17 Security Related Phrases We Are Sick of Hearing

1. “What is the key to our wireless again?”

2. “I downloaded something and now my computer is acting all weird”

3. “Why do I need to use the VPN all the time?”

4. “How come I have to apply updates all the time?”

5. “At home I run Macs because they don’t get viruses and malware”

6. “Hey, can you teach me how to hack?”

7. “Is there any way to get around me having to type my password over and over again?”

8. “I clicked on it because it totally looked like it was from my bank”

9. “I think my Twitter account has been hacked, what do I do now?”

10. “Should I get my CISSP?”

11. “Is it safe to click on this self-signed cert?”

12. “I have no idea how that pornography got on my computer”

13. “The webpage said that this cloud service was 100% secure”

14. “I locked myself out of my account again, can you reset it?”

15. “I think I may have just lost a bunch of important files, what do I do?”

16. “Can I get root access on this server?”

17. “We will get back to you on those security-related changes you recommend”


Accounting for the uncountable

Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. —Albert Einstein

I know now more than ever why he made this point.  Back in 2009 I blogged on this topic and wanted to revisit it briefly before I start in a direction that will ultimately place me back in the industry where this research can be applied.

In my independent study of Gregory Bateson and Alfred Korzybski I truly understood for myself that the name is not the thing named, or, as some would say, the map is not the territory.  I call your attention to this manner of thinking because we have a problem with metrics: the count is not the things counted.  Many metrics for risk and compliance describe beautiful mathematical formulas but see only limited success because the classification of the things being counted is understood by only a few individuals.  This blog posting makes the assertion that our problem with effective metrics is not one of numbers but one of semantics; not of the counts but of the things counted.  Since April of this year, I’ve been working on a few computational systems that sidestep the requirement put forth by number systems and I’m excited to test them out in the real world.

The things being counted must be named, defined, and ultimately understood by a community of practice.  The very act of naming is an act of mapping or classification; it comes with a certain level of precision and consequences. A useful classification standard for one community may be useless for another. To the degree that this mapping or classification is shared with others in your community of practice, you achieve a mutual semantic coherence (some call this objectivity but I reject that term).  The durability of a set of metrics is challenged when multiple communities of practice are asked to engage in a common objective for the business.  Such is the case when one proposes a standard terminology and metrics that apply across a large enterprise consisting of multiple communities of practice and diverse personas.  To be useful, one must know what these metrics mean and be able to draw inferences from experience.  Needless to say, the process of stabilizing semantics across communities is extremely expensive, and for those performing this in purely information spaces like information security, rapid change makes it practically impossible.

A measurement system must be judged on the notion of “usefulness to a community of practice” and this scoping must be made explicit.  The utility is a function of the audience’s ability to draw inferences from the counts and the things counted.  Let me share with you an example I experienced with a Canadian co-worker back in 2009.  I said “Dude, it was in the 90’s in San Francisco today”.  A blank face appeared as I saw him think and convert this implicit 90 degrees Fahrenheit to Celsius ((F – 32) x 5/9) because he could not draw an inference from Fahrenheit.  Inferences such as: it is weather for shorts, no jacket required; it is odd for San Francisco to have a high of 32 Celsius; homes in San Francisco don’t have AC because it is never that hot; and so on and so on.

When you look at the notion of temperature, you can see that different communities have chosen different standards because of the way they have come to know those units, and it is more about the semantics than the mathematics.  This becomes exponentially more difficult when the syntax is the same but the semantics vary.  Take terms like ‘asset’ or ‘platform’ and you can fill a page with what they mean in different contexts for different communities, even within the same enterprise.  Each community of practice has come to know the term ‘asset’ in very different ways; each person has encoded work and meaning in ways that differ from others.  While mathematics remains important, we must turn our focus to formal ways to share semantics. Only then can we share the numbers (the count) within their intended context (the things counted); semantics that can only be seen through a keen ethnographic eye that respects heterogeneous sense-making and the diverse viewpoints of an enterprise.

So while I am not going to spill the beans just yet, I will say that more important than numbers and counts are the means to compute membership in classes.  You are probably saying to yourself, well, does that not require numbers?  I mean I need to score higher than 70 to pass this test, I need to score less than 40 to pass this audit, etc.  We got so hung up on number systems to help us compute membership in a set that everyone forgot to explore the other techniques.  Welcome to the wonderful world of semantic reasoning; in the coming months, I will have many stories to tell.  Thanks to the great works of Einstein, Bateson, and Korzybski, accounting for the uncountable will finally make sense.

The Spy Who Loved Me (be tracked and earn points!)


Almost every task you perform is online and almost every online service you subscribe to is tracking your behavior in detail.  And, the reality is that this is happening offline as well.  How many loyalty cards are you carrying around to get points?  Guess what all those businesses are doing with the data they gather from your loyalty cards? That’s right, they are tracking your every move.

Everyone is freaking out about the NSA tracking US citizens, but their local grocery store, Amazon, and their favorite search engines are likely to have a longer history of “spying” on their behavior.  Beyond these obvious data collection mechanisms, bike computers, fitness monitors, and mobile phones are all publishing location data to systems that are not very well protected.

As a consumer of online and offline services, do you have a choice about being tracked?  Not really.  I dare you to try to be proactively anonymous.  The effort alone, not to mention the discounts you will forfeit, will be significant.  On average, you save about 10% to 20% in loyalty programs and that can really add up. If you really want to be anonymous, you’ll need to pay in cash and that’s not very convenient. You’ll also need to enter all your personal accounting data manually and, as Sweet Brown would say: “ain’t nobody got time for that!” Of course, cash will also limit your vendor selection.  Anonymity, or even its close approximation, will take practice and skill that you just don’t have, and the people tracking you are banking on this fact.

Parents, employers, governments and online vendors all want to “spy” on you so they can “make” you a better son or daughter, student, employee, citizen, or customer.  No matter which role you fall into during a specific transaction, the “spying” is supposed to be for your benefit.

My point is that if you accept the fact that spying or tracking is a given, then instead of complaining about it you can get proactive. This makes it possible to make conscious decisions about who is allowed to “spy” on you. I think consumers should approach this decision by evaluating these criteria:

1) Make sure you are the one getting a tangible benefit. This doesn’t have to be a discount, it could be priority access to information or better status. Whatever it is, it should be meaningful to you – don’t give your data away for nothing.

2) Demand that the data being collected on you is protected in some way.  Some people tracking you are absolutely careless about how they store and protect the data and this is not going to change until consumers collectively demand a change.

One other issue that hasn’t been addressed by most vendors tracking your behavior is ‘identity noise’ or ‘profile pollution’, caused when multiple people use a single login. Most systems assume a one-to-one relationship between users and logins, or are based on the incorrect assumption that you only shop for yourself. When you start allowing others to make purchases using your login, or buy things for your children or friends with very different tastes, stupid recommendations start to appear, rendering recommendation engines annoying instead of helpful.

Netflix recently came to terms with the fact that multiple people were using the same Netflix account and, instead of fighting it, they introduced the concept of multiple profiles associated with the same login/password.  Now a single account can have up to 5 profiles, so your kid’s unicorn or pony cartoons and your wife’s romance flicks don’t pollute your quality sci-fi recommendations.  Good job Netflix!

Believe it or not, it’s possible (and maybe even likely) for us to become even more traceable. Just wait until Tiles are available and used by the masses.  All I have to say about this is that the people behind Tiles better have badass security people working on the design and implementation, or it has the potential to make really bad things happen.  Tiles could get very creepy very fast; for example, they could be hidden in gifts so that something in your proximity can subsequently be tracked.  Give a gift that keeps on spying – ugly but extremely possible.

Are you paranoid yet?  I’m not sure you will ever be sufficiently paranoid because so many of these monitoring acts are being sold with major benefits. Deep discounts, rewards, recommendations that you would have not found on your own — all of these things are the positive side of vendors “spying” or tracking your actions.  Marketing and business intelligence systems require more precision about customer behavior so businesses have become very effective in their communications in order to remind you that every action they are taking is “for your own good”.

This battle is being won or lost in the hearts and minds of consumers, not in the bits and bytes of the data vendors are collecting. And all hope for privacy isn’t completely lost. Eventually, it will all work itself out, but the issues are more social than technical.  Just remember this: you are a person of interest to someone and that someone will want to track you.  This has been true since the day you were born.

The death of the physical space


When you think about the social function of architecture – to increase the probability of communicating with another individual via a physical encounter – you also must consider the radical change technology has brought to it.  If your ancestor a few hundred years ago needed to speak with someone and that person was not home, he would likely wait for hours at a common place like a town square or market place knowing that at some time in the day that person would show up and they could communicate.  This would change forever with the mobile phone.  The opportunity spaces once created by architects and city planners now take a back seat to just calling or sending a text message to the individual.  Being in the same physical space is no longer a requirement and thus the infrastructure changes to meet these needs.  The same case applies to the work environment and in this post let’s explore the death of the physical space we call work.

Let us first rule out all physical work, because if you are a masseuse you are not likely to be able to work virtually (that is, until you invent robots for the task, but I digress).  We are talking about the knowledge worker, the same class of worker that Alvin Toffler and Peter Drucker spoke about in all of their published work.  It is exactly this workforce that is transformed by smartphones, tablets, cloud storage, and all the productivity of Internet-based applications.  Yet the old culture still requires them to have their butts in some designated seat in some office cubicle.  Its crude measure of productivity is how many hours they are physically at work, not mentally at work, and this should be a warning sign.  Ask yourself this: how does your management measure your productivity?  If the measures are all heavily based on physical factors and you are a knowledge worker, it is time to get the hell out and join a company that will scale, thrive, and appreciate your value.

With a highly dynamic and adaptable workforce comes another shift in thinking regarding roles and responsibilities.  The old static roles of yesterday gave rise to the infographic we know today as an organizational chart, or org chart.  I find this to be useless or even misleading when you are trying to build a dynamic cross-functional team that needs to deliver a project in a few weeks.  In a theatrical sense, the old way of working was easier, with your role and responsibilities tightly coupled to your title, but the new knowledge worker comes to the table with a capability set that is only defined by his/her contribution to the overall group at runtime.  It is no longer about being the smartest person in the room, it is about being the smartest room!  And for those of you not paying attention, I don’t mean a physical room.

I’m not going to argue with you about the effectiveness of high bandwidth face to face communication, I’m talking about leveraging and making productive the other 90% of the time when you are not face to face with that person or group.  Being a geographically distributed organization is a reality or you will not be able to scale or remain competitive.  This 10% face to face time is likely to decrease to more like 2% if you are lucky.

The workplace of the industrial age has a long-standing tradition of creating memes that get the talent to congregate physically.  While you still need to move to New York if you want to be on Broadway, it is less the case these days that you need to move to Silicon Valley to be a successful software company.  I’m always shocked to hear about arcane work policies that require an 8 hour physical presence of a worker at their desk.  The companies that focus on talent and not location are the ones that will deliver higher quality product and innovation, and operate at a much lower cost.

Face it, [physical] space is optional.  Much of how we work, live, and play does not require us to be in physical proximity to one another.  Amazon is crushing physical retail, streaming media surpasses physical delivery of movies and music, and everywhere you turn, the physical room is reduced to an information space that facilitates some set of tasks.

Live where you want to live, play where you want to play, and work where you want to work.  Go ahead and try to fight it but you will lose.

BYOD: Bring your own Dissonance

Bring your own device (BYOD), or the policy of allowing employees to bring personally owned computing platforms to work to perform work tasks, has raised security and management concerns.

The reality is that this is a pattern that has been repeated several times over the years. This pattern has to do with the dissonance that forms when humans and computers move to the next level of technology and practices.

Some of you may have been doing this as long as I have – Do you remember when IP (Internet Protocol) wasn’t the only thing on the wire?  If you were in an IBM dominated shop, they used to call us the “Open Systems” (referring to devices that ran IP).  For the most part, we were treated the way mobile BYOD folks are treated now.  Basically, we were guilty until proven innocent.  At the time no one could measure our productivity gains directly, so it was nearly impossible to make a solid business case against protocol stacks like IBM’s or Novell’s IPX.  Then suddenly, the Internet happened and, for the most part, IP quickly became the dominant network protocol.  In retrospect this might seem like a smooth transition, but I promise if you were there fighting the fight, you remember it as a period of dissonance with plenty of drama.

In the same way that IP connected the world in a completely new way, new personal computing devices are redefining the ritual space we call ‘work’.  Work is no longer a physical place and phrases like “I need to go to work” are going to fade away just like the buzzing and squealing of dial-up modems.  Instead, work is becoming a set of processes. It turns out that more often than not these processes can be executed more effectively when you aren’t sitting in your assigned cubicle in front of your assigned corporate owned computing device.

Recently, I’ve found myself becoming much more sensitive to the context of a task. So much so that now I queue my task lists this way. Call it context-based task execution, where one of the contexts is location.  (In my task lists, things, people, and places are the parent categories – you get the idea.)

Another factor that’s often overlooked in BYOD is the emotions connected with the buy decision for personal devices.  Compare this with corporate purchases that are all about the numbers and how they stack up in Excel.

People tend to fall in love with their devices; corporations are just evaluating total cost of ownership and specs.  This aspect of BYOD has the potential to drive profound change over time as companies make provisions for their users.

In the not too distant future I can see the IT Ops folks moving away from the role of network device cop and toward the role of device consultant. Instead of kicking users off the network and reprimanding them for attaching unmanaged devices, users will proactively consult with IT Ops about which devices to buy and be involved very early in the lifecycle.

Some companies have already embraced this change and those companies, just like the ones that embraced IP early on, are going to have an easier time attracting and retaining the best talent which translates into better profits.  The trick will be new metrics in the measurement of productivity and associating on-time delivery, innovation, or product quality to these new aspects of work.

Others will fight the change and, as we saw in the transition that made IP the dominant network protocol, may not survive.

It’s estimated that 129 million people will have purchased their own smartphones for work use in 2013.  These numbers are growing and what you must realize is that some of the most important communication and decisions you will make in 2013 will likely be done on your smartphone.