Two Blasts From The Past In One Day: Monetate and IMCD

I got two exciting calls today from friends and former colleagues, David Brussin and Michael Miora. two of the guys with whom I co-founded InfoSec Labs and ePrivacy Group.

Mr. Miora is a seriously qualified information security and disaster recovery expert (as in Michael Miora, CISSP, ISSMP, FBCI). He has been working on a product that helps businesses recovery from disasters. It is called IMCD, from Incident Management CD, because one of its many clever tricks is to store, one on CD (or USB thumb drive or SD card) everything your company needs to know in an emergency: who to call, contact details, systems and software applications and data, by department, priority, location, and so on and, Wow, there really is a lot of stuff you need to get your hands on fast when the nasty stuff meets the whirling blades.

One reason I'm familiar with this product is that my brother (Mike Cobb, CISSP, ISSAP, MCDBA) was heavily involved, coding the interface and algorithms and such. The exciting news today was the availability of the new version, boxed and priced to sell, on places like Amazon, for $99.00. At this price it's a very cheap insurance policy and potential life-saver for owners of small-to-medium businesses as well as in charge of regional offices of larger companies. The next step in the marketing plan is to move into brick and mortar retail stores like Staples and OfficeMax. I look forward to seeing it on the shelves soon.

The news from Mr. Brussin was also very exciting--his new company's new product is ready to rock and they've just activated the first client. David is one of those people obsessed with making things work better through the appropriate application of technology. He was running his own networking company before he turned 20 and has been coming up with bright ideas ever since, like the anti-spam router, still the single most effective anti-spam tool you can buy. This latest company/idea is a means of making online retail sites work better (a by-product of spending too much time Internet shopping?). It sounds like David has put together an ace tech team to build this thing and I look forward to learning more about it.

What Fighting Spam Taught Me About Marketing (and Market Forces)

Yesterday I reflected on the emergence of the spam problem and some early work on anti-spam strategies. I'd like to continue the topic today with a second observation from early in 2001:

2. A lot of people want to receive relevant offers.

This is not the same as observation #1 in my previous post: Some people like unsolicited email. Back in 2001, point #1 was true: a not insignificant percentage of email users were open to getting email they didn't ask for. This percentage dropped rapidly over the next few years as the quantity of unsolicited email that these people received increased, together with the proportion of that email which was deceptive and distasteful.

What did not change is point #2; it is human nature to be receptive to a good deal IF it is relevant. We realized this...

Anti-Spam? But some people like(d) email surprises

Back in January of 2001, some of my buddies and I did some serious thinking about spam, the obnoxious unsolicited email, not the canned luncheon meat (email spam is sometimes referred to as unsolicited commercial email or UCE). For several days we sat around a table in a room paneled with whiteboard in the basement of a house in a suburb of Philadelphia. Collectively we came up with some useful and enduring insights. With spam now accounting for up to 90 percent of all Internet email traffic and new, more malevolent variations appearing weekly, I thought it might be useful to revisit some of those insights in this post...

A Small Wonder: World's fastest autogyro

I recently came across a story that intrigued me and at the same time lifted my spirits. It concerns a small flying machine called Woodstock.

But first some background. I've been interested in aircraft at least as far back as my first transatlantic flight (in a Bristol Britannia operated by B.O.A.C. ). That was when my father was on his way to work for the Renfrew Aircraft company in Canada, where we lived for the year that I was six. When I was 10, he and I went on a church outing to Heathrow Airport (my folks belonged to a pretty cool church). We had a guided tour of the Boeing maintenance facilities (where I learned that each of the four engines on a Boeing 707 are held on by just three bolts).

My brother and I got my our first helicopter ride when I was 11 and he was 6. Many years later he completed his training for his helicopter license while staying with Chey and me in San Francisco.

Lavish G8 Menu: A hotch-potch of complacent inanity?

Gotta love those British journalists. They have such a knack for spotting irony. In the Times this morning the headline read "G8 leaders feast on 13 courses after discussing world food shortages." This was followed by a truly sickening menu of the exotic foods upon which the leaders of the world's richest and most powerful nations feasted while pondering a massive increase in world hunger.

And it's not like the Times smuggled the menu out--the summit organizers were actually bragging about it, proving, once again, that the people who currently rule the planet have no clue. I mean, either you eat the fancy food in secret or you make a big show of eating plain food, for a change.

Then the Guardian's economics editor Larry Elliott, writing under the headline "A G8 removed from the real world," ponders what action, if any, the G8 will take. Will they do something decisive, for a change? Warns Elliott, "It would be foolish to bank on it." After pointing out that the last summit was way off base, he concludes that we would be "far safer to expect a repeat of last year's hotch-potch of complacent inanity."

And really, the G8 would have done better to dine on "aged hotch-potch of complacent inanity," perhaps served with a side order of humble pie, instead of wolfing down things like corn-stuffed caviar and truffle soup or sea urchin 'pain surprise' style.

Coming Together Nicely: Google Maps, Streetview, and Trip Advisor

I need to find a hotel to stay at in New York on August 22 for the opening night of 'our' movie: Dare Not Walk Alone. So I go to Google Maps and check the address of the cinema (Pioneer Theater, 155 East 3rd Street between Avenues A and B). Then I use Street View to check out the neighborhood. Then I use the Find Nearby feature to look up hotels. This not only maps the nearby hotels but now shows me Trip Advisor listings for them.

Not sure when Google added this feature, but it's very handy. I've blogged about Trip Advisor before when I used it to find an affordable hotel for a working trip to London. I find it useful, although you have to filter the opinions of the reviewers (some people 'hate' or 'love' things too easily). But it is even more useful in combination with Street View because I can see what the hotel and environs look like in a candid photo, not the hotel brochure (at the very least this should reduce the disappointment factor when people arrive and find the place is less glamourous than the official photos suggest.

Erosion Threatening America: And it's not global warming

At the supermarket you try to buy fresh, natural produce. but you recently heard that more than 60% of the food on the shelves today likely contains GM ingredients (a recent survey said 80% of Americans want food labels to indicate the presence genetically modified ingredients but 99.9% of GM food it is not labeled as such).

In the meat aisle you look for some meat to grill at the weekend when friends come over to watch the game. You see some are Black Angus steaks on sale, but are vaguely aware that under USDA rules any beef meat can be labeled Black Angus if the animal has a "black hair coat". You just hope the steaks taste okay.

At the checkout you swipe your debit card and hope that there is not some malicious code in the store that is capturing your card details and shipping them offshore for use in fraud schemes (which was happening for a while at nearly 300 otherwise reputable grocery stores).

Come the weekend, you fire up the grill and settle in to watch the game, unaware that one of the teams has been illegally spying on its opponents for years. At half time a friend asks about an email he got from the IRS asking for bank account information so the agency could send his tax refund via direct deposit. You tell him the message is a scam and the IRS does not use email because it can't be trusted.

In fact, you have this growing feeling that there is too much that can't be trusted these days; surely this erosion of trust is not good for the country. As the second half of the game begins you find yourself surreptiously surfing the Web on your laptop, entering search strings like: trust economic payoff, trust erosion growth, and such like. You find a widely quoted paper from 1997 that showed trust having a significant impact on aggregate economic activity, specifically "the coefficient for Trust [...] indicates that a ten percentage point rise in that variable is associated with an increase in growth of four-fifths of a percentage point" (Knack and Keefer, 1997). You find another paper from 2000 that concludes "a ten-percentage point increase in the number of respondents revealing themselves as “generally trusting others” is associated with a rise of per capita income in purchasing power standards of three-fifths of a percentage point" (Van Puyenbroeck and Cherchye, 2000).

So, increasing trust within America by ten percent could actually provide a big boost to an otherwise sagging economy. Is that feasible? Consider the numbers in this IBM study. America's trust level is 36. The figure for the Netherlands is 55 and for Norway it's 65. The UK is at 44 and Ireland's at 47. In other words, if Americans had the same level of trust as the Irish, an annual GDP growth rate of 3% percent could be boosted to 3.8%. If we reached Dutch levels of trust, that 3% GDP figure could be 4.6%. And if we achieved Norway's trust level, we could hit 5.4%, a veritable powerhouse of growth, achieved not by raping the land and ruining the environment and hogging resources, but by engendering trust between individuals and institutions.

There Should Be Blood: Oil deserves better

I finally got round to watching There Will Be Blood and I was terribly disappointed. While Upton Sinclair's Oil! painted a subtle picture of human motives and morals set against a detailed picture of the oil industry, the story told in this film just didn't make sense, at least to me.

It's not that I was expecting a true-to-the-book movie, or even the same basic story as the novel--we are given fair warning that the book merely inspired the film; but what I did expect was a coherent tale full of insights into the oil business.

Instead we get this incredibly intense character, Daniel Plainview (Daniel Day-Lewis) driven by heaven-knows-what motives. We wait all movie to learn why he is so angry and bitter and violent. I never found out. It's like a Coen brothers' movie without the humor. Indeed, I would probably have been happier if the film had been introduced as a Coen brothers production set in the early years of the California oil boom and World War I (after all, they made O Brother Where Art Thou? about the Depression in Missippi).

What I don't understand is the need to hook the film to the novel. Elements are shared, like an oil developer with a son in tow and a quail hunt that finds oil and a charismatic preacher whose family sells its land to the oil man. But that's about where the similarities end.

The differences are even more telling. While we see some of the workings of the oil business in There Will Be Blood the film passes up a lot of opportunities to educate, which was part of Sinclair's genius. The difference between leasing land to drill and buying it outright was not made clear--something that a lot of people in today's gas-boom states like Pennsylvania and New York could stand to learn more about.

Also unaddressed were the conflicting emotions experienced by the boy, used by Sinclair to address the age-old conundrum of how well-intentioned acts can produce bad outcomes. Sinclair's oil man is seemingly well-intentioned. He was a simple shop-keeper whose wife left him. He happened into the oil business at 40, got lucky, and wanted to pass along his knowledge and wealth to his son. He is not cynical in his exploitation of resources and people, he believes he is doing the right thing and being fair. The film totally omits the unions, The War, Bolsheviks, and the rise of communism and this misses a great opportunity to highlight major parallels with the world today, and underline how easy it is for well-intentioned men who think they are fair to really screw up the world, politically, economically, and environmentally.

Child Porn: Why One Man's Innocence May Worry IT Managers

Computer security news out of Massachusetts this week could be a sign of big troubles to come for IT managers in enterprises, government agencies, and SMEs, in the U.S. and around the world. It's not a virus or worm or Trojan as such, although they may be involved. No, it's a case in which an innocent man lost his job and his reputation, and may now win a landmark suit against his former employer. Why? Because he was fired for having child pornography on his company laptop without adequate forensic evidence that he put it there.

The case of Michael Fiola could become a landmark of sorts, although some observers seem to have missed the point I'm going to make: Any employer considering taking action against an employee, based solely on what is 'found' on an employer-issued computer, must have solid forensic evidence to justify that action, and preferably be in a position to justify the action on additional, non-forensic grounds. Why? Because failure to do so could have serious consequences.

Legal Precedent, the CIO/CISO Remit, and Indian Affairs

Q. Have you spent much time at the U.S. government's Bureau of Indian Affairs web site lately?

A. No.

I didn't think so. Because, when you go to www.bia.gov it's not there. According to a recent news story that may be about to change, but don't hold your breathe. There hasn't been a web server at bia.gov for most of the past 7 years. Why? The short answer, which I consider to be highly instructive to Chief Information Officers and Chief Information Security Officers everywhere--inside the government and out--is this: "Because the judge just said No."

Allow me to elaborate. Back in 2001 a judge told the BIA to take its site off the Internet because it was not secure. And, in a judgment that strikes me as a brilliant application of commonsense, he added: "Don't put it back until it's secure."

How does a judge determine if a web site is secure? The same way that the Federal Trade Commission does: submit it to examination by an objective, independent third-party who is suitably qualified, such as a CISSP (Certified Information System Security Professional). And that's what the BIA did, in 2003, and again in 2004. Basically, the BIA kept reworking its systems to try and achieve a standard that I like to call "secure enough." That means the site can withstand all of the obvious, predictable and realistically feasible attacks.

And that pretty much sums up the real world standard used by site like Amazon.com and BankOfAmerica.com. For example, a site won't fail the "secure enough" standard just because it's encryption could be defeated by a brute force attack that would take $50 million super-computer to execute. A site will fail if it is found to be vulnerable to a known cross-site scripting attack or a SQL-injection hole that was patched six months ago.

Well now there is a Court Order permitting Internet reconnection for Indian Affairs and the agency is "on the path to full reconnection to the Internet." Note that this is not happening because the judge's security experts gave the site a clean bill of health. On the contrary, the United States District Court for the District of Columbia Circuit and agreed with the agency that the judge was out of line when he issued the Consent Order Regarding Information Technology Security that suspended the site back in December, 2001. So, the court gave permission for the "information technology systems of the Bureau of Indian Affairs (BIA), the Office of Hearing and Appeals (OHA), the Office of the Special Trustee for American Indians (OST), and the Office of Historical Trust Accounting (OHTA) to be reconnected to the Internet." It will be interesting to see how long that takes, and how secure the site proves to be, in a real 'real world' test.

In the meantime, companies might ponder how they would fare if all Web sites had to pass a security review before they were allowed to go live.