SSL Decryption is becoming the norm

A couple of years ago I was at a client’s site in Dubai. The client was a telco, and I was doing some security consulting for them. Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country. Privacy laws, as far as I could determine, do not exist. All internet communications are actively monitored. It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied. Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements. The design is not as complex as one might think, just resource intensive. Resources are required to process the data in real time, and staff are required to maintain the infrastructure, look into events and perform other tasks. Telcos do this because it is required by law. You cannot obtain a license as a telco unless you have monitoring capabilities deployed.

My first day in Dubai, I went to lunch with one of the executives of the telco. During our lunch, I asked him how they manage encrypted connections. He explained that they were currently getting ready to deploy a solution for that. The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required. Aside from opening my eyes to the difference in privacy between North America and the Middle East, I found it interesting that SSL decryption was so readily available. Previously, I had seen software that law enforcement used for this purpose. I myself had done it for clients using available tools during an engagement. But those tools were designed for targeted surveillance, not mass scale. Like all technology, it improves and gets less expensive over time, I guess.

Today, there are many more companies in North America and abroad that either have deployed SSL decryption capabilities or are in the process of doing so. Security, diagnostics, audit and legal requirements to know what is entering and leaving their networks, and to be able to log and trace data transmissions back to the originator, are some of the reasons. One driver is Data Leakage Protection (DLP), currently a very ‘hot’ topic with many new vendors jumping on the opportunity with solutions. In order to look for data leakage, you need to see past any encryption that might be present. Cisco, Blue Coat, Palo Alto Networks and Fortinet are just a few companies that offer products for SSL decryption.

With Google deploying encryption for Gmail and more recently for search, and plug-ins such as the EFF Firefox plug-in to help secure your communications, companies are feeling more and more concerned about what data is coming and going. What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run. If these companies are decrypting the SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs. The net result is that everything is decrypted and no one has any privacy.

Next time you connect to your bank, doctor’s office, insurance company, Gmail or any site and see secure indications from your browser similar to these

along with the company’s reassurances that the site is secure, keep in mind that things may not be as they appear – today even more so than yesterday.

Do you deploy any type of decryption on your network?  If it is deployed are you aware of it?


LinkedIn and the new ‘Follow’ feature

LinkedIn has a new follow feature.   If there is a company you are interested in, selecting ‘follow’ will send you notifications when people join, leave, or get promoted in that company.

Up until now, the main reason I used LinkedIn and Facebook was to keep abreast of what is happening in my contacts’ lives. Typically, my LinkedIn contacts are people I have worked with, and Facebook is more for social friends. This is a really useful feature to me for a couple of reasons:

Are people leaving a company? If there is an increased rate of people leaving a particular company and you are considering working for that company, you might want to reconsider. Or you might see it as an opportunity. Regardless of your decision, it gives you valuable insight. Insight that was not as easily available before social networking.

Transparency. It forces transparency for companies as they do not have any control over LinkedIn.  I love this.  If suddenly there is an increased rate of people leaving a company, public announcement or not, something is up.  Good information to have, especially if you are considering them as a potential candidate for employment or contract work.   The reverse (where a company is suddenly hiring) is also true.

One can suggest that it is not ‘official’ information, but in reality that doesn’t matter. Forgoing statistics and math, ask any investigator or law enforcement detective. If you get enough information from enough people, eventually you will get to the truth. Sure, each piece of information is biased, leaves something out, or has added titbits for colour, but if you get as much information as you can (sample size), you will start to see what most likely is the situation, or at the very least where to focus your efforts to answer the question. The same applies to information from LinkedIn. It may not be official, and sure, maybe one or two people are misrepresenting their position or title, but if there is a sudden change in a company’s employees, there is usually a common set of reasons for the change.

A few months ago, when I was looking at changing careers, I was active on LinkedIn. Even without the follow feature, it became obvious to me over the weeks that one company I was interested in was letting people go. Looking at the profiles of the individuals that were leaving, they had been at the company for a long period of time and were typically in senior management positions. The company was not officially downsizing. Curious, I contacted a few individuals at the company. My assessment based on LinkedIn was correct. They were quietly replacing higher paid employees with lower paid ones. Correlating this information with the positions they had published for hiring, you could see this was clearly the case.

What fundamentally worries me is that companies will start to see this as a problem and attempt to ‘fix’ it. They could do this in several ways: discourage employees from posting to LinkedIn, offer LinkedIn money to change the perception of their company, or LinkedIn could see it as a business opportunity and offer perception control as a ‘service’ to companies. I hope this will never be the case, but money talks. I recently saw a tweet about Facebook, but the concept applies to LinkedIn as well:

RT @ruv: “The most important thing to understand abt Facebook is that you are not fb’s cust, you are its inventory” via @davehyndman

The risk of social networking in this case is we have to trust LinkedIn.  LinkedIn is the control point of this information and we have to trust them to do the ‘right’ thing.  While this might seem okay, one only needs to look at the recent happenings at Facebook to understand what can happen when a company gains a clear majority of followers and controls the information.

I do like this stuff though!  Isn’t behavioural analysis awesome?

Passing an audit does not imply you are secure

I have been reading up on a few of the auditing standards such as COBIT and PCI. I have dealt with audits at clients in the past. Financial institutions take them very seriously. Given the nature of their business and last year’s financial crisis, this approach makes complete sense.

There is a need to ensure audit compliance across the entire banking infrastructure. From a financial perspective, compliance with the various audits is a must if you wish to stay in business. Of course, my background is in network security. Network security is not the same as auditing. Although I have not met anyone that would say if you pass a particular set of audits you are secure, I have noticed across the audit industry in general there seems to be an unstated understanding that if you do pass audits you are secure, or more secure than if you don’t.

Passing an audit does not mean you are secure. Here is one simple example among several I have come across. One of the audits requires that your entire internal network has address translation from inside to outside. Effectively, the idea is that if I, as an outside user, browse to http://michaeldundas.com, that address would appear to me, the requester, as 216.240.0.43.

From the quick diagram above, you can see how the client thinks that it is directly connected to 216.240.0.43/32, and it is. Based on the audit requirement of having complete address translation with the untrusted Internet, you would have to configure a device that converts the IP address the client sees to a different IP address.

The second diagram shows a router configured with Network Address Translation (NAT) to convert the IP address in both directions.  In this way the client does not know the real IP address of the server.   Any attack that you could do without NAT, you can do even if NAT is there.  Anyone that is active in attacking servers knows this.  It offers no additional security, just extra work.
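To make the point concrete, here is an added example (not from the original post) that models the second diagram: a static one-to-one NAT in front of the web server. The public address 216.240.0.43 and the host name michaeldundas.com come from the post; the private address 10.0.0.43, the client address 198.51.100.7 and the HTTP exchange are constructed for this example.

```python
"""Static one-to-one NAT walk-through (added example, not from the original post).

Models the second diagram in the post: a router in front of the web server
rewrites the public address 216.240.0.43 (from the post) to a constructed
private address 10.0.0.43 and back again.  The point being illustrated is
that only the IP header changes; the request the server receives is
byte-for-byte what the client sent, so NAT hides an address, nothing more.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address

PUBLIC_IP = "216.240.0.43"   # the server's address as seen from the Internet (from the post)
PRIVATE_IP = "10.0.0.43"     # constructed: the server's real address inside the network


@dataclass(frozen=True)
class Packet:
    """Just enough of an IP packet for the walk-through: addresses plus payload."""
    src: str
    dst: str
    payload: bytes

    def __post_init__(self) -> None:
        # Reject malformed addresses early; ip_address() raises ValueError.
        ip_address(self.src)
        ip_address(self.dst)


class StaticNat:
    """A fixed public <-> private mapping for one host (static NAT)."""

    def __init__(self, public: str, private: str) -> None:
        self.public = str(ip_address(public))
        self.private = str(ip_address(private))

    def inbound(self, pkt: Packet) -> Packet:
        """Internet -> inside: rewrite the destination if it is the public address.
        Everything else, including the payload, is left untouched."""
        if pkt.dst != self.public:
            return pkt
        return replace(pkt, dst=self.private)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source so the client never sees 10.0.0.43."""
        if pkt.src != self.private:
            return pkt
        return replace(pkt, src=self.public)


def round_trip(nat: StaticNat, client_ip: str, request: bytes) -> dict:
    """Push one request through the NAT and report what each side observed."""
    from_client = Packet(src=client_ip, dst=nat.public, payload=request)
    at_server = nat.inbound(from_client)
    # The server answers to whatever source address it saw; the reply is constructed.
    reply = Packet(src=nat.private, dst=at_server.src, payload=b"HTTP/1.1 200 OK\r\n\r\n")
    at_client = nat.outbound(reply)
    return {
        "server_saw_dst": at_server.dst,          # 10.0.0.43: the address was translated
        "server_saw_payload": at_server.payload,  # identical to `request`
        "client_saw_src": at_client.src,          # 216.240.0.43: the private address is hidden
        "payload_unchanged": at_server.payload == request,
    }


if __name__ == "__main__":
    nat = StaticNat(PUBLIC_IP, PRIVATE_IP)
    # Constructed client address from the documentation range 198.51.100.0/24.
    result = round_trip(nat, "198.51.100.7",
                        b"GET / HTTP/1.1\r\nHost: michaeldundas.com\r\n\r\n")
    for key, value in result.items():
        print(f"{key:20} {value!r}")
```

Whatever the client puts in the request body arrives at the server unaltered; the only thing the audit requirement buys is that the client sees 216.240.0.43 instead of 10.0.0.43.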

Auditing does have its place and is necessary.  Complying with audit requirements for many industries is not an option and your staff must understand that.  But don’t let yourself or your staff be fooled into thinking audits make you more secure.  Audits help but they are not a substitute for good and proper security.   Passing an audit does not mean you are secure.

The wrist watch is dying, yet I still wear one.

I love wrist watches. As a kid I had several, a mix of analog and digital. From about 5 or 6 years of age, I would always be found wearing one of the watches I owned. Even today, I have 3 wrist watches: a military certified one, a Raymond Weil, and one given to me by a former employer when I left that has their logo on the face. To this day I still keep abreast of the wrist watch market. My watches work fine, and yet I keep toying with the idea of purchasing a Breitling. I have a passion for the design, attention to detail, precision and expertise this company puts into their products. Compared with the typical “get it out the door and fix it later” approach of many of today’s companies, what Breitling promotes is refreshing. While I understand why most technology companies run their businesses with the “out the door” approach and the necessity in today’s market, it makes me feel sad inside.

I just finished watching a TED presentation by Sir Ken Robinson. It is an informative and entertaining presentation on how the education system of today does not need an evolution; instead it requires a revolution. Much of what he says parallels what Seth Godin wrote about in Linchpin. One of Ken’s analogies is how our children do not see the point of a wrist watch. It is a single-purpose device that is no longer necessary, but people over the age of 25 typically wear a wrist watch simply because we always have. I have to admit, I am well over the age of 25 and I still wear one. I also have a PDA, tweet, blog, and am very current in the latest technology, networks and security. I don’t need a wrist watch. Not only do I still wear one, but I still want a Breitling. Why?

I love their website. It is current and artistic, constantly being updated. It shows you the ‘flashy’ look of their products, yet those wishing to obtain technical details of a specific product can do so easily. It doesn’t send you to a PDF; technical specifications and flashy displays are all integrated into the site design. It is well thought out and well designed. This is important. It tells the viewer that this is how they do everything, including how they design their wrist watches. The design of the site shows their personal brand. There are lots of videos of their jet team. You might wonder what a jet team has to do with wrist watches. My wife jokingly said “That is why they have to charge so much for their watches.” Just like the design of their website, the videos of the jet team reinforce the Breitling personal brand. Jet teams flying with accuracy, speed, timing, focus, trust, taking risk. That is how they make their watches, their website, train their jet team, how they view their trade craft. How they do everything.

I want a Breitling watch because I like watches and the attributes of the Breitling brand resonate with me. I feel sad sometimes with the “get it out the door” approach of many companies, because they ignore what I value.  Precision, speed, timing, attention to detail, trust are attributes I have valued since I was the age of 6.

Untrusted devices on a trusted network; Resistance is futile!

This is probably the biggest ‘no no’ in security theory: don’t let an untrusted device onto your network. Most security professionals know that is an ideal, but not really achievable. Companies are forced to let customers connect via the Internet with any system they choose: browsers such as Firefox, Safari, Opera and Internet Explorer; Windows, Mac, Solaris or Linux for an operating system. In most cases, for end-user shopping, this is all acceptable.

In an attempt to mitigate this problem, we use firewalls, intrusion detection/prevention systems (IDS/IPS), and other devices, along with design principles, to create zones. These zones then have policy applied around them indicating the levels of trust permitted into a particular zone. All this is very similar to physical security principles; just stop and think about an airport.

Most large companies apply these theories described above on their internal network as well where they have enjoyed much more control.  Often an organization has a laptop they give you.  It has their chosen Operating System, their selected applications, and is locked down by a policy they have chosen and enforce via Active Directory or some other mechanisms.  Combine this with internal security devices, apply “Zoning” and appropriate policy and you feel safe — you have control of your internal network right?

But there are always exceptions. These exceptions represent the outside pressure to change your security stance. A consultant or vendor is a good example. In comes a consultant to do an 8-month project. She needs access to certain aspects of the systems: access to employees’ calendars, access to critical systems for the project, external access to the VPN of her own company, and external resources on the Internet that are ‘blocked’ by your particular policy. She doesn’t use Windows, but her own flavor of Linux she created herself. Taking a security stance, you can say no, but that only works for a while. Eventually a project comes along that is too critical, costs the company a lot of money to complete, and whose completion means bigger sales. Now you and the security principles you enforce are perceived as a roadblock to accomplishing a key objective. Inevitably, you are forced to make an exception. It is at this point that all your hard work is nullified. Not only that, you lose the respect of others in the organization. You are seen as an inhibitor, a constant roadblock, a team that no other team wants to deal with.

This problem, which has been around for years, is accelerating and getting worse with PDAs, netbooks, iPads, iPhones, and every other network-enabled device that is becoming common for everyone to have. People are going to want to connect them to your corporate network. You can resist for a while, but resistance is futile. Like the common consultant example above, you will make exceptions, and eventually the number of exceptions will be greater than the non-exceptions. Bruce Schneier recently commented on this when he was interviewed at RSA.

More and more companies now have to get used to the fact that people are going to come in with the technologies they want and that is what they are going to use.  So we are going to see a lot more security around connecting random untrusted devices into a trusted network.

When you get to the younger generation, they are not going to work and get a computer that is less powerful than the one they use at home.  They are not going to be given a second cell phone.

“I’ve already got a cell phone, I’ve already got a PDA! … I’m not going to use two.”

We need to shift how we design security. Rather than resist these new devices, we need to design the security of our internal networks and systems so that we can manage the security around these untrusted devices connecting to our networks while allowing them to function. Resisting this will end up just like trying to resist the consultant or vendor: being forced to make an exception, being perceived as the team that is difficult to work with, and losing the respect of your colleagues. With the number of Android phones, iPhones, iPads, and other portable network devices coming onto the market, the exceptions to most security policies are about to skyrocket.

Is your organization working pro-actively to address, incorporate and manage untrusted devices in your internal network?


Why I transitioned out of the telecommunications industry

Now that it is public knowledge that I have accepted a new position in the financial services industry, I have been getting questions from many people on my choice to leave the telecommunications industry. It has been a decision I have been contemplating for at least 2 years now. I started looking outside the telecommunications industry back in August 2009. Technically, I was working for a vendor who provided telecommunications companies with hardware and services, but anyone that works for a vendor will tell you that the goals and beliefs of your customer are your goals and beliefs whether you want them to be or not. Here are the main reasons I chose to try a different industry.

Telecommunications companies are not concerned about security, or more specifically their customers’ security. They are concerned about security that affects their systems or their brand image. But if you are trying to get them to spend money on technology that will help secure their customers or make the Internet a better place, it is a much more difficult sell. Basically, unless there is some way it will affect the customer directly, or they will look bad if it becomes public, or they experience downtime that might tarnish their image, they are not interested. There are international differences with telecommunications companies and security, but even in these cases you can boil it down to laws or issues that will affect the customer directly in some way. When they do engage in security, if the telecommunications company can spin it so it looks better for them, taking care of their customer, all the better.

The telecommunications industry should be regulated. Just as gas, hydro, and emergency services are regulated industries, so should the telecommunications industry.  The Internet is an essential service now, for those that disagree I encourage you to go and pull the plug on your Internet service during a peak time and see what happens.   These companies should have simple and clear business objectives.  You deliver bits of information.  Your job is to deliver packets to their destination as quickly and efficiently as possible.  The type of packet or data it contains is not your concern, just deliver it and charge accordingly.  And yes, charging accordingly should be regulated, just like electricity.  I am not suggesting there is not a need to prioritize certain traffic over other traffic, just that the telecommunications companies should not be concerned about that.

They are fighting against becoming a commodity. When I started at my previous employer, they were easily one of the top in their field and the best at what they did. There was, and still is, a great group of people that work there to make that happen every day. Although there was competition, they were easily the leader. Move ahead 5 years and there are many players that are as good. Cisco and Juniper now offer comparable feature sets in their existing hardware, which did not exist before. From a security perspective, some of their ideas were ahead of their time. But they have been surpassed in this area now due to increased competition and smaller companies with a focus on specific areas. The big focus in the industry over the last year or so has been wireless. While wireless offers many opportunities, the competition is not as it was when broadband became popular. Lessons learned from broadband will be applied to wireless by everyone. The playing field is much more level now than it was in the past.

Net Neutrality. While a recent decision has the market declaring that net neutrality is dead, I don’t believe it is over.  Rather the fight has just begun.  Personally I feel the way to end the debate is to force everyone to pay for what they use, and regulate the industry and what they can reasonably charge, like other essential services.   Given the increase of encryption, privacy awareness, and detection avoidance practices, the current methods of deep packet inspection will become useless.  A different approach has to be developed.

These are the major reasons for wanting to leave telecommunications for the time being.  I did look at and consider other offers  in the telecommunications field and I may go back someday.  For now I’ll enjoy watching what happens from a distance.  In my new position, I will still be working with telecommunications carriers and vendors, just as a customer.   Albeit a customer with a lot of experience and knowledge from the other side.  In a future post I will write about my reasons for choosing the financial services industry.

Do you ever consider changing not just your current employer, but an entire industry?   What would make you consider such a switch if at all?


On the lookout for attacks

After school, my first employment opportunity came in the financial services industry. I worked for a bank and was initially responsible for a group of firewalls that separated the Internet from the internal bank network. It was a little more complicated than I am describing, as there were technically several networks with different ‘trust levels’, and the firewalls deployed policy in an attempt to enforce these levels of trust. Aside from my role of ensuring the policy accurately reflected the business requirements, I spent time ‘looking’ for anomalies, potential attacks or issues. This work involved writing lots of Perl scripts to parse and correlate logs, analyzing packet captures, running vulnerability and penetration tests, and the other typical functions a security analyst performs. While it sounds very proactive, the amount of actual proactive work was in reality minimal. You get bogged down with other projects, meetings, lack of resources, a deadline here or an emergency there. I eventually switched to a different team that designed the networks and security. My new manager, for whom to this day I have the utmost respect and who is now retired, wanted to have myself and another individual given permission to spend a week or so of dedicated time snooping around the network, servers, and systems. We would attempt to gather what information we could obtain, authorized or not. We would be given free rein to see what we could gather. The only restrictions were no DoS attacks or causing outages, and we were to remain stealthy. We would put all this information in a confidential report for management. He presented this, but was told no. I was very disappointed. The project sounded very exciting and fun, and I was so looking forward to it. My manager was disappointed as well, although he said he expected that response and shared with me why that decision was made. He is a very smart man and was ahead of his time.

Over the Easter weekend, I had the opportunity to speak to a friend who has worked for the federal government for over 30 years. My friend was telling me about a security team whose sole responsibility is to be proactive. This team searches the network looking for vulnerabilities or attacks that are in progress, usually under the radar, using a variety of open source and other tools. My friend was very positive about them, indicating the team has done really good work and produced excellent results. I was happy to hear that a large organization such as the federal government had a full-time team dedicated to this purpose.

In my years consulting for many different industries both large and small, I have seen a very obvious increase in proactive security monitoring, analysis, and investigation.  Most financial industries have teams in place today as well as other large organizations.  Unfortunately, in some cases, these teams are not dedicated full time, rather it is one part of their many responsibilities.  In my opinion, this is where a mistake is being made and the effectiveness of having proactive security teams starts to be a problem.

One of the biggest reasons that proactive security analysis teams are not present, or only part-time is cost and lack of measurable valid metrics.  How do you measure the effectiveness?  It is possible the team might go for weeks, not finding any big vulnerabilities.  Maybe there are not currently any attacks present on the network.  Maybe there are active attacks, but they are currently not looking in the right places?  Maybe they don’t have the expertise required to see the attack in progress?   From a financial perspective, one sees large sums of money for the team of experts and you may or may not get tangible results.  It is a tough justification.  If money gets tight within the organization, this problem often worsens.  Research often falls into very similar circumstances.  There is an intrinsic value to having these types of teams, but how does one represent that financially?  I haven’t figured out an answer to this yet.

For industries that provide infrastructure or financial services, or deal with data that is sensitive, I believe that regulation from government is necessary for this type of activity to be provided with guarantees.  I think as a society we will eventually get there, but it will be a long battle with industries pushing back indicating that they can self-regulate.  Given the types of attacks that are now prevalent, proactive analysis with expert people is absolutely necessary.

If you ask any organization, large or small, they will all state they take information security very seriously. But would you expect a different answer? I have spent the last 8 years consulting, and this has given me some insight into those statements. In my experience, the reality behind those statements contains quite a bit of variance. From my consulting engagements in many different parts of the world, I find that this is somewhat geographically based. If you head over to the Middle East, for example, I have found that proactive security is present in many organizations and it is not new. The attitude is different as well. Proactive security is expected, from senior management down, and if you mention the idea of not having it, the reaction is to look at you as if you are nuts, and in most cases that reaction is a truthful one.

How serious is your organization about security? Do their actions match their statements, or are they just words?

A GM Equinox, end user experience and security

We own a 2007 Equinox built by General Motors.  Besides being a little heavy on gas usage by today’s standards, it is a good vehicle.  It is comfortable, handles well in winter, has plenty of room.  I have never been a fan of North American vehicles.  I personally tend to favour Acura, Audi, and Mazda, but the Equinox at least got me feeling better about GM vehicles.  Then I had to change the headlight.

The passenger headlight was no longer working. When I went in to get the oil changed, one of the technicians informed me that it was out. I asked if they changed light bulbs. He said they do, but not on this vehicle, as they did not stock the bulb. What he said made sense and I knew he wasn’t lying, but something about the way he said it bothered me. A couple of days later, my Mazda was at Canadian Tire getting the brakes done and the summer tires put on. I asked the mechanic if they could replace a light bulb on a 2007 Equinox. He said they could, but it would be at least an hour in labor charges. How hard could this be, I thought to myself? So I purchased the light bulb for $10.00 and thought I could put it in myself. The manual had a single page with 3 diagrams and 4 steps, each a single sentence. With the instruction manual, light bulb and required tools, I was clear to go... or so I thought.

In order to get at the light bulb to change it, I had to remove 11 screws, one of which is way down through a tiny hole that you can barely get your arm in, let alone the ratchet tool needed to undo it. The first 8 screws loosen the front grill, so you can bend it back, so you can get at the light.  You have to loosen and pull the light unit out to replace the bulbs.  The actual bulb replacement was easy, took 2 minutes.  Then you get to put everything back together.  Needless to say I was happy I accomplished it, but frustrated it was so much work.  I now understand why mechanics charge an hour of labour to replace a headlight.

I think something went wrong during the design of the Equinox, they lost the perspective of the end user.  I expect to have to do certain tasks to maintain my vehicle in good working condition.  The end user will have to put gas in it, check the oil level, check the washer level, check the tire pressure, change light bulbs. When designing a vehicle these things should be easy to do.  Removal of an entire front grill, reaching to find screws in small confined places to remove a headlight assembly are just silly.  Where was the person that during the design process said “Wait a moment.  The end user will not be able to replace a burnt out light easily. We need to re-think this.”?

This whole situation reminds me of the security industry I am a part of. So many of us are paranoid, constantly trying to ‘lock’ things down, creating multiple steps that a user has to go through to get access or maintain access to networks and data, often to the point of inconvenience and annoyance. One of my first managers, now retired, constantly complained about this type of behaviour. He was a very smart person and I learned a lot from him technically. I also learned a lot from him about large financial institutions and people. One example was the password requirements. It was required that every 3 or 4 weeks you had to change your password. The password had to have so many characters, including a numerical as well as a ‘symbol’ character or two. He kept changing between two passwords. Then someone in security got the brilliant idea that, in order to increase security, they would remember the last 30 passwords so that users would be forced to create new ones. That would increase security, right? He was so annoyed that he changed his two passwords to a single password with the month and year on the end. Every time he needed a new password he would simply change the month and year. Problem solved. It was unique and predictable.
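As an added example (not from the original post), the check below shows what a password-change handler can do beyond remembering the last 30 hashes: compare the new password with the current one, which the user has to supply to authorise the change anyway, and flag the ‘same core, different month’ pattern the post describes. The sample passwords, the date patterns stripped and the 0.8 similarity threshold are all assumptions for this example.

```python
"""Spotting 'same password, new month' rotations (added example, not from the post).

The post describes a policy that forced a change every few weeks and remembered
the last 30 passwords, and a user who answered it with one password plus the
current month and year.  A history of password hashes cannot see that pattern,
because every variant hashes differently.  At change time, however, the user
supplies the current password to authorise the change, so the server briefly
holds both plaintexts and can compare them.  The similarity threshold and the
date patterns below are assumptions for this example, not from the post.
"""
import hashlib
import re
from difflib import SequenceMatcher

_MONTHS = ("jan|feb|mar|apr|may|jun|jul|aug|sep|sept|oct|nov|dec|"
           "january|february|march|april|june|july|august|september|"
           "october|november|december")
# Trailing digit runs (years, counters, MMYY) and trailing month names,
# each optionally preceded by a separator.  Applied repeatedly so that
# 'Summer_May2010' -> 'summer_may' -> 'summer'.
_TRAILING_DIGITS = re.compile(r"[\s._\-]*\d+$")
_TRAILING_MONTH = re.compile(rf"[\s._\-]*(?:{_MONTHS})$")


def strip_date_suffix(password: str) -> str:
    """Return the lower-cased 'core' of a password with trailing month names,
    years and digit runs removed.  A password that is nothing but such
    material keeps its full (lower-cased) value so it is still comparable."""
    core = password.lower()
    while True:
        stripped = _TRAILING_MONTH.sub("", _TRAILING_DIGITS.sub("", core))
        if stripped == core:
            break
        core = stripped
    return core or password.lower()


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> tuple[bool, str]:
    """Decide whether `new` is just `old` with a different date or counter.
    Returns (flagged, reason).  The 0.8 similarity threshold is an assumption."""
    if old == new:
        return True, "password unchanged"
    old_core, new_core = strip_date_suffix(old), strip_date_suffix(new)
    if old_core == new_core:
        return True, "only the trailing date or number changed"
    ratio = SequenceMatcher(None, old_core, new_core).ratio()
    if ratio >= threshold:
        return True, f"cores are {ratio:.0%} similar"
    return False, "ok"


def history_digest(password: str) -> str:
    """Stand-in for a stored history entry.  Real systems use a slow, salted
    password hash; plain SHA-256 is used here only to make the point below."""
    return hashlib.sha256(password.encode()).hexdigest()


def in_history(new: str, history: set[str]) -> bool:
    """The 'remember the last 30 passwords' check from the post: exact match only."""
    return history_digest(new) in history


def check_change(old: str, new: str, history: set[str]) -> dict:
    """Combine the exact-match history lookup with the rotation heuristic."""
    flagged, reason = is_trivial_rotation(old, new)
    return {
        "blocked_by_history": in_history(new, history),
        "blocked_by_rotation_check": flagged,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed history: the manager's scheme from the post, one entry per month.
    past = ["Tr0ub4dor&Mar2010", "Tr0ub4dor&Apr2010", "Tr0ub4dor&May2010"]
    history = {history_digest(p) for p in past}
    # The history misses the June variant (new digest); the rotation check catches it.
    print(check_change("Tr0ub4dor&May2010", "Tr0ub4dor&Jun2010", history))
    # A genuinely new password passes both checks.
    print(check_change("Tr0ub4dor&May2010", "correct horse battery staple", history))
```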

If we are designing vehicles, applications, network security, or procedures, it is important to include in the design the answers to typical human behaviour. How will end users respond and react to design decisions? Is this response what we wish? In what ways could it be misused? If you are not satisfied with the answers, you should reconsider the design. In the case of security, it is important to accurately assess what you are protecting and design security accordingly. By attempting to enforce more security than is necessary, you may actually increase, not decrease, the risk to what you are trying to protect.

One thing is for sure: the next time I purchase a vehicle, I will be checking how much work it is to change a headlight.

Linchpin

Linchpin by Seth Godin was a really good book and was released at the perfect time in my life and career.

Linchpin discusses many topics, including how it is necessary for individuals to exert emotional labour while at work, the need to stand out and be indispensable, how our brains are wired to naturally resist becoming a linchpin, how management, history, and school have taught us to follow the rules and work hard and we will be rewarded, and why this will no longer ensure a happy and prosperous future.  These and other concepts are tied together very well and give the reader a new perspective.

For some it will drastically change their perspective on work and their interactions with others in all areas of their life.  For others that are already on their way to becoming a linchpin, it will provide guidance and ideas for growth and improvement.

While I believe that many industries will and do resist the ‘Linchpin way of thinking’ due to historical concepts of what worked in the past, eventually it will take hold in all industries.  It has to, and this becomes more and more obvious as you read the book.  The previous and in some cases current ways of running businesses, working with customers, and fellow employees are no longer viable.  Clear real world examples are given as well as science to back up the concepts and ideas presented.

Although the entire book was excellent, two sections that 'registered' with me on a very intimate level were More cowbell and Honest signals in everyday life.  More cowbell is something that I have realized my mother taught me growing up.  Basically, if you are going to do something, then do it.  Don't do it half way or partially; do it.  Honest signals in everyday life discusses concepts such as micro-expressions and the basic idea that we as humans naturally detect who is honest and sincere and who is not, and we react accordingly.  The non-verbal communication registers with us much more than what is said.

A few of my favourite quotes:

When your people do what they do because they love it, it works. Even if they’re not as technically adept as the competition.

The reason start-ups almost always defeat large companies in the rush to market is simple: start-ups have fewer people to coordinate, less thrashing, and more linchpins per square foot.

It is okay to have someone you work for, someone who watches over you, someone who pays you. But the moment you treat that person like a boss, like someone in charge of your movements and your output, you are a cog, not an artist.

People are not going to follow you because you order them to …. Linchpins don’t need authority. It’s not part of the deal. Authority matters only in the factory, not your world.

People follow because they want to, not because you can order them to.

The linchpin is able to invent a future, fall in love with it, live in it — and then abandon it on a moment's notice.

Manager, entrepreneur, leader, worker, mother, father, or spouse, there is a message for everyone.  All in all, this book is about growth: learning to become a linchpin while respecting the needs and concerns of others.

In addition, here are some great quick videos, where people speak about Linchpins.

Verified by Twitter is just silly

Have you ever seen the Verified by Twitter logo?  It is supposed to give the public assurance that the person who holds the account is the real person and not someone pretending to be them.  Off and on over the last few weeks I have been trying to find out what the procedure is.  What are the requirements?  How do they prove the individual is who they say they are?  Does Twitter intend to roll it out to everyone?  I have had no luck.  Any queries seem to go into a vacuum.  They have this page which says:

To prevent identity confusion, Twitter is experimenting (beta testing) with a ‘Verified Account’ feature. We’re working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a Verified are the real thing!

The first and last statements are what interest me: "To prevent identity confusion" and "Accounts with a Verified are the real thing!".

I have always been a fan of the music group The Corrs.  One of the members, Sharon Corr, has gone out on her own and is creating some songs and getting ready to release an album.  I have been following her on Twitter.  She has a Verified by Twitter account.  Her Twitter ID is @Sharon_Corr.  If I look at her account, from the picture and links to her website and videos I can be reasonably certain it is her.  However, what if you were looking for a different Sharon Corr?  There must be more than one Sharon Corr in the world.  So I randomly tried @SharonCorr.  This person appears to be someone who writes poetry.  But is her name really Sharon Corr?  What if it is and she applies for a Twitter verified account?  Will Twitter verify it and give her the Verified by Twitter logo?  If her name is Sharon Corr, then they should.  But that might confuse someone like myself, looking for the singer Sharon Corr, so maybe they won't.

How does Verified by Twitter make me feel safe as a user of Twitter?  If they fully roll this program out, they will encounter multiple people with the same name who all have verified accounts.  Maybe they use the URL on the profile page as the key.  If I see that the URL points to Sharon Corr's website and there is a Verified by Twitter logo, I can be certain that the person who has the website URL also owns the Twitter account.  Of course, that would confirm the relationship between the Twitter account and the website, not the actual person Sharon Corr.  This also assumes they know what I am looking for.  How do they know which Sharon Corr I want?

I looked up Taylor Swift for fun.  Her account is Verified by Twitter.  Her ID is @taylorswift13.  There is also a @taylorswift13x.  If you look at the two accounts, they are very similar.

Taylor Swift’s real account (I think)

The website doesn't help, because the URL points to itself.  We know Taylor Swift is popular, so if you look at the follower count and combine that with the tweets and news articles you can conclude this is her account ... maybe.

A fake Taylor Swift account (I think)

This is probably the fake one because of the follower count.  But then again, maybe this person's name is Taylor Swift and maybe this is the person I am looking for, not the popular one.  I am very confused now, and Twitter said in their statement above that they were going "To prevent identity confusion".  In order to do that, you actually have to know what identity I want to find; you can't just guess.  But that is what they are doing: 'guessing' what I want based on popularity.  I think Verified by Twitter is just security theater.  The verified account doesn't help.  Verifying someone is a complex problem, and putting a logo on a page just doesn't cut it.

Maybe the logo should really be a "Twitter verifies this to be the popular person you might be looking for" logo?
