Category: Tools

  • Daisy (chain) cutters needed

Brian Honan (@brianhonan on Twitter) has been keeping me (and the omniverse) updated via Twitter about the trials and tribulations of Wired.com columnist Matt Honan, who was the subject of a Social Engineering attack on his Amazon, Apple, Gmail, and ultimately Twitter accounts which resulted in every photograph he had of his young daughter being deleted, along with a whole host of other problems.

    Matt writes about his experience in Wired.com today.

    Apart from the salutary lesson about Cloud-based back-up services (putting your eggs in their basket leaves you at the mercy of their ability to recover your data if something goes wrong), Matt’s story also raises some key points about Information Quality and Data Governance and the need to consider Privacy as a Quality Characteristic of data.

Part of the success of the attack on Matt’s accounts hinged on the use of his Credit Card number for identity verification:

    …the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

So Amazon views the last four digits as useful to the customer (a quality consideration) for telling apart the different cards on their account, and so exposes them. But Apple considers that same short string of data to be sufficient to validate a person’s identity.

This is a good example of what I call “Purpose Shift” in Information Use. Amazon uses the credit card for processing payments, and needs to provide information to customers to help them select the right card. However, in Apple-land, the same string of data (the credit card number) is used both as a means of payment (for iTunes, iCloud etc.) and for verifying your identity when you ring Apple Customer Support.

This shift in purpose changes the sensitivity of the data and undermines either

• The quality of its display in Amazon (it creates a security risk for other purposes) or
• The reliability of its use by Apple as an identifier (there is no guarantee it has not been swiped, cloned, stolen, or socially engineered from Amazon)

    Of course, the same is true of the age old “Security Questions”, which a colleague of mine increasingly calls INsecurity questions.

    • Where were you born?
    • What was your first pet’s name?
    • Who was your favourite teacher?
    • What is your favourite book?
    • What is your favourite sport?
    • Last four digits of your contact phone number?

    In the past there would have been a reasonable degree of effort required to gather this kind of information about a person. But with the advent of social media it becomes easier to develop profiles of people and gather key facts about them from their interactions on Facebook, Twitter, etc. The very facts that were “secure” because only the person or their close friends would know it (reducing the risk of unauthorised disclosure) are now widely broadcast – often to the same audience, but increasingly in a manner less like quiet whispers in confidence and more like shouting across a crowded room.

[update: Brian Honan has a great presentation where he shows how (with permission) he managed to steal someone’s identity. The same sources he went to would provide the data to answer or guess “security” questions even if you didn’t want to steal the identity. http://www.slideshare.net/brianhonan/knowing-me-knowing-you]

The use and nature of the data have changed (which Tom Redman highlights in Data Driven as being one of the Special Characteristics of Information as an Asset). Therefore the quality of that data for the purpose of being secure is not what it once may have been. Social media and social networking have enabled us to connect with friends and acquaintances and random cat photographers in new and compelling ways, but we risk people putting pieces of our identity together like Verbal Kint creating the myth of Keyser Söze in The Usual Suspects.

Building Keyser Söze

Big Data is the current hype cycle in data management because the volumes of data we have available to process are getting bigger, faster and more varied. And it is touted as being a potential panacea for all things. Add to that the fact that most of the tools are Open Source and it sounds like a silver bullet. But it is worth remembering that it is not just “the good guys” who take advantage of “Big Data”. The Bad Guys also have access to the same tools and (whether by fair means or foul) often have access to the same data. So while they might not be able to get the exact answer to your “favourite book”, they might be able to place you in a statistical population that likes “1984 by George Orwell” and make a guess.

    Yes, it appears that some processes may not have been followed correctly by Apple staff (according to Apple), but ‘defence in depth’ thinking applied to security checks would help provide controls and mitigation from process ‘variation’. Ultimately, during my entire time working with Call Centre staff (as an agent, Team Leader, Trainer, and ultimately as an Information Quality consultant) no staff member wanted to do a bad job… but they did want to do the quickest job (call centre metrics) or the ‘best job they thought they should be doing’ (poorly defined processes/poor training).

    Ultimately the nature of key data we use to describe ourselves is changing as services and platforms evolve, which means that, from a Privacy and Security perspective, the quality of that information and associated processes may no longer be “fit for purpose”.

    As Matt Honan says in his Wired.com article:

    I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.

    And that can result in poor quality outcomes for customers, and (in Matt’s case) the loss of the record of a year of his child’s life (which as a father myself would count as possibly the lowest quality outcome of all).

  • Stuff wot does work

Regular visitors to this blog will know that I always appreciate stuff wot does work. From the excellent OnlineMeetingRooms to a humble bluetooth keyboard, I am a fervent champion of kit that humbly bows its head and goes about doing what it sez on the tin in a competent and reliable manner.

I was faced this week with the god-awful challenge of upgrading the first of my wordpress installations. I f*cking hate wordpress because of the complexity of its upgrade (let’s be honest – it’s a full monty reinstall) process, so I usually hold off for as long as possible. 2.3 passed me by. 2.5 made me sit up and ponder that perhaps I should bite the bullet. The announcement of 2.5.1 made me realise that soon I’d be spurned by the masses for being a lazy barsteward who didn’t bother to update his install.

Also 2.5.x has some nice improvements in structure, layout and design of wordpress that I was hoping to try out (I am, they are nice).

But the pox-bottle dilemma of the upgrade had me frankly underwhelmed, as my WP install was not broke so there was no urgent need to fix it. So I was quite happy when I came across the appropriately titled “WordPress Automatic Upgrade”. This spiffy little plug-in takes a lot of the heavy lifting out of doing a wordpress upgrade.

It is not perfect but it allowed me to upgrade the DoBlog to 2.5.1 in a matter of moments with relative comfort that all was going well. Being a tad paranoid about these things I’d already taken my own backups of the DB and filesystem, but WAU did it automagically for me as well. All I needed to know was an FTP login and FTP path for my host (which, as I run the shebang meself, I do).

    Some minor hiccups with things not quite happening in the order the screen messages said they would but other than that a spiffy simple tool that did what it said on the tin.

    I’ll miss Ultimate Tag Warrior (specifically being able to select from existing tags) but look forward to using the improved tagging support promised in WordPress.

  • Good kit that just works.

    I’ve been playing around with e-Touch meeting room from Onlinemeetingrooms.com for the past while. To put it bluntly… this product does exactly what it says on the tin.

    • It is a meeting room
    • It is online
    • It just works

Recently an event I was involved in as a speaker had a problem. A speaker had a last-minute problem travelling to the event. In conference land this is usually a crisis situation. The conference organiser called on me to see if I could do a second presentation at the conference, but was concerned as the speaker who was to travel had been ‘ticked’ as one they wanted to see by a lot of delegates. I would very much be a ‘surrogate band’ and people might not welcome the change in running order (particularly if they’d paid mainly to see that presentation).

    Being a cheeky bugger I dropped a quick email to Joe Garde in Onlinemeetingrooms.com to see if he might be able to help. A few additional facts are important here. I emailed him around 18:30 on the Friday of a Bank Holiday weekend. The conference started on Monday in the UK. Monday was a Bank Holiday in Ireland (where Joe is based) and the speaker was due to present on Tuesday afternoon.

    This left a window of Monday to sort something out that we could be confident would work.

    Joe phoned me on Saturday morning and we discussed options (while I furiously texted the conference organiser in the UK to let him know what was happening). With Joe’s help a clear plan formed… we’d use the OnlineMeetingRoom system to video link the speaker into London from Dublin. Ideally we’d need a wired broadband connection, but Joe and I were confident we could make it work.

    Over to London with me… Monday afternoon we did a test (24hrs before the presentation). Over the hotel’s wifi network. No wired broadband available…

    Worked perfectly. No fuss or hassle, no installing equipment (I had a webcam in my bag and the roadies… sorry AV professionals took care of figuring out the hook-up to the PA). The roadies liked it so much they wanted to get in contact with Joe as they do a lot of conferences and seminars that it could add value to… I do hope they buy it.

    Fast forward to the day of the presentation… room full of people, nervous conference organiser and conference chairperson… me very calm and confident because I knew we were using good kit that just works.

    …Presenter comes on from Dublin, audio good, video good, presentation content good. Slide timings a little off because I was running the powerpoint in London to keep as much bandwidth for video and audio as possible and got distracted by how well things were going.

    …everyone happy. Kudos for everyone all round.

    Looking back, I could have done one or two presentational things better but the kit worked. That was the main thing.

    I work in Telco and I’ve seen a fair share of ‘cutting edge’ tools that just don’t cut the mustard when the shit is hitting the fan. My experience with the e-touch Online Meeting room has always been excellent. When the chips were down the tool just worked. And Joe helped out co-ordinating on the Dublin end to make sure that the presentation went as smoothly as possible, which on a Bank Holiday was support above and beyond the call of duty.

    It is so straightforward even my pointy-haired boss could use it…

    Now that’s good kit that just works.

  • Web2.0 Tools test

    I’m increasingly fond of the very powerful web2.0 tools that are available, including ThinkFree.com and suchlike.

    The attached document continues this post…
