Thursday, August 27. 2015
No sooner do we pontificate on MumsNet et al on Monday than they hit the headlines again with a second DDoS attack within a week, which brought the system down on Monday night - Times:
Mumsnet has been hit by a second wave of cyberattacks after a hoax campaign this month led armed police to the home of its founder.
From an information security point of view it's an "interesting" problem - the truth is that people with IT skills can create quite a sophisticated digital attack these days at fairly low cost and effort. The big players spend a lot of money on their defences, but how does a "midcap" digital enterprise protect itself without spending all its money on sophisticated technology and an army of skilled techies?
From what has been written so far there seem to be three main areas to look at:
(The Swat attacks are reprehensible, but they are not specifically due to system hacking per se - that has a separate risk profile, i.e. the amount of personal data that is publicly available and triangulatable - see a talk we gave on that over here)
Surviving DDoS attacks is non-trivial, but it is the simplest problem to solve, as it is purely technical - in essence one needs a hybrid architecture of a scalable cloud-based infrastructure to be able to deal with the volumes, and an on-site system that keeps the lights on and is watching for the probe hacks that will often come under the cover of the DDoS.
Data theft attacks are more subtle, and hackers often use the confusion created by a DDoS. If a company is hacked, it is highly likely that links will be redirected to false sites in order to phish for more data. This data often comes in droves after a DDoS attack, as people try to log in to re-establish contact while there is still systemic confusion. The "worst case" attack is that an internal system has been subverted; typically a careless (or occasionally malicious) employee is the problem. This is exacerbated by modern "bring your own device" policies. In these cases the key is to ramp up secure procedures and discipline, which unfortunately also impacts users.
But ultimately, the cost of maintaining continual high security is, well, high, and no system is 100% secure against determined attack - it is also necessary to try to neutralise both the reasons for being attacked, and/or the attackers. It would appear that it's some posters on MumsNet who say things that these activists don't like, and thus the activists are mounting these attacks. The problem with activists (of all stripes) is that they probably won't go away anytime soon. As yet it's not clear where they are coming from, but it is even harder to manage this process if attacks are coming from other countries.
We think this will be an emerging trend, the use of (fairly low cost & effort) cyber-attacks to stop people one doesn't agree with having their say (or in the case of Ashley Madison, doing things one disagrees with), as it plays to an increasing tendency towards online polarisation and intolerance. Unfortunately the "systemic" endgame solutions will be some time away - which doesn't help the companies being attacked early on. MumsNet has some tough decisions to make on content vs discontents.
Monday, August 24. 2015
We have been reflecting on the data breaches at Mumsnet and Ashley Madison as well as the user revolt over Spotify’s attempt at a data land grab. We are still at the start of the information age and users are still learning the value and power of personal data. We believe that there are some lessons to learn here.
Lesson 1 - nothing is secure! We should know this by now! Even the NSA is not secure, as Edward Snowden helpfully demonstrated. Once you have given your information to a third party you have lost control of it, so take care about who you trust and what you tell them. For example, does my cable company need to know my real date of birth? Invent an “Internet Birthday” and only tell banks and governments your real DOB (banks so your credit check works and governments as they get grumpy when citizens don’t co-operate!)
Ashley Madison were bordering on the insane to claim (as reported by the Independent) that their servers were “kind of untouchable”. The only untouchable server is turned off, buried and disconnected!
Even after the data breach, the Ashley Madison website has pictures of padlocks and assurances of discretion. However, if you consider the value of the information to the user and compare it to the funds available to Ashley Madison to keep it secure, it doesn’t add up. The fact that a user’s email is “on the list” has potentially life changing consequences. At least, it will risk their relationship and family. Some people might say that they deserve that, although for the purposes of this post, we are not making moral judgements and just considering the relative value of information in different contexts. However, most people would be concerned about those users who have listed gay preferences and are therefore exposed to physical danger in the countries where they live (as reported in the same Independent article).
Of course, if you live in the wrong country, there are all sorts of lists that might get you into danger. Political activism in repressive countries is one of the things that the TOR Router was invented for, although it’s better known in the mainstream media for facilitating unsavoury transactions on the “dark web”. Data security is not the same as anonymity and in the case of paid-for services, anonymity is only an option if you can pay by Bitcoin.
Lesson 2 - users should consider how damaging a piece of information would be if revealed. This is really a variation on lesson 1, but with an emphasis on risk management. Because we mediate an increasing proportion of our lives via the Internet, there is more and more information that could potentially be taken out of context. This might be a youthful indiscretion posted on social media and picked up by a potential employer. It may be photos intended only for your partner. It may be that you are on a list of activists or a site like Ashley Madison. Most people would not want any of these things shared, but users can be naively trusting. You need to ask if the protection of said information will be given the same priority as you would give it and given the persistent nature of digital information, for how long?
The Mumsnet Data Breach provides an interesting contrast. Although users may have been inconvenienced by the breach, there is nothing on Mumsnet that anyone would be ashamed to own up to, or at least is not in (semi) public view already. From the reports, the only valuable information that seems to have been revealed from Mumsnet are personal details such as user email / password combinations and some postcodes. As Mumsnet have reset all their passwords, this only becomes a problem for users that use the same password for many sites. Unfortunately a depressing number of people do this and are vulnerable to breaches and phishing.
Lesson 3 – use a different password for each site. If you can’t remember that many passwords, append your password with some letters from the site name, e.g. “passwordMU” (by the way, “password” should not be used as a password!). This approach will stop automatic bots from reusing your password on other sites. Alternatively, use the browser function to store passwords. I would recommend Firefox as it allows you to share passwords across several systems using a “zero knowledge” protocol, meaning that their servers can never know your passwords (even if hacked).
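As an added illustration (not code from this post), the following puts the suffix idea above beside an HMAC-derived per-site password, which generalises it so that one leaked password reveals nothing about the others, and then shows the check a site can run after another site's breach to find users who reused a leaked password, the situation the Mumsnet paragraph above describes. The function names, sample emails, passwords and salts are all constructed.

```python
import base64
import hashlib
import hmac

# Constructed illustration, not code from the post. Sample emails, passwords
# and salts are made up.

def suffix_scheme(base: str, site: str) -> str:
    """The post's scheme: base password plus letters from the site name."""
    return base + site[:2].upper()

def derived_scheme(master: str, site: str, length: int = 20) -> str:
    """Stronger variant: per-site password = HMAC-SHA256(master, site), base64."""
    mac = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]

def shared_prefix(a: str, b: str) -> int:
    """How many leading characters one leaked password reveals about another."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def store_password(password: str, salt: bytes) -> bytes:
    """How a site should hold a password: salted, slow hash (PBKDF2 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def reused_accounts(leak, users) -> list:
    """Site-side check after ANOTHER site's breach: which of our users had the
    same email/password pair exposed there?  Those accounts need a forced
    reset (Mumsnet simply reset everyone).  leak: [(email, plaintext)];
    users: {email: (salt, stored_hash)}."""
    hits = []
    for email, leaked_pw in leak:
        rec = users.get(email)
        if rec is None:
            continue
        salt, stored = rec
        if hmac.compare_digest(store_password(leaked_pw, salt), stored):
            hits.append(email)
    return sorted(hits)

def demo_reuse_check() -> list:
    """Constructed breach dump from 'othersite' versus our own user table."""
    leak = [("alice@example.com", "Tr0ub4dor"),
            ("bob@example.com", "correcthorse"),
            ("carol@example.com", "hunter2")]          # carol is not our user
    bob_pw = suffix_scheme("correcthorse", "mumsnet")  # bob used the suffix scheme
    users = {
        "alice@example.com": (b"salt-a", store_password("Tr0ub4dor", b"salt-a")),
        "bob@example.com": (b"salt-b", store_password(bob_pw, b"salt-b")),
    }
    return reused_accounts(leak, users)   # only alice reused her password
```

Note that `shared_prefix` makes the weakness of the suffix scheme visible: "passwordMU" and "passwordFA" share everything but the last two characters, whereas the HMAC-derived passwords share nothing a bot could exploit.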
I haven’t talked about banking or financial websites and apps so far. From a user’s point of view (at least for the time being) the risk is more about inconvenience than loss of funds. The banks are still bearing the loss of data breaches to keep consumers confident in on-line banking. To be fair to the banks, they are also improving on-line security, with two factor authentication as standard for most on-line banking systems.
Lesson 4 - Email addresses are not secure identifiers. As email addresses are public, it’s quite easy to “borrow” email addresses. Spammers do this all the time as real email addresses stand more chance of traversing spam filters, especially if they are previously known to the intended recipient. There are reports that some of the email addresses on the Ashley Madison list were not put there by their legitimate owners. Of course, they would say that wouldn’t they! However, I am inclined to be sympathetic to such claims as Ashley Madison did not require emails to be verified and their “freemium” model is likely to attract “spam” profiles. These may be to initiate “Nigerian” scams, build botnets, etc.
Lesson 5 - This is well made by Paul Mason in the Guardian and is about the value of aggregated data. The examples of passwords and specific data points (“this user is an adulterer”) are easy to see. What is less obvious is how seemingly innocuous data (location, buying patterns, etc.) can be combined to make predictions about users and gather intelligence. On one level this is just creepy. For example, predicting women are pregnant before they know themselves. However, given what we know about the power of loyalty cards, it is more than likely that harvesting such rich data will give huge insight into our behaviour and intentions, conscious and unconscious.
We are moving towards a world of “total information awareness” - in fact, the name of a post-9/11 spying programme but nicely descriptive. Although recent events have highlighted the risks, there could be many positive sides. For example, your doctor could call you to say that you might be ill, rather than the other way around. However, we should go into this brave new world with our eyes open.
Thursday, August 20. 2015
Grauniad reports that Google now has to cut links to stories talking about the right to be forgotten:
I wonder if Google will be ordered to remove links to our story about the ‘right to be forgotten’ removal stories' own removal stories. Ah, the curse of recursiveness....
But this is the EU law - so of course, by using a Google browser from another country or Google.com this will not happen, as it does not apply (Yet - the EU is trying to make Google implement Right to be Forgotten across all its assets).
Or just use another browser without assets operating in the UK, which need not follow the law - DuckDuckGo, for example.
Quack Est Demonstratum...
Wednesday, August 19. 2015
Comparison of Byzantine and Osmanli Leadership Social Networks
I've been looking at research around what can be discerned about organisations and their effectiveness due to various organisation structures, and this paper, Calculating Byzantium, by Johannes Preiser-Kapeller of the Institute for Byzantine Studies, Austrian Academy of Sciences, came up. Compared to much of the worthy stuff and (frankly) dross I've been reading, it was fascinating, just the sort of thing Broadstuff readers may enjoy. The other useful thing about networks of the past is that you know what happened next, so they are, to some extent, predictive.
It has a section looking at the social networks of the Byzantine Emperor and the Osman Turk statelet (one day to be the Ottoman Turks) who were eventually to overrun Byzantium (there are also some other interesting sections about calculating ancient social networks, which fit nicely with Jared Diamond & Robin Dunbar's work).
The two commanders' network diagrams are shown in the picture above, and what is clear is that the Turkish command system is smaller and - looking at the stats (see below) - has many advantages. The paper notes that:
It's easy to jump into the assumption that the Turks are far more integrated, clearly far more information can be moved fast, and thus the Turkish system is more flexible, more responsive, more effective, and the inevitable Fall of Byzantium is merely a matter of time (it took c. 100 years from this period to get parity, mind you, and another 100 to finally take Byzantium out - a lesson that big old dinosaurs are still no pushover for fast moving startups).
But there are a few caveats:
Firstly, Byzantium at this time was a bigger, far more complex state than Osman's Turkish statelet, so needed more people to run it and - very unusually - was running with 2 Emperors (older one + nephew) and broke into a ruinous civil war in 1328 (halfway through this map's timespan), so the network would be massively bi-modal, with 2 opposing camps, by definition.
Secondly, the Byzantine system had been relatively stable for 800 years (just how they managed that would really be worth studying), so it's not a slam dunk that Osman's system was "better"; Byzantium had seen the likes of Osman (and far worse) come and go many times over the centuries. Arguably he got lucky, being around just at the time the Empire was busy tearing itself apart (and Andronikus II was by all accounts one of the crappest Emperors they ever had) and other challengers - the Venetians, Bulgarians and various Latins - were also attacking it at the same time.
Thirdly, as the paper notes, in Osman's network "the potential flows of power and resources are more centralised in the hand of the ruler". This works if the leader is able, and can keep on top of the decision flow. Not so good a system if the leader is not so able, and/or the system becomes more complex.
If there was a modern lesson for the "flexible structured, small and nimble giant killer startup school" it's that it's not enough to be just that to succeed; your large and ossified dinosaur opponent also needs to be in total disarray internally, and probably beset on a number of other fronts simultaneously. That the Ottoman state system started to look more and more like the Byzantine as it grew is a salutary lesson.
Or, to rephrase, that the [Insert your favourite Unicorn] system started to look more and more like the [insert your most hated Corporate Dinosaur] as it grew is a salutary lesson.
Thursday, August 13. 2015
It would appear Facebook's Messenger service not only knows your location, but packages it in the data stream when polled. The fate of the prospective Facebook Intern, Aran Khanna who found this out and built an App on the back of it, however, is more interesting - Boston.com:
The app also showed the locations, which were accurate to within three feet, in a group chat with people he barely knew. That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.
And, in classic Facebook one step back, two steps forward mode, after Shooting the Messenger (App Maker) they then...
...released a Messenger app update trumpeted as follows in a news release: “With this update, you have full control over when and how you share your location information.”
The lesson, should you wish to learn it - again - is that Facebook's view on your privacy is to exploit it until caught at it, and even then to try everything to keep it ongoing.
The other lesson, of course, is that Social Media SNAFUs must always be blamed on the Intern.
Wednesday, August 12. 2015
The Online Trust Alliance — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation, and wearable health/fitness technologies.
More about it here, in summary:
The OTA guidelines set a high bar for IoT device makers. On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.
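To make the two controls in that quote concrete, here is an added illustration (not the framework's or any vendor's code) of a device account model in which the factory default password works exactly once and only to set a replacement, and the admin and end-user roles hold separate credentials. The minimum password length, role names, sample passwords and the `DeviceAuth` class itself are assumptions for the example.

```python
import hashlib
import hmac
import os

MIN_LEN = 12  # assumed policy value, not from the OTA framework


class DeviceAuth:
    """Constructed model: single-use factory default plus separate roles."""
    def __init__(self, factory_default: str):
        self._creds = {}            # role -> (salt, pbkdf2 hash)
        self._must_change = set()   # roles still on a default credential
        self._config = {}
        self._set("admin", factory_default)
        self._must_change.add("admin")

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _set(self, role: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[role] = (salt, self._hash(password, salt))

    def _check(self, role: str, password: str) -> bool:
        rec = self._creds.get(role)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def login(self, role: str, password: str):
        # Session dict; while must_change is set it may only change the password.
        if not self._check(role, password):
            return None
        return {"role": role, "must_change": role in self._must_change}

    def change_password(self, session: dict, old: str, new: str) -> bool:
        role = session["role"]
        if not self._check(role, old) or new == old or len(new) < MIN_LEN:
            return False
        self._set(role, new)
        self._must_change.discard(role)   # default retired after first use
        session["must_change"] = False
        return True

    def create_user(self, session: dict, password: str) -> bool:
        # Only an admin who has retired the default may provision the user role.
        if session["role"] != "admin" or session["must_change"] or len(password) < MIN_LEN:
            return False
        self._set("user", password)
        return True

    def write_config(self, session: dict, key: str, value: str) -> bool:
        # Administrative change: admin role only, and never on a default credential.
        if session["role"] != "admin" or session["must_change"]:
            return False
        self._config[key] = value
        return True


def demo() -> list:
    """First-boot walk-through; returns each step's outcome for checking."""
    dev = DeviceAuth("admin")                                  # constructed default
    s = dev.login("admin", "admin")
    out = [s["must_change"]]                                   # True
    out.append(dev.write_config(s, "wifi_psk", "x"))           # False until changed
    out.append(dev.change_password(s, "admin", "correct-horse-battery"))  # True
    out.append(dev.login("admin", "admin") is None)            # True: default gone
    out.append(dev.write_config(s, "wifi_psk", "x"))           # True
    out.append(dev.create_user(s, "family-share-2015"))        # True
    u = dev.login("user", "family-share-2015")
    out.append(dev.write_config(u, "wifi_psk", "y"))           # False: user role
    return out
```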
About time. Of course, it means tearing up some of the favoured #IoT business models du jour, so will probably be seen more in the breach than the observance, but it's a start.
Sadly, the one thing we have learned about the Consumer from countless loyalty schemes and social media systems is that they largely don't understand the importance of privacy and will sell their data for a pittance.
Tuesday, August 11. 2015
Google has become Alphabet - Grauniad:
The tech company announced on Monday that it would rebrand itself as Alphabet – a new holding company whose largest wholly owned subsidiary will be Google.
It's being spun by the more breathless pundits as Being Different, being Google-ley, and there to guarantee innovation. Clearly spinning out the non-core businesses into small "start up" units outside the main engine helps ensure they don't get squashed by the main business, but making it structurally visible to the market is the last thing you want to do to "foster innovation" - it gives your shareholders visibility of how much of their money you are blowing on moonshots. Thus this move is probably more a prosaically conventional old school thing, as the Grauniad notes:
The tech giant has come under pressure as its founders have used the enormous success of its search engine to fuel riskier bets on autonomous cars, smart household devices, internet-delivering balloons and cutting edge medical research. The major restructuring will ostensibly give investors greater insight into how the money is being spent.
It will be interesting to see how transparent it will be.
PS: Interesting that Android is still within Google; there is very little similarity between those businesses.
Friday, July 31. 2015
Uber is now valued at $50 bn - WSJ:
Uber Technologies Inc. has closed a new round of funding valuing the five-year-old ride-hailing company at close to $51 billion, according to people familiar with the matter, equaling Facebook Inc.’s record for a private venture-backed startup.
This is...extraordinary, for a business that essentially bases all its economic value on arbitraging a section of the labour market, essentially the newly emergent (and thus poorly regulated) zero-hours-contract, dead end contract job market, or whatever the equivalent is in whichever country you look at. History tells us this will inevitably be regulated at some point in OECD countries.
Plus, all public service markets (like taxis, hotels etc.) were eventually regulated to protect providers (e.g. drivers) and customers (e.g. passengers) after the inevitable high profile abuses, so this one will be too at some point. (The recent scalping of Uber customers in London during the Tube strikes didn't help their cause.)
But what also fascinates me is the view that it is a sustainable high margin business among many people who really should know better, i.e. those handing over the money at these values, with all that implies. The dream is that efficient algorithms match supply to demand and the customer pays the value added surplus. That is fine at startup scale, when most customers are time starved salarymen with brass in pocket, but it's not a mass market proposition. The cost of running a taxi is little different no matter who is running it (unless you want people to skimp on all those regulated issues like maintained cars, drivers' licences etc...), so when it tries to scale to this valuation it is going to have to offer rides to the less cash-flush hoi polloi. So unless Uber is being run as a not for profit (and the $50 bn valuation rather belies that) then the bulk of the money taken out of the business model will be from the drivers' wages. And when that is dis-allowed (see - skimping, abuses, etc. above), where are the margins and who takes the hit?
I guess it's more that the backers are betting on Uber being able to
Do you believe this will lead to higher or lower standards in the industry? Do you believe that there will be public pressure to regulate this part of the taxi industry? Do you believe it will come sooner, or later?
Answers on a share application form for the impending IPO.....
BTW - there is an implication for all those building the "Uber for X": they had better think carefully about their business model (or their IPO date), as it will probably have the same (low) returns that the other regulated players they are trying to disrupt have, unless there is some other cost pool in that X value chain they can take surplus from other than arbitraging unregulated labour. (Hint - one doesn't get Unicorn values if one takes it from one's own cut...)
*Definition of IPO post Facebook - to sell unicorn-poo for a lot of dollars to those people who believe in unicorns
Tuesday, July 21. 2015
Ashley Madison, an online site which in essence is a market for meeting others interested in infidelity* (as opposed to dating sites where people pretend to be single) has had its data hacked. Including the data of the credit cards used, as it is a pay-for site - Grauniad:
Apart from a certain feeling of schadenfreude for c. 37 million very worried people, to me this is more a sign that yet again, on t'Internet, sex sets the trends that others will soon follow. As porn showed us how video and credit card payments would work, this shows how personal data hacking and trading will operate. As the Grauniad notes, at the root it is:
the mass scale of the hack attack has to be recognised for what it is: a gross invasion of privacy.
Anyone who thinks this sort of hack will be limited to sex sites is extremely naive... as human data's monetisation increases, so its value will increase. If Information is the new oil, it will be mined.
*I guess to show our hipster street cred I should call it an Uber-for-Adultery
Monday, July 20. 2015
...is in my view a seminal post from fellow UK blogger Nic Brisbourne, Managing Partner at Forward Partners. Nic makes (in my opinion) 3 very perceptive points in his post (here is my expurgation for the attention-deficited Broadstuff audience; the whole article is over here on The Equity Kicker and more nuanced):
As Nic says, the new opportunity for retail, therefore, is to solve the paradox of choice. Also, as he notes, recommendation engines, Social Media recommendation etc. are just the start. Now Nic's company has invested in some startups (it's what they do after all). Here in Broadstuff Towers we don't have a clue who will win this race; you can imagine a number of possible axes of success, but I think this is a very useful way to think about the "Future of Retail".
Creative Commons Licence
Original content in this work is licensed under a Creative Commons License