offering. So I wrote it from that perspective. The track itself was already so avant-garde, especially with the theremin, that I wondered how our fans were going to relate to it. How’s this going to go over in the Midwest or Birmingham? It was such a departure from “Surfin’ USA” or “Help Me Rhonda”.

So I thought the one thing that everyone can relate to is boy-girl. You know, “she’s giving me excitations”. Had that track not had anything to connect to people intellectually or emotionally, then it would have been a brilliant piece of music, but perhaps not gone to No 1.

So Love wasn't completely on board, but as long as he could get his few words in, he was happy (at the time) to go along with his cousin's wild vision.

Meanwhile, Brian had to communicate with the instrumentalists, such as bassist Carol Kaye.

Brian had all the sounds in his head. He knew what he wanted and wrote out the bass parts for me. They were written crudely – it wasn’t the work of an educated person – but we could read it.

Kaye had another observation.

Brian was a really sweet guy, but he could be cocky when he wanted to be. It was that cockiness that comes with youth. But he was sharp, with very good ears. And he was completely engrossed in what he was doing.

At this stage of his career - after his disruptive father had been banished from the studio, and before Brian himself checked out - he was able to inspire both Wrecking Crew members and the band itself to come up with their greatest work.

In that respect, perhaps Wilson DOES belong in business case studies, right along with other mercurial leaders such as Steve Jobs. This statement about business success could just as well be applied to Wilson, especially when you consider that it took time to appreciate Pet Sounds:

The most revolutionary changes in business method alter the world so fundamentally that their insights can appear banal in retrospect. Alongside the bombast and egotism that can characterise business success, this is a reason for the achievements of business pioneers not always being appreciated as they should.

The parallel does not fit perfectly - after all, there were certain people who were calling Wilson a genius even in 1966 - but his contributions to music were certainly better appreciated in hindsight.

Even by Mike Love.

Monday, April 18, 2016

Can a fruit feel insecure? (QuickTime on Windows)

Apple has had a security battering lately. Recently, despite taking a stance for keeping its iPhones secure, the FBI hacked an iPhone. Now, a former flagship Apple product has been branded as insecure.

The Department of Homeland Security (DHS) is warning Windows customers to stop using Apple’s QuickTime media player.

I didn't read this in a tech journal; I read this in The Hill. For those who don't know, "THE Hill" is Capitol Hill, where national legislation is hammered out in my country.

And no, this isn't an attempt by the FBI to get back at Apple. This warning was issued by the Department of Homeland Security, not the FBI, and as I've already noted, two separate government agencies often have no incentive to cooperate with each other.

To be fair to Apple, the first version of QuickTime (for the Macintosh) was released over a quarter century ago, and much has happened in the world of security since then. This simply serves as a reminder that while software upgrades may appear to be a form of planned obsolescence, there are some legitimate reasons to get rid of that old software.

The DHS notification can be found here.

Workflow update, and the Empoprise-BI Facebook page

I've been playing around with something for the past few days, and I figure that I ought to clue you in on it. It has to do with my workflow.

In the past, I've gotten all convoluted about my workflow, and have created elaborate diagrams showing how my content flows from one service to another. For example, I shared this workflow back in 2008:

Part of the complexity of this workflow was due to my use of FriendFeed (R.I.P.), which (when originally conceived) served as a way to aggregate stuff from a lot of sources. Of course, FriendFeed (and Google News, etc.) is no more.

These days, my workflow is a lot simpler. NetworkedBlogs currently auto-publishes information about my blog posts to Twitter and to selected Facebook pages, and I manually share these on Google Plus (when I remember to do so). However, I'll confess that I'm not visiting Google Plus all that often these days, and I'm not the only one. I don't believe that Google Plus is dead, but the Facebook audience is still the largest one out there that meets my needs.

Well, provided that people find my content.

While I occasionally share posts from this and other blogs on my personal feed, the best way to find most of my content is through my Facebook pages. For example, this blog has an associated Facebook page, Empoprise-BI.

(My admin view. And yes, I'm working on it.)

Now for the workflow change - over the last few days, I've found that I'm sharing more and more stuff to the Empoprise-BI Facebook page. Some of it is random thought, and some of it may eventually end up as Empoprise-BI blog posts (which, as I mentioned, are automatically shared to the Empoprise-BI Facebook page).

So how can you find out about this amazing content?

By liking the Empoprise-BI Facebook page.

Now I won't insist that you choose the additional option to put Empoprise-BI page content at the very top of your feed. Heck, I don't do that myself (I constantly find myself switching to "most recent" rather than "top stories"). But go ahead and like the page, and be sure to visit it every once in a while. You might find a preview of what's coming up in the Empoprise-BI business blog. Heck, if you contribute, YOU might find yourself featured in the Empoprise-BI business blog. (Exciting, I know.)

(And yes, I'm doing similar things for some of my other blogs, but this post is keeping focused on this blog.)

Saturday, April 16, 2016

Update on John Krpan lawsuit

I've noticed increased activity around an old post of mine from April 2015, So you want to interpret for the deaf? There's just one thing.... This told the story of John Krpan, a certified American Sign Language teacher who wanted to get one more certification - the National Interpreter Certification from the Registry of Interpreters for the Deaf, Inc. I summarized the process to get that certification.

You start with the written exam, meet some educational requirements, and then have an interview.

An oral interview.

This caused a problem for Krpan, who is deaf. He ended up taking RID to court on the grounds that RID violated the Americans with Disabilities Act by de facto excluding him from certification.

So why is this old blog post getting renewed activity? Because a judge ruled in the case.

On March 8th, 2016 a U.S. District Court Judge in the Eastern District of Virginia, Alexandria Division granted RID’s Motion for Summary Judgment in the matter of John Krpan, Plaintiff v. Registry of Interpreters for the Deaf, Inc. As a result, a judgment in favor of RID was entered. On Count I, the court determined that the NIC exam and certification process do not violate Title III of the ADA. In terms of Count II, the court determined that the CDI exam and certification do not violate Title III of the ADA by labeling CDI credentialed individuals as “deaf”.

This does not necessarily render Krpan unemployable - after all, he has several other certifications. And perhaps institutions that insist on NIC certification may be picketed by Gallaudet University.

Or perhaps not. Gallaudet offers preparatory courses for people who want to obtain NIC certification, despite the fact that Gallaudet's own president may not qualify for NIC certification herself.

Friday, April 15, 2016

A spot for Spotify - or for any company (rent, taxes, and the talent pool)

There's a reason why this Spotify post isn't going into my Empoprise-MU music blog - because this goes well beyond Spotify.

But we'll start with Spotify, whose founders have penned an open letter to Sweden's government. Because my Swedish language skills are non-existent, I am relying on Quartz's account. Basically, Spotify has three issues:

[CEO Daniel Ek and chairman Martin Lorentzon] say their employees are having a hard time finding apartments and are being charged inordinately high taxes on their stock options, and that the pipeline of programmers coming out of Sweden’s schools is not large enough.

Let's ignore the third point for now, because after all, how can you get more programmers out of Sweden's schools if you don't raise taxes? And we'll also ignore the second one about high taxation for the moment.

So we're left with the first issue - The rent is too damn high.

How does Spotify propose to alleviate this?

By moving to New York.


As the Quartz article notes, there may be a flaw in that logic.

Mans Ulvestam, founder of Acast, which produces analytics and inserts ads in podcasts, has offices in New York, London, and Stockholm. “The cost of living in New York is way higher than Stockholm,” he says. “It’s certainly cheaper to buy an apartment in Stockholm than San Francisco, New York, or London. If Spotify had said they were moving to Idaho–that would have been a valid argument.”

But the difficulty, as Silicon Valley companies well know, is that you need to go where the talent is. And no matter how much I protest, there are not a whole lot of bleeding edge technical personnel in Ontario, California. And when the talent is outside of tech centers, it migrates to tech centers, despite the high personal costs. Talia Jane (who worked at Yelp until she was fired for talking about her struggles) wasn't the only Yelp employee trying to make ends meet.

Every single one of my coworkers is struggling. They’re taking side jobs, they’re living at home. One of them started a GoFundMe because she couldn’t pay her rent. She ended up leaving the company and moving east, somewhere the minimum wage could double as a living wage. Another wrote on those neat whiteboards we’ve got on every floor begging for help because he was bound to be homeless in two weeks. Fortunately, someone helped him out. At least, I think they did. I actually haven’t seen him in the past few months. Do you think he’s okay? Another guy who got hired, and ultimately let go, was undoubtedly homeless. He brought a big bag with him and stocked up on all those snacks you make sure are on every floor (except on the weekends when the customer support team is working, because we’re what makes Eat24 24-hours, 7 days a week but the team who comes to stock up those snacks in the early hours during my shift are only there Mondays through Fridays, excluding holidays. They get holidays and weekends off! Can you imagine?).

Theoretically, you could live anywhere - even Idaho - and work for a Stockholm or New York or Silicon Valley company, but the theory doesn't always work out - again, despite my protests.

So how does a company get access to a huge pool of tech people, yet do so in a way that the tech people can afford to live without giving most of their money away for rent, taxes, and ten pound bags of rice?

Thursday, April 14, 2016

Fear everyone - or don't (Cellebrite or Hacker X never met the Bedford Police Department)

Every once in a while, I like to write a post in which I explain why I don't fear Big Brother (or, to put it another way, "don't worry about the government"). Over the years I've documented the demise of uGov, the cross purposes at UC Irvine, competing airline security systems, the poor security for nuclear missile launches, the lack of NSA-FBI security coordination, the lack of DHS-CIA coordination, and conflicts between the DHS, the FBI, and the NSA. These and many other episodes highlight the truth, expressed by Dave Barry, that any action by government will be met with an equal and opposite reaction from another part of government.

But right now I'm thinking about another post in this vein - Which do you fear more - business Big Brother, or government Big Brother? I want to quote from that 2011 post, which seems eerily relevant today.

Cellebrite manufactures a Universal Forensics Extraction Device. Now we're not talking about debate or biometrics here, but the examination of any item for purposes of law enforcement. In this particular case, we're talking about cell phones. If Malte Spitz had been unsuccessful in getting his location information from Deutsche Telekom, perhaps he could have bought the Cellebrite UFED and obtained the location information in that manner.

"Based on Cellebrite’s expertise in data extraction technology, the mobile forensics products perform both logical and physical data extraction, including recovery of deleted messages and content.

"With more than a decade of experience in mobile data technologies, Cellebrite provides the widest coverage available in the market today. The UFED family of products is able to extract and analyze data from more than 3000 phones, including smartphones and GPS devices."

I am writing this post mere weeks after the FBI ceased its attempts to have Apple unlock Syed Farook's iPhone. Why did the FBI stop? Because it got someone else to unlock it. The FBI didn't say who helped, but various sources claim that Cellebrite did the work, while other sources claim someone else did it.

So who looks good after this affair? Nobody. The FBI, who pleaded that they couldn't unlock the iPhone and that only Apple had the expertise to do so, apparently found someone to do it - possibly cheaply. Apple, who wanted to maintain its posture as a manufacturer of secure communications equipment, has had its security breached - possibly cheaply. And the people who actually unlocked the phone can't get any credit for the deed. Oh, and it's quite possible that the only information that was found on the iPhone in question was data about San Bernardino dining spots.

Now, who are you supposed to fear?

The FBI, who set the wheels in motion to allow this phone - or perhaps your phone - to be hacked?

Apple, who manufactured a phone - perhaps your phone - that could be hacked?

Or the mysterious people who actually performed the hack on this phone, and could do it to your phone?

"None of the above," you might say. "I have nothing to hide."

Well, if you have nothing to hide, then feel free to share your name, address, Social Security Number (remember Todd Davis?), and bank account passwords.

Oh, and leave your house and car unlocked.

Wednesday, April 13, 2016

Does wisdom require information?

You may recall my old post about data, information, knowledge, and wisdom, and its underlying assumption that these are ordered and one proceeds from another.

James Altucher feels differently.

I never read random articles on the Internet unless they are by people I know. Mostly I read books I love.

A friend asked me, when he heard all of this, “But aren’t you afraid you’re going to miss some information?”

I asked him, “What information?”

Wednesday, April 6, 2016

Are credit unions evil banks, or virtuous anti-banks?

As I was walking through a parking lot near a credit union office, I spotted a Bernie Sanders for President bumper sticker.

And it got me thinking.

As many of you know, the Bernie Sanders campaign can almost be characterized as a single issue campaign - namely, to ensure that land acquisition for the National Park Service is fully funded.

Whoops - I seem to have scrambled my notes. Actually, the Sanders issue that is getting a lot of attention can be summarized in four words: "Wall Street is evil."

From the Sanders website:

Wall Street cannot continue to be an island unto itself, gambling trillions in risky financial decisions while expecting the public to bail it out....

The six largest financial institutions in this country today hold assets equal to about 60% of the nation’s gross domestic product. These six banks issue more than two-thirds of all credit cards and over 35% of all mortgages. They control 95% of all derivatives and hold more than 40% of all bank deposits in the United States.

We must break up too-big-to-fail financial institutions. Those institutions received a $700 billion bailout from the US taxpayer, and more than $16 trillion in virtually zero interest loans from the Federal Reserve. Despite that, financial institutions made over $152 billion in profit in 2014 – the most profitable year on record, and three of the four largest financial institutions are 80% bigger today than they were before we bailed them out.

So why would a credit union employee support a guy like Sanders?

One possible reason might be the conclusion that when Sanders rails against financial institutions, he's not railing against credit unions. After all, credit unions are different - the government said so:

Credit unions are not-for-profit organizations that exist to serve their members. Like banks, credit unions accept deposits, make loans and provide a wide array of other financial services. But as member-owned and cooperative institutions, credit unions provide a safe place to save and borrow at reasonable rates.

So perhaps the bumper sticker owner believes that the problems on Wall Street are solely caused by for-profit (rather than not-for-profit) firms that are controlled by oligarchs (rather than individual credit union members just like you and me).

Or perhaps the bumper sticker owner realizes that money is money, but supports Sanders anyway. If so, he or she is not alone:

Meredith Burak is a third-generation Wall Street executive. At 32, she has worked in global wealth management for Bank of America and Merrill Lynch....

"Wall Street has been very good to my family," she said. "It has enabled myself and my cousins and people around me to go to college."

But at the same time, Burak said, Wall Street needs tougher regulation and rules. "People on Wall Street want the game to be fair," she said. "It is when people cheat that things get messed up for everyone. And to the extent that we can have rules and more enforcement to get people like [Ponzi schemer] Bernie Madoff out of the financial system, the better it is for the economy."

Burak said she left Merrill Lynch earlier this month and is traveling in Israel this week, focusing on charitable work on behalf of a cancer foundation in honor of her mother.

And after all, as an anonymous Sanders supporter points out:

"You've got Warren Buffett — one of the wealthiest people in the country — and he's out there supporting raising taxes and the things that Bernie talks about."

Tuesday, April 5, 2016

Coworking, where the new meets the old

Several years ago, coworking was a trend, part of the general trend of working away from an office. Perhaps you'd just park yourself in a coffee shop, or perhaps you'd rent time at a place such as Citizen Space. But people working in coffee shops initially created a backlash, and I just belatedly discovered that even the venerable Citizen Space is no more.

But companies are still entering the coworking market, such as Workbar. For those who aren't familiar with the coworking concept, Workbar has an explanation about the practice:

At Workbar we understand that people don’t always work the way they used to. Technology has made the workforce more mobile, yet has also increased the need for shared resources, human interaction, and fun at work. So we’ve created a network of coworking spaces where independent professionals, start-ups, small businesses, and remote employees of larger enterprises can enjoy a vibrant community and high quality office amenities at an affordable price.

Of course, if you're going to go out and create a coworking space for people, you And Workbar has, um, worked out a mutual win-win for itself and a much older company:

As consumer needs around commerce are changing, commerce hubs are reimagining and redesigning their physical locations to meet customers halfway, so to speak. Staples is joining in on that trend, and is thus converting some of its retail locations for office supplies into temporary office spaces for rent.

Staples, in conjunction with office-sharing startup Workbar, is looking to open three Boston-area communal workplaces. The hope is that the affiliation will draw more small business owners and mobile professionals into Staples locations. Staples needs the customers, as foot traffic has been on the decline since 2009.

This could be an interesting trend. As more people shop online, and brick and mortar establishments try to reinvent themselves, they're looking for all sorts of ways to use up their leased retail space. If this use brings in more customers for the establishment's primary business, all the better.

Thursday, March 31, 2016

Amalgamate all the things - biometrics, geospatial, and the buffet

So, where will we be five years from now? Will we have a number of companies providing everything to everyone, or will we have a myriad of specialty firms?

(Me, in 2011)

There are several different ways to organize businesses, ranging from the Mita model (we only do one thing) to the Beatrice model (we do everything). While the tail end of my Motorola years certainly exposed me to a trend toward the Mita model, I've been seeing a lot more of the Beatrice model lately, where dissimilar businesses end up as part of one big happy business.

Take my industry, biometrics. When I joined this industry in the mid-1990s, Digital Biometrics, Identix, and Printrak were three separate companies. Now all three of them are just a very small part of Safran.

I just ran across another example in the geospatial industry. You'll recall that I recently noted that Pitney Bowes, more commonly known for postage stuff, acquired the geospatial company MapInfo several years ago. But I have also run across another example [DISCLOSURE: I have worked with CACI in the past]:

CACI International Inc. announced it has been awarded a $180 million contract to provide Joint Geospatial Analytic Support Services (JGASS) to US Special Operations Command (USSOCOM).

So how did CACI get into this business?

Through its acquisition of TechniGraphics, Inc. in 2010, CACI has more than 20 years of experience providing geospatial services to the federal government and has become an industry leader in the production, analysis, and dissemination of geospatial data. The company's highly trained and cleared professional staff possesses a deep understanding of geospatial analysis and geospatial imagery intelligence.

Of course, the greatest example of diversification can be found in Warren Buffett's (two t's) company, Berkshire Hathaway. If you look at its list of subsidiaries, you can see that Berkshire Hathaway offers a buffet (one t) of different products and services. I won't provide the entire list, but let me just cite three examples:

  • Acme Brick Company (presumably a spinoff from Wile E. Coyote's supplier)
  • Kraft Heinz (I didn't even know those companies have merged)
  • Pampered Chef (chances are you know someone who works with Pampered Chef - but she can't sell you Acme Bricks)