Tuesday, April 26, 2016

#empoexpiire Lack of automated rotation is identified by @cloudsa as a problem...but automated rotation is not the solution

[DISCLAIMER: MY EMPLOYER PROVIDES BIOMETRIC AND CLOUD SOLUTIONS. VIEWS ARE MY OWN.]

The Cloud Security Alliance recently published a report (downloadable from here) that talked about security breaches.

In February of 2016, the Cloud Security Alliance released “The Treacherous Twelve: Cloud Computing Top Threats in 2016” which revealed the top concerns expressed by IT security professionals in cloud computing. Data Breaches, Account Hijacking, and Malicious Insiders all rated as top threats. The enabling of these attacks can occur because of a lack of scalable identity access management systems, failure to use multifactor authentication, insufficient password use, and a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates. As a result, these deficiencies can enable unauthorized access to data and potentially catastrophic damage to organizations and end users. It was not surprising to find that Insufficient Identity, Credential, and Access Management was listed as the top vulnerability in the report.

Cloud Security Alliance “IDENTITY SOLUTIONS: Security Beyond the Perimeter”


For professional reasons - my employer provides both biometric and cloud-hosted solutions - I am interested in tons of things in this report, but for this blog post I want to focus on the statement about "a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates."

My question:

So what?

As has been previously noted in other posts with this hashtag, there is really only one "automated rotation" that is required in IT security: rotate the keys/passwords/certificates in when the person requires access, and rotate the keys/passwords/certificates out when the person no longer requires access.

Years ago, a guy named Lamar worked at one of my employers. Lamar was a tall, imposing man. Among his other duties at the time, one of his jobs was to stand outside of the office/cubicle of a person who had just been terminated from the company as said person was packing up his/her things.

If I were to convert Lamar's name into an acronym for termination procedures, the "R" in LAMAR would stand for Revoke. As the person is packing up to leave the facility - or perhaps as the person is getting the bad news in a human resources office - your IT professional should be revoking the person's passwords and shutting off the person's company phone. Meanwhile someone should be taking the person's company phone, along with keys, computers, and the like.

Guess what? If all of these access privileges are revoked upon the termination of the employee - or upon the termination of an employee's need to have a certain level of access - then there is no NEED for an automated rotation policy. Which means that people won't have to deal with the hassles of such a rotation policy, and won't have to write passwords down every 90 or 60 or 30 days. Remember my prior post in which I quoted Lorrie Cranor (Chief Technologist of the U.S. Federal Trade Commission)?

There is also evidence from interview and survey studies...to suggest that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down. In a study I worked on with colleagues and students at Carnegie Mellon University...we found that CMU students, faculty and staff who reported annoyance with the CMU password policy ended up choosing weaker passwords than those who did not report annoyance.

And remember the story from Alan Henry that I shared in this post:

I knew one person who put post-it notes [with her passwords] on the bottom of their chair—she was livid when she arrived one morning to find a colleague had borrowed her chair for an impromptu meeting in her office next door.

So if you get rid of auto-rotation, everyone will be more secure.

Tuesday, April 19, 2016

The management style of Brian Wilson, circa 1966

If you took my advice and liked the Empoprise-BI Facebook page, you might have seen my share of a Future Vintage video.



There are a number of musical reasons to be fascinated with this, but I was inspired to look at this from a business perspective.

The song "Good Vibrations" was Brian Wilson's finest moment, although he didn't realize it at the time. By this time Wilson had forced his father out of the group's management, had forced himself out of the group's touring unit, and had assembled a crew of musicians and lyricists to help him realize his vision. By the time of "Good Vibrations," most of the Beach Boys themselves (with the exception of Carl Wilson) were not playing the instruments, and Mike Love alternated with others for the lyrical duties (although, as was subsequently noted, Love's contributions may or may have been downplayed at the time).

Wilson did not have complete control - when "Pet Sounds" bombed financially, he had to take a step back - but with "Good Vibrations," he had the opportunity to craft what he hoped would be the perfect single. (After "Good Vibrations," he would try to write a teenage symphony to God.) But this was years before Prince could go into a studio and create an entire album by himself - Brian Wilson needed help to create his vision.

How did he do it?

Take the lyrics, for example. While Mike Love is in some respects a controversial figure (I've even alluded to the controversy myself), he had his own vision of the Beach Boys. By 1966, the band had enjoyed spectacular success with a steady diet of surf, car, and girl tunes. Why rock the boat? Love had a highly negative reaction when he walked in on the final production for "Pet Sounds," much of which had been conceived while the touring unit of the Beach Boys was on the road. Even by the time of "Good Vibrations," Love had his misgivings:

This was before the Summer of Love, but there were definitely psychedelic rumblings on the West Coast. I felt “Good Vibrations” was The Beach Boys’ psychedelic anthem or flower power offering. So I wrote it from that perspective. The track itself was already so avant-garde, especially with the theremin, that I wondered how our fans were going to relate to it. How’s this going to go over in the Midwest or Birmingham? It was such a departure from “Surfin’ USA” or “Help Me Rhonda”.

So I thought the one thing that everyone can relate to is boy-girl. You know, “she’s giving me excitations”. Had that track not had anything to connect to people intellectually or emotionally, then it would have been a brilliant piece of music, but perhaps not gone to No 1.


So Love wasn't completely on board, but as long as he could get his few words in, he was happy (at the time) to go along with his cousin's wild vision.

Meanwhile, Brian had to communicate with the instrumentalists, such as bassist Carol Kaye.

Brian had all the sounds in his head. He knew what he wanted and wrote out the bass parts for me. They were written crudely – it wasn’t the work of an educated person – but we could read it.

Kaye had another observation.

Brian was a really sweet guy, but he could be cocky when he wanted to be. It was that cockiness that comes with youth. But he was sharp, with very good ears. And he was completely engrossed in what he was doing.

At this stage of his career - after his disruptive father had been banished from the studio, and before Brian himself checked out - he was able to inspire both Wrecking Crew members and the band itself to come up with their greatest work.

In that respect, perhaps Wilson DOES belong in business case studies, right along with other mercurial leaders such as Steve Jobs. This statement about business success could just as well be applied to Wilson, especially when you consider that it took time to appreciate Pet Sounds:

The most revolutionary changes in business method alter the world so fundamentally that their insights can appear banal in retrospect. Alongside the bombast and egotism that can characterise business success, this is a reason for the achievements of business pioneers not always being appreciated as they should.

The parallel does not fit perfectly - after all, there were certain people who were calling Wilson a genius even in 1966 - but his contributions to music were certainly better appreciated in hindsight.

Even by Mike Love.

Monday, April 18, 2016

Can a fruit feel insecure? (QuickTime on Windows)

Apple has had a security battering lately. Recently, despite taking a stance for keeping its iPhones secure, the FBI hacked an iPhone. Now, a former flagship Apple product has been branded as insecure.

The Department of Homeland Security (DHS) is warning Windows customers to stop using Apple’s QuickTime media player.


I didn't read this in a tech journal; I read this in The Hill. For those who don't know, "THE Hill" is Capitol Hill, where national legislation is hammered out in my country.

And no, this isn't an attempt by the FBI to get back at Apple. This warning was issued by the Department of Homeland Security, not the FBI, and as I've already noted, two separate government agencies often have no incentive to cooperate with each other.

To be fair to Apple, the first version of QuickTime (for the Macintosh) was released over a quarter century ago, and much has happened in the world of security since then. This simply serves as a reminder that while software upgrades may appear to be a form of planned obsolescence, there are some legitimate reasons to get rid of that old software.

The DHS notification can be found here.

Workflow update, and the Empoprise-BI Facebook page

I've been playing around with something for the past few days, and I figure that I ought to clue you in on it. It has to do with my workflow.

In the past, I've gotten all convoluted about my workflow, and have created elaborate diagrams showing how my content flows from one service to another. For example, I shared this workflow back in 2008:


Part of the complexity of this workflow was due to my use of FriendFeed (R.I.P.), which (when originally conceived) served as a way to aggregate stuff from a lot of sources. Of course, FriendFeed (and Google News, etc.) is no more.

These days, my workflow is a lot simpler. NetworkedBlogs currently auto-publishes information about my blog posts to Twitter and to selected Facebook pages, and I manually share these on Google Plus (when I remember to do so). However, I'll confess that I'm not visiting Google Plus all that often these days, and I'm not the only one. I don't believe that Google Plus is dead, but the Facebook audience is still the largest one out there that meets my needs.

Well, provided that people find my content.

While I occasionally share posts from this and other blogs on my personal feed, the best way to find most of my content is through my Facebook pages. For example, this blog has an associated Facebook page, Empoprise-BI.


(My admin view. And yes, I'm working on it.)

Now for the workflow change - over the last few days, I've found that I'm sharing more and more stuff to the Empoprise-BI Facebook page. Some of it is random thought, and some of it may eventually end up as Empoprise-BI blog posts (which, as I mentioned, are automatically shared to the Empoprise-BI Facebook page).

So how can you find out about this amazing content?

By liking the Empoprise-BI Facebook page.

Now I won't insist that you choose the additional option to put Empoprise-BI page content at the very top of your feed. Heck, I don't do that myself (I constantly find myself switching to "most recent" rather than "top stories"). But go ahead and like the page, and be sure to visit it every once in a while. You might find a preview of what's coming up in the Empoprise-BI business blog. Heck, if you contribute, YOU might find yourself featured in the Empoprise-BI business blog. (Exciting, I know.)

(And yes, I'm doing similar things for some of my other blogs, but this post is keeping focused on this blog.)

Saturday, April 16, 2016

Update on John Krpan lawsuit

I've noticed increased activity around an old post of mine from April 2015, So you want to interpret for the deaf? There's just one thing.... This told the story of John Krpan, a certified American Sign Language teacher who wanted to get one more certification - the National Interpreter Certification from the Registry of Interpreters for the Deaf, Inc. I summarized the process to get that certification.

You start with the written exam, meet some educational requirements, and then have an interview.

An oral interview.


This caused a problem for Krpan, who is deaf. He ended up taking RID to court on the grounds that RID violated the Americans with Disabilities Act by de facto excluding him from certification.

So why is this old blog post getting renewed activity? Because a judge ruled in the case.

On March 8th, 2016 a U.S. District Court Judge in the Eastern District of Virginia, Alexandria Division granted RID’s Motion for Summary Judgment in the matter of John Krpan, Plaintiff v. Registry of Interpreters for the Deaf, Inc. As a result, a judgment in favor of RID was entered. On Count I, the court determined that the NIC exam and certification process do not violate Title III of the ADA. In terms of Count II, the court determined that the CDI exam and certification do not violate Title III of the ADA by labeling CDI credentialed individuals as “deaf”.

This does not necessarily render Krpan unemployable - after all, he has several other certifications. And perhaps institutions that insist on NIC certification may be picketed by Gallaudet University.

Or perhaps not. Gallaudet offers preparatory courses for people who want to obtain NIC certification, despite the fact that Gallaudet's own president may not qualify for NIC certification herself.

Friday, April 15, 2016

A spot for Spotify - or for any company (rent, taxes, and the talent pool)

There's a reason why this Spotify post isn't going into my Empoprise-MU music blog - because this goes well beyond Spotify.

But we'll start with Spotify, whose founders have penned an open letter to Sweden's government. Because my Swedish language skills are non-existent, I am relying on Quartz's account. Basically, Spotify has three issues:

[CEO Daniel Ek and chairman Martin Lorentzon] say their employees are having a hard time finding apartments and are being charged inordinately high taxes on their stock options, and that the pipeline of programmers coming out of Sweden’s schools is not large enough.

Let's ignore the third point for now, because after all, how can you get more programmers out of Sweden's schools if you don't raise taxes? And we'll also ignore the second one about high taxation for the moment.

So we're left with the first issue - The rent is too damn high.

How does Spotify propose to alleviate this?

By moving to New York.

Seriously.

As the Quartz article notes, there may be a flaw in that logic.

Mans Ulvestam, founder of Acast, which produces analytics and inserts ads in podcasts, has offices in New York, London, and Stockholm. “The cost of living in New York is way higher than Stockholm,” he says. “It’s certainly cheaper to buy an apartment in Stockholm than San Francisco, New York, or London. If Spotify had said they were moving to Idaho–that would have been a valid argument.”

But the difficulty, as Silicon Valley companies well know, is that you need to go where the talent is. And no matter how much I protest, there are not a whole lot of bleeding edge technical personnel in Ontario, California. And when the talent is outside of tech centers, it migrates to tech centers, despite the high personal costs. Talia Jane (who worked at Yelp until she was fired for talking about her struggles) wasn't the only Yelp employee trying to make ends meet.

Every single one of my coworkers is struggling. They’re taking side jobs, they’re living at home. One of them started a GoFundMe because she couldn’t pay her rent. She ended up leaving the company and moving east, somewhere the minimum wage could double as a living wage. Another wrote on those neat whiteboards we’ve got on every floor begging for help because he was bound to be homeless in two weeks. Fortunately, someone helped him out. At least, I think they did. I actually haven’t seen him in the past few months. Do you think he’s okay? Another guy who got hired, and ultimately let go, was undoubtedly homeless. He brought a big bag with him and stocked up on all those snacks you make sure are on every floor (except on the weekends when the customer support team is working, because we’re what makes Eat24 24-hours, 7 days a week but the team who comes to stock up those snacks in the early hours during my shift are only there Mondays through Fridays, excluding holidays. They get holidays and weekends off! Can you imagine?).

Theoretically, you could live anywhere - even Idaho - and work for a Stockholm or New York or Silicon Valley company, but the theory doesn't always work out - again, despite my protests.

So how does a company get access to a huge pool of tech people, yet do so in a way that the tech people can afford to live without giving most of their money away for rent, taxes, and ten pound bags of rice?

Thursday, April 14, 2016

Fear everyone - or don't (Cellebrite or Hacker X never met the Bedford Police Department)

Every once in a while, I like to write a post in which I explain why I don't fear Big Brother (or, to put it another way, "don't worry about the government"). Over the years I've documented the demise of uGov, the cross purposes at UC Irvine, competing airline security systems, the poor security for nuclear missile launches, the lack of NSA-FBI security coordination, the lack of DHS-CIA coordination, and conflicts between the DHS, the FBI, and the NSA. These and many other episodes highlight the truth, expressed by Dave Barry, that any action by government will be met with an equal and opposite reaction from another part of government.

But right now I'm thinking about another post in this vein - Which do you fear more - business Big Brother, or government Big Brother? I want to quote from that 2011 post, which seems eerily relevant today.

Cellebrite manufactures a Universal Forensics Extraction Device. Now we're not talking about debate or biometrics here, but the examination of any item for purposes of law enforcement. In this particular case, we're talking about cell phones. If Malte Spitz had been unsuccessful in getting his location information from Deutsche Telekom, perhaps he could have bought the Cellebrite UFED and obtained the location information in that manner.

"Based on Cellebrite’s expertise in data extraction technology, the mobile forensics products perform both logical and physical data extraction, including recovery of deleted messages and content.

"With more than a decade of experience in mobile data technologies, Cellebrite provides the widest coverage available in the market today. The UFED family of products is able to extract and analyze data from more than 3000 phones, including smartphones and GPS devices."


I am writing this post mere weeks after the FBI ceased its attempts to have Apple unlock Syed Farook's iPhone. Why did the FBI stop? Because it got someone else to unlock it. The FBI didn't say who helped, but various sources claim that Cellebrite did the work, while other sources claim someone else did it.

So who looks good after this affair? Nobody. The FBI, who pleaded that they couldn't unlock the iPhone and that only Apple had the expertise to do so, apparently found someone to do it - possibly cheaply. Apple, who wanted to maintain its posture as a manufacturer of secure communications equipment, has had its security breached - possibly cheaply. And the people who actually unlocked the phone can't get any credit for the deed. Oh, and it's quite possible that the only information that was found on the iPhone in question was data about San Bernardino dining spots.

Now, who are you supposed to fear?

The FBI, who set the wheels in motion to allow this phone - or perhaps your phone - to be hacked?

Apple, who manufactured a phone - perhaps your phone - that could be hacked?

Or the mysterious people who actually performed the hack on this phone, and could do it to your phone?

"None of the above," you might say. "I have nothing to hide."

Well, if you have nothing to hide, then feel free to share your name, address, Social Security Number (remember Todd Davis?), and bank account passwords.

Oh, and leave your house and car unlocked.

Wednesday, April 13, 2016

Does wisdom require information?

You may recall my old post about data, information, knowledge, and wisdom, and its underlying assumption that these are ordered and one proceeds from another.

James Altucher feels differently.

I never read random articles on the Internet unless they are by people I know. Mostly I read books I love.

A friend asked me, when he heard all of this, “But aren’t you afraid you’re going to miss some information?”

I asked him, “What information?”

Wednesday, April 6, 2016

Are credit unions evil banks, or virtuous anti-banks?

As I was walking through a parking lot near a credit union office, I spotted a Bernie Sanders for President bumper sticker.

And it got me thinking.

As many of you know, the Bernie Sanders campaign can almost be characterized as a single issue campaign - namely, to ensure that land acquisition for the National Park Service is fully funded.

Whoops - I seem to have scrambled my notes. Actually, the Sanders issue that is getting a lot of attention can be summarized in four words: "Wall Street is evil."

From the Sanders website:

Wall Street cannot continue to be an island unto itself, gambling trillions in risky financial decisions while expecting the public to bail it out....

The six largest financial institutions in this country today hold assets equal to about 60% of the nation’s gross domestic product. These six banks issue more than two-thirds of all credit cards and over 35% of all mortgages. They control 95% of all derivatives and hold more than 40% of all bank deposits in the United States.

We must break up too-big-to-fail financial institutions. Those institutions received a $700 billion bailout from the US taxpayer, and more than $16 trillion in virtually zero interest loans from the Federal Reserve. Despite that, financial institutions made over $152 billion in profit in 2014 – the most profitable year on record, and three of the four largest financial institutions are 80% bigger today than they were before we bailed them out.


So why would a credit union employee support a guy like Sanders?

One possible reason might be the conclusion that when Sanders rails against financial institutions, he's not railing against credit unions. After all, credit unions are different - the government said so:

Credit unions are not-for-profit organizations that exist to serve their members. Like banks, credit unions accept deposits, make loans and provide a wide array of other financial services. But as member-owned and cooperative institutions, credit unions provide a safe place to save and borrow at reasonable rates.

So perhaps the bumper sticker owner believes that the problems on Wall Street are solely caused by for-profit (rather than not-for-profit) firms that are controlled by oligarchs (rather than individual credit union members just like you and me).

Or perhaps the bumper sticker owner realizes that money is money, but supports Sanders anyway. If so, he or she is not alone:

Meredith Burak is a third-generation Wall Street executive. At 32, she has worked in global wealth management for Bank of America and Merrill Lynch....

"Wall Street has been very good to my family," she said. "It has enabled myself and my cousins and people around me to go to college."

But at the same time, Burak said, Wall Street needs tougher regulation and rules. "People on Wall Street want the game to be fair," she said. "It is when people cheat that things get messed up for everyone. And to the extent that we can have rules and more enforcement to get people like [Ponzi schemer] Bernie Madoff out of the financial system, the better it is for the economy."

Burak said she left Merrill Lynch earlier this month and is traveling in Israel this week, focusing on charitable work on behalf of a cancer foundation in honor of her mother.


And after all, as an anonymous Sanders supporter points out:

"You've got Warren Buffett — one of the wealthiest people in the country — and he's out there supporting raising taxes and the things that Bernie talks about."

Tuesday, April 5, 2016

Coworking, where the new meets the old

Several years ago, coworking was a trend, part of the general trend of working away from an office. Perhaps you'd just park yourself in a coffee shop, or perhaps you'd rent time at a place such as Citizen Space. But people working in coffee shops initially created a backlash, and I just belatedly discovered that even the venerable Citizen Space is no more.

But companies are still entering the coworking market, such as Workbar. For those who aren't familiar with the coworking concept, Workbar has an explanation about the practice:

At Workbar we understand that people don’t always work the way they used to. Technology has made the workforce more mobile, yet has also increased the need for shared resources, human interaction, and fun at work. So we’ve created a network of coworking spaces where independent professionals, start-ups, small businesses, and remote employees of larger enterprises can enjoy a vibrant community and high quality office amenities at an affordable price.

Of course, if you're going to go out and create a coworking space for people, you need...space. And Workbar has, um, worked out a mutual win-win for itself and a much older company:

As consumer needs around commerce are changing, commerce hubs are reimagining and redesigning their physical locations to meet customers halfway, so to speak. Staples is joining in on that trend, and is thus converting some of its retail locations for office supplies into temporary office spaces for rent.

Staples, in conjunction with office-sharing startup Workbar, is looking to open three Boston-area communal workplaces. The hope is that the affiliation will draw more small business owners and mobile professionals into Staples locations. Staples needs the customers, as foot traffic has been on the decline since 2009.


This could be an interesting trend. As more people shop online, and brick and mortar establishments try to reinvent themselves, they're looking for all sorts of ways to use up their leased retail space. If this use brings in more customers for the establishment's primary business, all the better.