Thursday, August 27. 2015
No sooner do we pontificate on MumsNet et al on Monday than they hit the headlines again with a second DDoS attack within a week, which brought the system down on Monday night - Times:
Mumsnet has been hit by a second wave of cyberattacks after a hoax campaign this month led armed police to the home of its founder.
From an information security point of view it's an "interesting" problem - the truth is that people with IT skills can create quite a sophisticated digital attack these days at fairly low cost and effort. The big players spend a lot of money on their defences, but how does a "midcap" digital enterprise protect itself without spending all its money on sophisticated technology and an army of skilled techies?
From what has been written so far there seem to be three main areas to look at:
(The Swat attacks are reprehensible, but they are not specifically due to system hacking per se - that has a separate risk profile, i.e. the amount of personal data that is publicly available and triangulatable - see a talk we gave on that over here)
Surviving DDoS attacks is non-trivial, but it is the simplest of the three problems to solve, as it is purely technical. In essence one needs a hybrid architecture: a scalable cloud-based infrastructure to absorb the volumes, plus an on-site system that keeps the lights on and watches for the probe hacks that will often come in under cover of the DDoS.
Data theft attacks are more subtle, and hackers often use the confusion created by a DDoS. If a company is hacked, it is highly likely that links will be redirected to false sites in order to phish for more data. This data often comes in droves after a DDoS attack, as people try to log in to re-establish contact while there is still systemic confusion. The "worst case" attack is that an internal system has been subverted; typically a careless (or occasionally malicious) employee is the problem. This is exacerbated by modern "bring your own device" policies. In these cases the key is to ramp up secure procedures and discipline, which unfortunately also impacts users.
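The "probe hacks under cover of the DDoS" point above is the kind of thing the on-site system should be looking for. The following is an added example (not from the original post or from MumsNet): it triages constructed web-server log lines, sets the high-volume flood sources aside, and reports the low-volume clients that were quietly hitting login and admin paths or drawing 401/403/404s while the flood was running. The log format, the probe-path list and the thresholds are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache-style, not real traffic): a flood from two
# sources hammering "/", a low-volume probe hidden in the noise, and one ordinary reader.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.{i % 2 + 10} - - [27/Aug/2015:21:00:{i:02d} +0100] "GET / HTTP/1.1" 200 512'
     for i in range(40)]
    + [
        '203.0.113.7 - - [27/Aug/2015:21:00:03 +0100] "GET /wp-login.php HTTP/1.1" 404 0',
        '203.0.113.7 - - [27/Aug/2015:21:00:04 +0100] "GET /admin/ HTTP/1.1" 404 0',
        '203.0.113.7 - - [27/Aug/2015:21:00:05 +0100] "POST /login HTTP/1.1" 401 0',
        '192.0.2.55 - - [27/Aug/2015:21:00:06 +0100] "GET /forum/thread/123 HTTP/1.1" 200 8192',
    ]
)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+$'
)

# Paths a legitimate forum user rarely touches but a probe scan does (assumed list).
PROBE_PATHS = ("/admin", "/wp-login.php", "/login", "/phpmyadmin", "/.env", "/xmlrpc.php")


def parse(log_text):
    """Yield (src, method, path, status) for each well-formed line; skip junk lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["src"], m["method"], m["path"], int(m["status"])


def triage(log_text, flood_share=0.25, probe_min_hits=2):
    """Separate flood sources from the low-volume probes hiding behind them.

    A source is a flood source if it produced at least flood_share of all requests.
    Any other source with probe_min_hits or more requests that hit a PROBE_PATH or drew
    a 401/403/404 is reported as a probe together with what it asked for, so a responder
    can look at the handful of interesting clients instead of the noise.
    """
    per_src = Counter()
    suspicious = defaultdict(list)
    for src, method, path, status in parse(log_text):
        per_src[src] += 1
        if path.startswith(PROBE_PATHS) or status in (401, 403, 404):
            suspicious[src].append(f"{method} {path} -> {status}")
    total = sum(per_src.values())
    flood = {s for s, n in per_src.items() if n / total >= flood_share}
    probes = {s: hits for s, hits in suspicious.items()
              if s not in flood and len(hits) >= probe_min_hits}
    return {"total": total, "flood": sorted(flood), "probes": probes}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```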
But ultimately the cost of maintaining continual high security is, well, high, and no system is 100% secure against determined attack - it is also necessary to try to neutralise both the reasons for being attacked and/or the attackers. It would appear that some posters on MumsNet say things that these activists don't like, and thus the activists are mounting these attacks. The problem with activists (of all stripes) is that they probably won't go away anytime soon. As yet it's not clear where they are coming from, but it is even harder to manage this process if attacks are coming from other countries.
We think this will be an emerging trend: the use of (fairly low cost & effort) cyber-attacks to stop people one doesn't agree with having their say (or, in the case of Ashley Madison, doing things one disagrees with), as it plays to an increasing tendency towards online polarisation and intolerance. Unfortunately the "systemic" endgame solutions will be some time away - which doesn't help the companies being attacked early on. MumsNet has some tough decisions to make on content vs discontents.
Thursday, August 20. 2015
Grauniad reports that Google now has to cut links to stories talking about the right to be forgotten:
I wonder if Google will be ordered to remove links to our story about ‘right to be forgotten’ removal stories’ own ‘removal stories’. Ah, the curse of recursiveness....
But this is EU law - so of course, by using a Google browser from another country, or Google.com, this will not happen, as the law does not apply (yet - the EU is trying to make Google implement the Right to be Forgotten across all its assets).
Or just use another browser without assets operating in the UK, which need not follow the law - DuckDuckGo, for example.
Quack Est Demonstratum...
Wednesday, August 19. 2015
Comparison of Byzantine and Osmanli Leadership Social Networks
I've been looking at research around what can be discerned about organisations and their effectiveness from various organisation structures, and this paper, Calculating Byzantium, by Johannes Preiser-Kapeller of the Institute for Byzantine Studies, Austrian Academy of Sciences, came up. Compared to much of the worthy stuff and (frankly) dross I've been reading, it was fascinating, just the sort of thing Broadstuff readers may enjoy. The other useful thing about networks of the past is that you know what happened next, so they are, to some extent, predictive.
It has a section looking at the social networks of the Byzantine Emperor and the Osman Turk statelet (one day to be the Ottoman Turks) who were eventually to overrun Byzantium (there are also some other interesting sections about calculating ancient social networks, which fit nicely into Jared Diamond & Robin Dunbar's work).
The two commanders' network diagrams are shown in the picture above, and what is clear is that the Turkish command system is smaller and - looking at the stats (see below) - has many advantages. The paper notes that:
It's easy to jump to the assumption that the Turks are far more integrated, that clearly far more information can be moved fast, and thus that the Turkish system is more flexible, more responsive, more effective, and the inevitable Fall of Byzantium is merely a matter of time (it took c. 100 years from this period to get parity, mind you, and another 100 to finally take Byzantium out - a lesson that big old dinosaurs are still no pushover for fast moving startups).
But there are a few caveats:
Firstly, Byzantium at this time was a bigger, far more complex state than Osman's Turkish statelet so needed more people to run it and - very unusually - was running with 2 Emperors (older one + nephew) and broke into a ruinous civil war in 1328 (half way through this map's timespan) so the network would be massively bi-modal, with 2 opposing camps, by definition.
Secondly, the Byzantine system had been relatively stable for 800 years (just how they managed that would really be worth studying), so it's not a slam dunk that Osman's system was "better"; Byzantium had seen the likes of Osman (and far worse) come and go many times over the centuries. Arguably he got lucky, being around just at the time the Empire was busy tearing itself apart (and Andronikus II was by all accounts one of the crappest Emperors they ever had) and other challengers - the Venetians, Bulgarians and various Latins - were also attacking it at the same time.
Thirdly, as the paper notes, in Osman's network "the potential flows of power and resources are more centralised in the hand of the ruler". This works if the leader is able, and can keep on top of the decision flow. Not so good a system if the leader is not so able, and/or the system becomes more complex.
If there is a modern lesson for the "flexibly structured, small and nimble giant killer startup school", it's that it's not enough to be just that to succeed; your large and ossified dinosaur opponent also needs to be in total disarray internally, and probably beset on a number of other fronts simultaneously. That the Ottoman state system started to look more and more like the Byzantine as it grew is a salutary lesson.
Or, to rephrase, that the [Insert your favourite Unicorn] system started to look more and more like the [insert your most hated Corporate Dinosaur] as it grew is a salutary lesson.
Thursday, August 13. 2015
It would appear Facebook's Messenger service not only knows your location, but packages it in the data stream when polled. The fate of the prospective Facebook Intern, Aran Khanna who found this out and built an App on the back of it, however, is more interesting - Boston.com:
The app also showed the locations, which were accurate to within three feet, in a group chat with people he barely knew. That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.
And, in classic Facebook one step back, two steps forward mode, after Shooting the Messenger (App Maker) they then...
...released a Messenger app update trumpeted as follows in a news release: “With this update, you have full control over when and how you share your location information.”
The lesson, should you wish to learn it - again - is that Facebook's view on your privacy is to exploit it until caught at it, and even then to try everything to keep it ongoing.
The other lesson, of course, is that Social Media SNAFUs must always be blamed on the Intern.
Wednesday, August 12. 2015
The Online Trust Alliance — a group made up of such staunch civil liberties and privacy advocates as Target Stores (?), Microsoft and home security firm ADT — on Tuesday released a draft of its IoT Trust Framework (PDF), which offers voluntary best practices in security, privacy and what OTA calls "sustainability" (read "lifecycle management") for home automation, and wearable health/fitness technologies.
More about it here, in summary:
The OTA guidelines set a high bar for IoT device makers. On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.
About time. Of course, it means tearing up some of the favoured #IoT business models du jour, so it will probably be seen more in the breach than the observance, but it's a start.
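Two of the OTA rules quoted above - a default password that is retired after its first use, and separate passwords for the administrative and end-user roles - are worth seeing as device logic rather than as a bullet point. This is an added example, not code from OTA or from any device maker; the hashing scheme, minimum length and role names are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Demo of two rules from the OTA draft: a factory default password works only for the
# first login and must be replaced in that login, and the admin and user roles are
# separate accounts whose passwords may not coincide. PBKDF2 parameters are assumed.
ROLES = ("admin", "user")


def _hash(password, salt, iterations=50_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class DeviceCredentials:
    def __init__(self, factory_default):
        # Both roles start on the same factory default, flagged as not yet retired.
        self._accounts = {}
        for role in ROLES:
            salt = os.urandom(16)
            self._accounts[role] = {"salt": salt, "hash": _hash(factory_default, salt), "default": True}

    def _verify(self, role, password):
        acct = self._accounts[role]
        return hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))

    def _set_password(self, role, new_password):
        if len(new_password) < 12:
            raise ValueError("password too short")
        # Separate passwords per role: reject a value that also opens the other role.
        for other in ROLES:
            if other != role and self._verify(other, new_password):
                raise ValueError(f"{role} password must differ from {other} password")
        salt = os.urandom(16)
        self._accounts[role] = {"salt": salt, "hash": _hash(new_password, salt), "default": False}

    def login(self, role, password, new_password=None):
        """Return the role on success, else None. A still-default password only succeeds
        if it is replaced in the same call; it is then retired, so a second use fails."""
        if role not in ROLES or not self._verify(role, password):
            return None
        if self._accounts[role]["default"]:
            if new_password is None or new_password == password:
                return None  # first use must retire the default
            self._set_password(role, new_password)
        return role

    def change_password(self, role, old_password, new_password):
        if not self._verify(role, old_password):
            return False
        self._set_password(role, new_password)
        return True


def demo():
    """Walk a constructed first-boot flow and return what each step produced."""
    dev = DeviceCredentials("admin1234")
    steps = {
        "default_without_change": dev.login("admin", "admin1234"),
        "default_with_change": dev.login("admin", "admin1234", "correct-horse-battery"),
        "default_reused": dev.login("admin", "admin1234", "another-long-secret"),
        "new_admin_password": dev.login("admin", "correct-horse-battery"),
    }
    try:  # the user role still holds its default; it may not adopt the admin's password
        steps["user_reuses_admin_password"] = dev.login("user", "admin1234", "correct-horse-battery")
    except ValueError as e:
        steps["user_reuses_admin_password"] = str(e)
    steps["user_own_password"] = dev.login("user", "admin1234", "user-own-long-secret")
    return steps
```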
Sadly, the one thing we have learned about the Consumer from countless loyalty schemes and social media systems is that they largely don't understand the importance of privacy and will sell their data for a pittance.
Tuesday, August 11. 2015
Google has become Alphabet - Grauniad:
The tech company announced on Monday that it would rebrand itself as Alphabet – a new holding company whose largest wholly owned subsidiary will be Google.
It's being spun by the more breathless pundits as Being Different, being Google-y, and there to guarantee innovation. Clearly spinning out the non-core businesses into small "start up" units outside the main engine helps ensure they don't get squashed by the main business, but making it structurally visible to the market is the last thing you want to do to "foster innovation" - it gives your shareholders visibility of how much of their money you are blowing on moonshots. Thus this move is probably more a prosaically conventional old-school thing, as the Grauniad notes:
The tech giant has come under pressure as its founders have used the enormous success of its search engine to fuel riskier bets on autonomous cars, smart household devices, internet-delivering balloons and cutting edge medical research. The major restructuring will ostensibly give investors greater insight into how the money is being spent.
It will be interesting to see how transparent it will be.
PS Interesting that Android is still within Google; there is very little similarity in those businesses.
Friday, July 31. 2015
Uber is now valued at $50 bn - WSJ:
Uber Technologies Inc. has closed a new round of funding valuing the five-year-old ride-hailing company at close to $51 billion, according to people familiar with the matter, equaling Facebook Inc.’s record for a private venture-backed startup.
This is...extraordinary, for a business that essentially bases all its economic value on arbitraging a section of the labour market: essentially the newly emergent (and thus poorly regulated) zero-hours-contract, dead-end contract job market, or whatever the equivalent is in whichever country you look at. History tells us this will inevitably be regulated at some point in OECD countries.
Plus, all public service markets (like taxis, hotels etc.) were eventually regulated to protect providers (e.g. drivers) and customers (e.g. passengers) after the inevitable high profile abuses, and this one will be too at some point. (The recent scalping of Uber customers in London during the Tube strikes didn't help their cause.)
But what also fascinates me is the view, among many people who really should know better (i.e. those handing over the money at these values, with all that implies), that it is a sustainable high-margin business. The dream is that efficient algorithms match supply to demand and the customer pays the value-added surplus. That is fine at startup scale, when most customers are time-starved salarymen with brass in pocket, but it's not a mass-market proposition. The cost of running a taxi is little different no matter who is running it (unless you want people to skimp on all those regulated issues like maintained cars, drivers' licences etc...), so when it tries to scale to this valuation it is going to have to offer rides to the less cash-flush hoi polloi. So unless Uber is being run as a not-for-profit (and the $50 bn valuation rather belies that), the bulk of the money taken out of the business model will be from the drivers' wages. And when that is disallowed (see skimping, abuses, etc. above), where are the margins and who takes the hit?
I guess it's more that the backers are betting on Uber being able to
Do you believe this will lead to higher or lower standards in the industry? Do you believe that there will be public pressure to regulate this part of the taxi industry? Do you believe it will come sooner, or later?
Answers on a share application form for the impending IPO.....
BTW - there is an implication for all those building the "Uber for X": they had maybe better think carefully about their business model (or their IPO date*), as it will probably have the same (low) returns that the other regulated players they are trying to disrupt have, unless there is some other cost pool in that X value chain they can take surplus from other than arbitraging unregulated labour. (Hint - one doesn't get Unicorn values if one takes it from one's own cut...)
*Definition of IPO post Facebook - to sell unicorn-poo for a lot of dollars to those people who believe in unicorns
Tuesday, July 21. 2015
Ashley Madison, an online site which in essence is a market for meeting others interested in infidelity* (as opposed to dating sites where people pretend to be single) has had its data hacked. Including the data of the credit cards used, as it is a pay-for site - Grauniad:
Apart from a certain feeling of schadenfreude for c. 37 million very worried people, to me this is more a sign that yet again, on t'Internet, sex sets the trends that others will soon follow. As porn showed us how video and credit card payments would work, this shows how personal data hacking and trading will operate. As the Grauniad notes, at the root it is:
the mass scale of the hack attack has to be recognised for what it is: a gross invasion of privacy.
Anyone who thinks this sort of hack will be limited to sex sites is extremely naive....as human data's monetisation increases, so its value will increase. If Information is the new oil, it will be mined.
*I guess to show our hipster street cred I should call it an Uber-for-Adultery
Monday, July 20. 2015
...is in my view a seminal post from fellow UK blogger Nic Brisbourne, Managing Partner at Forward Partners. Nic makes (in my opinion) 3 very perceptive points in his post (here is my expurgation for the attention-deficited Broadstuff audience; the whole article is over here on The Equity Kicker and more nuanced):
As Nic says, the new opportunity for retail, therefore, is to solve the paradox of choice. As he also notes, recommendation engines, Social Media recommendation etc. are just the start. Now Nic's company has invested in some startups (it's what they do after all). Here in Broadstuff Towers we don't have a clue who will win this race - you can imagine a number of possible axes of success - but I think this is a very useful way to think about the "Future of Retail".
Friday, July 17. 2015
The IoT is 70% Hackable, says HP. Only 70%? It's hardly even growed up yet!
My colleague David Short has long been concerned about the hacking potential of "digital cars", as all intelligent devices in a car typically share the same databus, and as they become more wired to "the grid" the probability of hacking will grow, whereas so far the probability of manufacturers taking preventative measures is at best static. (And, as David often says, "preventative measures" will only deter the casual hackers; taking care of the real professionals requires considerable redesign of any such simple system.)
What does this mean? Well, anything from me being able to lock your car and demand that ransom money be paid to an anonymous bank account, to deliberate sabotage.
But this is just the tip of the iceberg. Now that the IoT is officially on top of the Hype Curve, any hacker worth their salt will be sharpening their code, and the truth is (having been doing IoT stuff for nigh on 30 years, since long before IoT was called IoT) that there has been absolutely minimal interest from the promoters in either mentioning or preventing the possibility of hacking, mainly as (i) it tarnishes the hype, (ii) it makes the seamless simplicity of those IoT solutions a lot less so and (iii) it costs money - theirs to shore it up, or yours if they don't.
And we are not talking about good old datahacking and datascraping; the thing about the IoT is that it controls devices, so hacking them not only gets the data, it lets the hacker control those devices. At its simplest it is swiping cycles like a botnet does; at its most malign it's causing dangerous malfunctions; in its mainstream use cases it's probably going to be used to facilitate crimes we already know and love - theft, extortion, etc. And not all the bad guys will be bad guys - there are quite a few corporates and quasi-governmental agencies who see a beneficial paycheck from controlling more of what YOU! used to do for free.
Now I watch the Economist with interest, as it's my "mainstreaming" litmus test - as in, when something is mentioned in The Economist, it means it's about to get mainstream publicity. And today they let the cat out of the bag....Dr Graham Steele of Cryptosense, quoted below, sounds just like David:
...many of the firms making these newly connected widgets have little experience with the arcane world of computer security. He describes talking to a big European maker of car components last year. “These guys are mechanical engineers by training,” he says. “They were saying, ‘suddenly we have to become security developers, cryptography experts and so on, and we have no experience of how to do all that’.”
As The Economist notes, this is the InnocentNet of the 90's, replayed:
the biggest difficulty is that, for now, companies have few incentives to take security seriously. As was the case with the internet in the 1990s, most of these threats are still on the horizon. This means getting security wrong has—for the moment—no impact on a firm’s reputation or its profits. That too will change, says Dr Anderson, at least in those industries where the consequences of a breach are serious.
One difference is that the 'Net has generated a huge community of hackers; they were a rare breed 20 years ago, now not at all, and the IoT is the biggest unlocked toybox you can imagine. Now you can be sure that critical devices worth a lot of money will have some attention thrown at them, but for the rest...
So what to do? Well, I don't mean to be a killjoy, but there is a typical trend for new technologies like this: first comes the hype, then the arbitrage, then the cowboys, then regulation to clean up Dodge City, then it settles down. Our advice, for practical purposes for now: we are not even in the Cowboy phase, so best is to be a "laggard early adopter" and let others experience the delights of being first into the Internet of Hacked Things for a good few years. But if you must adopt these New New Things:
(i) Don't sign up to any current metering or "smart" devices - none of them have any anti-hacking capability yet. If the control button is not yours and yours only, caveat emptor!
(In fact, never mind "intelligent wearables" - the other hype curve No 1 contender - I reckon the high value market is in cybercloaking wearables.)
Creative Commons Licence
Original content in this work is licensed under a Creative Commons License