Self-driving buses are coming to San Ramon, California. The EZ10 is a driverless bus designed for short hops within a campus-like environment. Each vehicle carries up to ten passengers and has a ramp for wheelchairs and strollers. They are designed to carry you that “last mile” from a public transit stop to your workplace or appointment, and then back to the public transit connection when you are done.

The EZ10 is an electric vehicle with an eight-hour range that uses GPS to follow a pre-programmed route, with laser sensors to avoid obstacles and people.

Made by Ligier, the EZ10 is already in use in Finland and France, and soon to be used also in Spain. By the end of 2015, The Netherlands plans to use them on a seven-kilometer route between a major train station and the campus of Wageningen University and Research Center.

Probably one of the best features of the EZ10 is that it is another step in making the general public comfortable around driverless vehicles.

Some of us are old enough to remember the introduction of driverless rail-based public transit and the fear, uncertainty, and doubt that it caused. The first such system was the Victoria line as part of London’s Underground which opened in 1967. At this point, trains like Copenhagen’s Metro are capable of operating completely automatically, including door closing, obstacle detection and handling emergency situations. Copenhagen’s Metro carries about 55 million passenger trips per year.

Ligier Automobiles was founded in 1968 by Guy Ligier, a former racing driver and rugby player. It has specialized in small cars (microcars). One of the world’s first prototypes of automatic parallel parking was developed on a Ligier electric car in the mid 1990’s. As the name implies, microcars are small, seating only a driver and passenger, with a small gasoline engine or electric motor. Different countries have different rules on what is defined to be a microcar, but often they can be no more than 3 meters in length. In addition to the obvious fuel efficiency of such a light vehicle, in some countries they are treated like motorcycles for tax and insurance purposes. Austria, France, Germany, Italy and Spain do not require a driver’s license to operate them. Some microcars do not have a reverse; simply pick up one end and shift it around to park.

The last word:

If you would like to take a small step into driving automation on your own, consider getting a Kirobo Mini. Designed by Toyota, the cup-holder sized Kirobo Mini is a four-inch tall robot that can gesture, read your mood, and talk to you while you drive. Actually, you can’t get one just yet, but Toyota may install them in future Toyota vehicles to help keep you alert and calm. It could also collect information about driving habits that Toyota engineers could potentially use to build better features into their cars.

The original Kirobo was a slightly more than foot-tall robot that went to space in 2013 with Japanese astronaut Koichi Wakata. Kirobo was designed to remember Wakata’s face so it could recognize and have conversations with the astronaut on the International Space Station and even relay information to him from Earth.

The Kirobo Mini might even be useful to help us keep alert during those interminable virtual meetings we all have to sit through.

Comments solicited.

Keep your sense of humor.


If your IT security folk tell you they need to strengthen your network perimeter, they are probably right. If they tell you that is all they need to do, they are probably wrong. Far too many companies are being hacked because someone stole valid credentials from an employee or a partner’s employee. As I mentioned earlier, in 2011 Lockheed Martin suffered a serious data breach of confidential defense and proprietary information because Chinese government hackers were able to steal credentials from an employee of a partner’s parent company.

Your own employees and contractors are also a security risk. After all, you have given many of them access to your sensitive information, including information protected by laws and regulations. As you move more to the Cloud and BYOD (bring your own devices), you have wittingly or unwittingly opened your network to devices and locations you cannot monitor or control. Either by intent (e.g., Edward Snowden) or by accident, these employees or contractors could suddenly expose your information.

You can’t tell whether the credentials are used by the person you gave them to, or are being used by someone who has stolen them. In any case, if they are doing something strange, you better find out about it quickly.

The bottom line: securing content with access controls alone is not sufficient in the current threat environment.

Microsoft SharePoint is a web application platform in the Microsoft Office suite that combines content management, document management, business intelligence, workflow management and an enterprise application store across local, wide-area, and Internet-based networks. SharePoint is used by many mid-sized companies and large departments within larger companies. As of 2013, 80% of Fortune 500 companies use it, and Microsoft was adding 20,000 users every day.

If you use SharePoint either in the Cloud or just within your own datacenter, you should look at Metalogix ControlPoint. Announced on November 2, 2015, ControlPoint 7.0 adds real-time situational awareness into suspicious SharePoint user activity. ControlPoint 7.0 introduces a learning detection engine that analyzes user behavior for suspicious activity, and automatically takes action when it finds suspicious activity patterns.

Consider an employee who works primarily from the office and sometimes from home largely during normal business hours, and who looks at about a dozen sensitive documents on an average day. You might like to know if it appears like that employee is downloading hundreds of documents at 2:30 in the morning from what looks like a Chinese IP address. Actually, any of the attributes of that access are suspicious. This is the kind of activity that ControlPoint 7.0 is looking for.
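An added illustration of the kind of per-user baseline check this paragraph describes (not ControlPoint's code or algorithm, which the page does not show): it learns each user's usual hours, source networks and daily document volume from constructed history, then reports which attributes of a new batch of accesses deviate. The log fields, labels and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Access:
    user: str
    when: datetime
    src_net: str   # assumed coarse source label, e.g. "office", "home"
    doc_id: str


class Baseline:
    """Per-user profile learned from a window of past document accesses."""

    def __init__(self, history):
        self.hours = defaultdict(set)   # hours of day each user has been active
        self.nets = defaultdict(set)    # source networks each user has used
        per_day = defaultdict(lambda: defaultdict(set))
        for a in history:
            self.hours[a.user].add(a.when.hour)
            self.nets[a.user].add(a.src_net)
            per_day[a.user][a.when.date()].add(a.doc_id)
        # Mean and spread of distinct documents opened per day.
        self.volume = {}
        for user, days in per_day.items():
            counts = [len(docs) for docs in days.values()]
            self.volume[user] = (mean(counts), pstdev(counts))

    def reasons(self, user, batch):
        """Return which attributes of `batch` deviate from the user's profile."""
        if user not in self.volume:
            return ["no-baseline"]      # still learning: nothing to compare with
        found = []
        if any(a.when.hour not in self.hours[user] for a in batch):
            found.append("unusual-hour")
        if any(a.src_net not in self.nets[user] for a in batch):
            found.append("new-source")
        avg, spread = self.volume[user]
        # Assumed threshold: three standard deviations, but never less than
        # twice the daily average, so a very steady user does not alert on
        # one extra document.
        limit = max(avg + 3 * spread, 2 * avg)
        if len({a.doc_id for a in batch}) > limit:
            found.append("volume")
        return found


def constructed_history(user="alice", days=20):
    """Constructed sample: 10-14 documents a day, 09:00-17:59, office or home."""
    start = datetime(2015, 10, 5)
    events = []
    for day in range(days):
        net = "home" if day % 5 == 4 else "office"
        for i in range(10 + day % 5):
            when = start + timedelta(days=day, hours=9 + i % 9)
            events.append(Access(user, when, net, f"doc-{(day * 3 + i) % 40}"))
    return events


def constructed_batch(user, start, src_net, count):
    """Constructed sample: `count` distinct documents, five seconds apart."""
    return [
        Access(user, start + timedelta(seconds=5 * i), src_net, f"bulk-{i}")
        for i in range(count)
    ]


if __name__ == "__main__":
    profile = Baseline(constructed_history())
    night = constructed_batch("alice", datetime(2015, 11, 2, 2, 30), "unlisted-net", 300)
    day = constructed_batch("alice", datetime(2015, 11, 2, 10, 0), "office", 12)
    print("02:30 bulk download:", profile.reasons("alice", night))
    print("normal working day: ", profile.reasons("alice", day))
```

Each deviation is reported separately, matching the observation above that any one of the attributes is suspicious on its own; users with no history get `no-baseline`, which is the learning-period gap a real deployment has to cover some other way.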

ControlPoint 7.0 features and benefits:

  • Mitigates the risk of data loss due to unauthorized access to content, whether by an employee, contractor, or through the use of stolen credentials.
  • Provides audit trails of content access.
  • Provides details of content growth and user activity.
  • Provides automation of governance policies.
  • Minimizes security breaches.
  • Meets compliance requirements for access control.
  • Anticipates future IT needs for growth.
  • Eliminates human error with policy driven security across SharePoint farms.

Right out of the box, ControlPoint 7.0 will provide significant security benefits. It will probably take two or three months to learn the behavior of your users; the sooner you start the lower your risk.

Metalogix is a Washington DC-based software company founded in 2001. Metalogix provides a unified platform to manage the entire lifecycle of SharePoint users and their collaboration content centered around optimization, security and management. In 2013, it acquired Axceler’s SharePoint business including ControlPoint for SharePoint. Metalogix continues to put significant resources into enhancing and supporting ControlPoint; ControlPoint 7.0 follows the release of 6.0 just seven months earlier.

The last word:

The Cloud has moved on to the hybrid cloud. Get the latest insights on how to use it from top leaders (like me) in the industry.

Comments solicited.

Keep your sense of humor.


I recently posted a series on driverless vehicles, including long haul trucks, farm vehicles, and taxis. Is anything happening in the field? The short answer is a resounding “yes.”

I mentioned the Freightliner “Inspiration Truck” in my earlier post. Freightliner Trucks is headquartered in South Carolina and is the largest division of Daimler Trucks North America. But they are not alone in developing autonomous long-haul trucks. In Europe, a standard Mercedes-Benz Actros with their intelligent “Highway Pilot” system travelled about nine miles on the Bundesautobahn 8 motorway in southern Germany. Like the Freightliner autonomous truck, there was a human driver behind the wheel, but he did not touch the wheel or other controls.

Autonomous car development is moving forward at an ever-increasing pace. Right now, there are dozens of companies working hard on achieving a real driverless car. Here is a brief look at current trends at a few of them.

  • Google is probably in the lead, with a goal to not build cars but to provide the software necessary for others to manufacture the production vehicles.
  • QNX is a Canadian software company specializing in on-board systems to provide infotainment, movies, music, and control your car. Probably more than anyone else today, they understand the requirement that the software system cannot crash, because if it does, so does the car.
  • Delphi is known as one of the world’s largest parts suppliers, which realizes that car components, including smart car control and software solutions, must be cost effective. Delphi is working on ways to reduce the complexity, cost and weight of these systems.
  • Cisco Systems is known for its network products, and is working with Continental Automotive on producing the security software and message routing hardware that are required to deliver connected autonomous car services.
  • Continental Automotive is a large European parts supplier similar to Delphi in the US. It announced in 2013 that automated driving is the core of its long-term business strategy, and is working on connecting cars to provide better real-time traffic and navigation, entertainment features, and hazard warnings.
  • Covisint is a Detroit-based company that is developing a secure communication and collaboration system to enable autonomous cars to communicate with traffic lights, emergency vehicles and other external factors.
  • Cohda Wireless designs hardware and software that will allow vehicles to form ad hoc networks while on the road. Cars and trucks within those networks will be able to share critical information including their speed, direction, and whether they are braking or accelerating. The result could be a larger Cloud-based intelligence that will allow each vehicle to see danger around a corner and what is ahead of that big truck they are following.
  • Autotalks is an Israeli company in the same space as Cohda. It has produced the world’s first automotive-grade chipset ready for mass production. This technology analyzes the data transmitted by the on-board systems in nearby vehicles to, initially, warn drivers of any imminent danger and communicate with external transportation infrastructure such as traffic lights. Eventually this becomes part of the roadway control infrastructure.
  • Mobileye is another Israeli company that provides inexpensive monitoring technology that uses a single camera to warn cars of dangers such as pedestrians, leaving your lane, or a forward collision, plus provides intelligent high-beam lights, recognizes traffic signs including speed limits, and adaptive cruise control.
  • Nvidia is a California chip manufacturer that has specialized in game controllers. Their experience in crunching real-time images and spatial data makes their chips ideal in driverless car systems. One of their biggest aims is to make car systems upgradeable.

Most current cars and trucks contain computer systems that were designed at least two years before the vehicle goes into production; driverless technology has moved on in that time. Today, an “upgrade” requires a trip to the dealer. This is unacceptable when a safety upgrade needs to be done “NOW!”

None of these companies actually build cars. Car manufacturers will take all of these technologies working together to get to the goal of safe driverless vehicles. I would bet it will all happen sooner than the experts expect.

The last word:

The future driverless vehicles are dependent on the cloud. As these companies have proven, we either have or are close to the connectivity we need. My biggest concern is security. So far, car control systems are extremely vulnerable to attack, as was recently proven on a Jeep.

I am looking forward to self-driving rental cars: no more getting off a long cramped airplane flight in a strange city trying to figure out how to get to your destination.

With the near-universal adoption of autonomous vehicles, bars will be happy. MADD should be happy and may be able to disband in a few decades.

Comments solicited.

Keep your sense of humor.


Fun with Statistics

I like statistics. When properly used, they can tell you what has actually happened in the past. Statistics can provide valuable information to help you run your company or for the government to run the country. Statistics can tell you how closely two sets of data are related, their correlation. You might notice, for example, that since you introduced pastel colored widgets, your sales to teenage girls have significantly increased. You might jump to the conclusion that teenage girls prefer pastel colored widgets, and you might be right. On the other hand, the increase in sales to teenage girls could be due to your increased marketing of widgets in women-only high schools and colleges.

When statistics tell you that two quantities vary together, most people will believe that they are related in some way. You should always beware of jumping to conclusions. Correlation does not equal causation. Here are three very high correlation examples from Tyler Vigen’s book Spurious Correlations. I suspect there really is no relationship between the two quantities in each case.

Even if there is an actual cause and effect relationship, it may not be in the direction you think.

Your company collects more and more data about its operation, products and customers. Additionally, thousands of data sets are available from public and private sources about behavior, health, poverty rates, driving accidents and just about anything you can think of. Given enough processor power, you can search for correlations among these data sets. Sometimes these “strange” correlations can prove valuable. A dozen years ago, an almost random check of the correlation between auto accidents involving personal injury or death across the counties of one state had a very high correlation with the number of people over 55 who were taking a specific medicine. The resulting investigation by the pharmacy company that manufactured the drug led to increased warnings to doctors and patients about a previously unsuspected age-dependent side effect.

When someone brings you one of these correlations, pay attention, but apply reason. Correlation is not causality.

The last word:

President Obama and many other politicians on the left want to make it illegal for law abiding citizens to own a gun. In their view, only the government should have any weapons. They want to eliminate the Second Amendment to the US Constitution. The primary reason the first session of the US Congress included that amendment in the Bill of Rights was the recent experience with their prior government. The British Government severely limited gun possession in towns and cities; they could not police the rest of the colonies. They feared, rightly it turned out, that the colonists could use those weapons against the British government. The US Founding Fathers wanted to make sure that a future government could not take away citizens’ rights without the citizens having a last resort to deal with a run amok government.

President Obama will tell you that eliminating all legal guns is the solution to these tragic mass-shooting events. But we know that is a false argument. Almost every one of the mass shooting events in the past two decades has been in a “gun-free zone.” We have been steadily increasing the number of these zones, so it includes virtually every school, sporting event, shopping area, government facility, and even most portions of our military bases. We actually put signs up to indicate to potential terrorists of where they will have five to thirty minutes of unbothered time to kill as many unarmed victims as they can.

Consider the recent Oregon tragedy. Chris Mintz is a student at Umpqua Community College. As a decorated Army veteran, he tried to stop the gunman before he entered the classroom where the gunman killed nine students. Mr. Mintz was shot seven times for his bravery. If Mr. Mintz had a weapon with him, the results could have been vastly different.

Oregon state law actually requires that colleges allow guns on campus in some circumstances. At a minimum, a college must allow a visitor with a carry permit to bring a gun on campus, but not necessarily a student. Until police arrived, the gunman was the only person with a weapon on the campus.

Gun control laws do not keep guns out of the hands of criminals and terrorists; they only keep them out of the hands of law-abiding citizens. Chicago, with restrictive gun control laws, had over 400 murders in 2014. That is the equivalent of an Umpqua Community College event every 8 days.

We are painting a target on the back of our children.

Comments solicited.

Keep your sense of humor.


Cybersecurity experts will tell you there are two kinds of organizations: those that have been hit by cybercriminals, and those who do not know they have been hit. This is not a joke. Cyberattacks will continue to grow in volume and sophistication. Anyone or anything that is connected to the Internet is vulnerable. When your customers’ data is compromised, you are responsible. If your physical building is compromised or your IT infrastructure is destroyed, your company may be out of business. No masked man on a white horse nor the Seventh Cavalry will come riding over the ridge to save you.

Why can’t the government do something about this? One would expect that the natural reaction of governments to national security, financial and privacy attacks would be to militarize cyberspace and police the Internet with centralized bureaucracies and secret agencies to protect us and themselves.

That won’t work, and we unfortunately have an example of this: the War on Terror. The United States government vowed in 2001 to destroy the responsible terrorist organization, long before it had a clue what the enemy really was. Other powerful nations have joined the fight. Where are we after more than a dozen years? We have proven that the most powerful military force in the world can clear out terrorists from a specific physical area at unreasonable cost in dollars and lives, only to have the terrorists return as soon as the US forces leave. But they cannot stop an attack in Europe, the Middle East, or the US.

The bottom line: governments have demonstrated that they cannot win the War on Terror. They cannot even define “winning.”

If the US, or UN, tried to apply the same logic to the Internet, they would of necessity fail, but as Keren Elazari’s TED talk and Scientific American article demonstrate, just trying could actually make things worse.

One of the problems with the War on Terror is that there is no single entity that controls “the other side.” There is no geographic definition of a “front line.” The terrorist organizations keep morphing, recombining and dividing, with new ones appearing in the news with disturbing frequency.

Wait, that sounds like the Internet. The Internet is not like a public highway, or even international waters or a wilderness area. It is not even a collection of territories that governments could control, or even locate. Most of the physical components of the Internet are owned and operated by hundreds of multinational for-profit companies. The number of components is growing at an incredible rate. Cisco Systems forecasts that by 2020 over 50,000,000,000 devices will be connected to the Internet. Every one of those devices is a target, and many of these are part of industry, military, and utility operations. The more devices that are interconnected, the more ways there are to gain access. For example, in 2011 an employee at RSA’s parent company EMC opened an innocuous-looking Excel file in an email. The resulting malware compromised RSA systems, enabling hackers to steal Lockheed Martin’s security tokens, thus giving access to the defense contractor’s data including highly sensitive product information. The hackers were part of the Chinese government. RSA has been in the encryption business since 1982, and was acquired by EMC Corporation in 2006. Since 1979, EMC has been a global leader in IT and business transformation. Both of these companies take security very seriously, yet still had a serious breach that impacted one of their customers and sensitive national security data.

Which brings up another reason why governments can’t fix the problem: they are conflicted on whether they should. Organizations like the Department of Homeland Security have a real interest in protecting US companies and individuals from cyber attacks. That part of the government recognizes the serious national threat: a successful attack against the electric grid or the financial infrastructure could be more disastrous than Pearl Harbor and the 9/11 attacks combined. No one on the attacking side even needs to be in the US.

However, other components of the US government, like the National Security Administration and certain other defense organizations, have a vested interest in using the Internet as a weapon, and invest millions of dollars in finding, managing, and perhaps creating flaws that they could use. Remember Stuxnet, a deliberate and successful physical attack against Iran’s nuclear weapon program done entirely with malware? That was a government attack, probably with US assistance if not direction. Governments, including the US government, participate in the worldwide hacker market, buying and selling information about security flaws. Edward Snowden believes the NSA spends more money on offensive cyber research than on defensive cyber research.

To further complicate the problem, new vulnerabilities are introduced every day. Intense market pressures push technology companies to produce new products and new features at an increasing rate. As these products become more intertwined and interdependent, the probability of introducing flaws increases. “Time to market” pressures reduce the testing that companies feel they can afford to do. As one company executive told me, “that’s what beta testers are for.”

Cybersecurity is like public health. The Centers for Disease Control and Prevention have a very important role to play, but they cannot stop the spread of disease by themselves.

Who can help? According to Ms. Elazari, hackers can help and have been helping. Back in 1995, Netscape Communications created a bug bounty program. It paid independent researchers to report security vulnerabilities. If you are trying to remember why “Netscape” sounds familiar, it was the name of the web browser introduced in 1994 that was giving Microsoft’s Internet Explorer a real run for market share.

Largely spurred by significant leaks like those of Edward Snowden, the technology industry and the hacking community are actively working together. Hundreds of companies now have similar bug bounty programs, and are finding it to be a cost-effective way to reduce security vulnerabilities. In addition, private and public communities of security professionals now share information about malware, threats and vulnerabilities. The goal is to create a distributed immune system for the Internet.

What should you do?

  • Expect things to get worse over the next few years, with more targeted attacks, more breaches, and attacks that do physical damage initiated by other governments or terrorist groups.
  • Demand that companies make the software and hardware products your company depends on more secure. Yes, hardware products, too. There is more processing power in the average new car than in a multi-million dollar computer 20 years ago. As recently demonstrated, most if not all of these systems are vulnerable to cyber attack with the possibility of injury or death to the vehicle occupants and others nearby. I suspect a cyberterrorist attack that took over 100 cars scattered on LA freeways in rush hour would be interesting.
  • Demand that the penalties for failing to report a data breach involving personal or proprietary data are increased substantially, with jail time for executives who fail to consistently use best practices to secure that data.
  • Protect yourself and your company. Wash your hands and get vaccinated. If you don’t take care of yourself, you cannot expect anyone else to be able to help.

The last word:

My wife and I met Jim Murray and his wife on a dance floor in Valparaiso, Chile, in 2008. Since then we have managed to get together on a dance floor somewhere about once a year. Jim Murray writes a blog about the intersection of murder and medicine, which I have referenced before. He has just published Lethal Medicine, a thrilling tale of international intrigue, murder and deceit. The hero, Jon Masters, is a well-established pharmacist in San Antonio with a growing statewide company that provides medicinal injection services for people in their homes as they recover from illness or injury, or are under hospice care. When he discovers that the investigational drug study he is managing is a cleverly disguised scam, he finds himself in trouble with both local and federal authorities. One step ahead of the law, he races to Mexico and China to uncover the international conspiracy that threatens to destroy his business, his reputation, and his life.

Early on, Jim told us a scary story about one rainy night when he worked as the midnight shift pharmacist in a mid-city pharmacy. That story is now a short story “Cuffed” which is available in a collection of short stories Unforeseeable Consequences. The collection includes another story by Jim and a story Jim edited from each of five other authors.

I recommend both books, and they are available in Kindle editions on Amazon at the links with each book title above.

Comments solicited.

Keep your sense of humor.


We live in a transparent world; it is almost impossible to keep secrets. Last time I wrote about The Half-Life of Secrets, and I defined a secret as something that if revealed to the wrong entity could cause harm. The secret could be in a document, or could have been something you did or did not do. The “entity” could be a specific individual (e.g., spouse), a group of people (e.g., your customers), a competitor, an organization that provides services (e.g., your insurance company or health care provider), or a government organization.

The Cloud is the primary enabler of the severe reduction in the half-life of your company’s secrets. If you put your business process applications in the Cloud, then your employees, contractors, partners and maybe your customers can access the critical data they need to do their job or buy your products or services from anywhere at anytime.

Unfortunately, that same information is potentially available to cyber-criminals.

You can reach potential customers via Facebook, Twitter, LinkedIn, text messages, email, or a dozen other social media mechanisms. You can target a specific customer, a class of customers, or reach out to a tailored set of prospects. It all happens “now!” and at a small fraction of the cost of doing it via putting a physical letter in a mailbox.

Years ago I had a secretary. Don’t yell; that is what they were called back then. If I needed to send a letter to a customer, I could dictate it to her (and it was always a “her”). In an hour or so I would have a letter for my review and signature. Frequently, she had made changes to my letter, and almost always these changes made it better. More importantly, the process provided a time cushion for me when I reread the letter. For reasons of cost and time, very few people have that option anymore. We just type the email or text message or tweet and ship it. How many messages have you received that contained inappropriate information (i.e., secrets), an inappropriate tone or went to the wrong people (often the “reply all” mistake)? Every such message, once you throw it out there, can be forwarded to anyone anywhere. With a great marketing message, these forwards provide a positive multiplier effect along with an implied recommendation. If the message exposes a secret, it just magnifies the problem.

Just like Las Vegas, what happens in the Cloud, stays in the Cloud. Forever. But, unlike Las Vegas, it remains vulnerable to attack.

In his 2004 book In the Blink of an Eye Andrew Parker describes how about 543 million years ago, the chemistry of Earth’s shallow oceans and the atmosphere suddenly changed to become more transparent. Parker’s theory is that this increased transparency led to the Cambrian explosion, a relatively short (20-25 million years) evolutionary event that produced major diversification in life including most of today’s major animal phyla. Increased transparency led to eyes to see prey or predator, which led to new means of locomotion to chase or escape, claws, jaws, shells and other defensive and offensive body parts. Those species that did not evolve fast enough went extinct.

In a Scientific American article and TED talk, Daniel Dennett and Deb Roy talk about how companies must adapt to today’s new transparency, or go extinct. By analogy, organizations must adapt their external body parts to not only take advantage of the new transparency (e.g., Facebook, Twitter, text messages), but also must create defensive capabilities. A successful organization must create information-handling organs of control and self-preservation as integral parts of its public relations, marketing, and legal departments.

These defensive organs cannot behave like they did ten years ago, or maybe the way they still do today. Your company must join the conversation on your detractors’ terms. You have to respond intelligently, honestly, and in a conversational way. You can’t deny, obfuscate, or preach. The whiff of a secret, and the carnivores will swarm until they dig it out, make it up, embellish it, and sell their story, not yours. In particular, you cannot let your legal department delay your response by weeks or months while approving a communication strategy, nor can your marketing or PR department spend days or weeks trying to figure out how to respond. You need to respond today.

Thus a significant part of your defensive evolution must be proactive: you have to do everything you can to prevent secrets from escaping in the first place.

  • Protect your company data not only in the Cloud but also within your own datacenter. Mostly that means keeping careful track of who should be allowed to access specific types of data, updating each person’s access right every time their role changes, and periodically auditing to ensure that the process works as required.
  • Take advantage of any security options that your Cloud Service Provider(s) can offer you. It is far less expensive and usually more effective to rely on them than your own IT department. As part of that, make sure your contract with any CSP includes what they must do to completely remove old archives according to your documentation life-cycle requirements, and audit that process at least annually.
  • Write, update frequently and publish your security policy. This policy should cover everybody with physical access to your datacenter(s) and everybody who has electronic access to your data. It must cover your own computer equipment and your employee, contractor and partner equipment including personal devices. Everyone with non-public access to your data should be required to review your security policy, pass a test, and certify that they reviewed it at least annually.
  • Define who is permitted to “be the voice” of your company through any and all mechanisms. These are the people who can participate in external conversations. Ideally, there should be someone reviewing everything that goes out. This doesn’t have to be a long process, just make sure someone else is looking over the “voice’s” shoulder with the authority to say, “Hold on one minute.” You probably already have such a process for discussions with the press.
  • Set guidelines for different types of situations ranging from annoying to disastrous. You will have to define these terms based on your company’s situation, but it might range from an unhappy customer who posted a bad review to a partner leaking that your next major product is facing a significant delay due to a technical glitch. For each type, decide the ideal response time, who has to approve any message, and what documentation should be kept so the event can be reviewed.
  • Often, one situation will change its severity over a short period of time. You will not get it right every time, so give the “voice” people the authority to raise their hand to get help. When things go wrong, the first response should not be to fire the “voice,” but to get the message back on track and learn from the situation.

Don’t count on the government for help – they are fairly helpless themselves, and react far too slowly. Country laws are also way behind the times, not able to even keep up with phone technologies. Even further behind is the ability of a government to prosecute anyone, TV shows like CSI: Cyber aside.

Just like during the Cambrian explosion, it is a jungle out there. Make sure your company survives.

The last word:

NextGen Cloud recently named my blog as one of the 50 Top Cloud Computing Bloggers for IT Integrators. My thanks go to NextGen Cloud, and many thanks to all of my followers and readers.

Comments solicited.

Keep your sense of humor.


A “Half-Life” is the amount of time required for the amount of something to decline to half its initial value. Those of us of a certain age remember that from the discussions of how long the fallout from a nuclear explosion would be dangerous, and the rest of you get periodic reminders of that from events like Fukushima. When we were in Norway this summer, there were radioactive reindeer; seems they were eating moss still radioactive from clouds that had drifted over from the 1986 Chernobyl accident.

Secrets have half-lives also: how long does it take for half of your secrets to become known to others? Countries have millions of secrets, companies thousands of secrets, and people maybe dozens of secrets. Each secret represents a fact that if revealed to the wrong entity could cause harm. Countries “classify” documents or even individual facts, and establish large organizations and complex processes to protect those secrets. Countries usually also have large organizations whose sole purpose is to steal the secrets of others. Companies have trade secrets, often about exactly how their products or services are created or delivered, but also about their internal financial processes and contracts with partners and customers. People have secrets about things they have done, or didn’t do, that they would rather their spouse, employer, doctor, or tax collector never found out.

Patents are not secrets. Patents are published by the patent office of one or more countries and are freely accessible. International law protects, to some extent, the owner of the patent. In order for the patent owner to reap the financial benefits of the patent, the patent must be shared.

Secrets also have time limits. The foreign travel plans of high-ranking government officials are often classified to enhance the safety of the individual but often so as not to reveal where or why the individual is traveling. Consider the case of National Security Advisor Henry Kissinger’s visit to Beijing in 1972. These kinds of secrets are only secrets for a specific period of time, often measured in days or weeks.

But many secrets need to be kept secret for years or decades. One such trade secret is the formula for Lena Blackburne’s Rubbing Mud that is used to fix the feel of baseballs for major league play. That formula, and the location of the mud hole, has remained a secret for over 75 years.

The half-life of secrets used to be measured in decades. A person could designate that their boxes of papers would not be opened until their death or longer. That worked for Mark Twain and his autobiography, which was not published until 100 years after his death. That did not work for Harper Lee. She kept her first novel locked up saying she did not want it published. Go Set a Watchman was published this year while she is still alive.

With today’s cybercriminals, including government- and organization-sponsored cyberterrorism, the half-life for secrets on computer networks is measured in months.

Almost always, secrets must be shared. Lena Blackburne is not the only person making that NBA Rubbing Mud, especially since he died in 1968. Every trade secret is shared with those in the company that need to know the secret in order to actually build the product. The trick to keeping a secret is to minimize those who know the secret and pay attention to each of those people.

One of the biggest dangers to a secret is sharing-creep, the phenomenon that occurs when you add just one more person to the “need to know” list, or someone who knows tells someone else. At the highest levels of government classified documents, security agencies try to keep track of every individual who has the right to know the secret and the places where the secret is stored at all times. This is why, for example, one of the Department of Homeland Security’s jobs is to know where every computer system containing government classified information is physically located, determine what secrets are on the system, and check that the system is protected by appropriate physical and network security mechanisms, and that everybody who has access to that system is also cleared for the information on the system. Companies with critical trade secrets have similar processes. One of the key activities for a government or commercial organization after an identified data breach is to determine exactly what information was compromised.

A related issue for secret loss is the velocity of the loss. In 1750, a secret could not move more than about 20 miles in a day – the speed a man or a horse could walk. If you discovered that a secret was stolen, you could often literally run down the culprit in a day or two, and severely limit the damage. With the Internet and the Cloud, it takes your secret less than a second to get anywhere in the world, and to dozens or millions of individuals. A single misdirected email or text message, or a single disgruntled employee or contractor (e.g., Edward Snowden) or employee or contractor not following your security policy (e.g., Hillary Clinton) can put a significant number of secrets at great risk.

Figure out what your company’s critical secrets are, and pay attention to whom those secrets have been shared with. Remember that any meeting, whether in a conference room or virtual, that has a smart phone or tablet present is a potential leak. You cannot tell what is being recorded and what will be done with the recording.

The same is true in your personal life. Any stupid thing you do can be on YouTube in seconds, and the more stupid the more likely. Of course, the same is true if you do something great, like the passengers who subdued the Islamist terrorist on the train in Belgium. Video of the attack was on YouTube before it appeared on breaking news announcements.

The last word:

The biggest example of sharing-creep is your Social Security Number. Originally implemented in 1935 as part of the New Deal, it was solely used to track individuals’ accounts with the Social Security Program. In the original law it was illegal to use the SSN for any other purpose. In the late 1970’s, Virginia was using your SSN as your Driver’s License number, and that use was struck down as illegal in Federal Court.

In addition, the IRS was prevented from sharing information with other agencies. Decades ago I worked with someone whose father was a Bookie (i.e., worked in the numbers game for organized crime). He always indicated on his Federal Income Tax form that his occupation was Bookie, and reported every cent he illegally earned. He did not want to get in trouble with the IRS over his taxes, and knew that the IRS could not pass that information on to law enforcement at any level.

But now, thousands of individuals have access to your SSN; it is your key identifier for almost all financial relationships, and, thanks to Obama Care, all health care related activities. The United States uses the Social Security Number as the identification number for every member of the Armed Forces. All of this information is stored on the Internet, with varying degrees of vulnerability.

Comments solicited.

Keep your sense of humor.


