Thursday, December 18, 2014

A Thing I lost control of....

The announcement of the UK prices for the BEBOP triggered in me a desire to acquire one, despite:
1) The UK price was higher than both Europe and US prices
2) My prior drone from them had flown off into the wide blue yonder, refusing to respond to any commands, never to be seen again.

This was the contents of the email I just sent them.

So despite my awful experience with my previous drone from you (Parrot Case n° 076016), I plucked up the courage to try you again.

I tried to order a Bebop using the "buy now" button you kindly emailed me.... yeah right!

So after much clicking I then figured out I could get it cheaper from the US, including the Import Duty.
So I clicked buy from Amazon US, when I thought: I wonder what the Customer Reviews are like?

And lo! A spate of "it flew straight up and out of sight" instances…

Funny! That's exactly what happened to my previous Parrot! ...and despite spending hours trying to persuade you to replace it I got nowhere.

I was quite surprised how quickly I had forgotten the pain.

Needless to say the negative reviews brought the pain back with a rush….

Happily I was just in time to cancel my order; needless to say I was much relieved.

So to close, my DJI Phantom 2 Video should arrive in time for Christmas and is also going to cost me less.


That was a mighty close shave!
A still frustrated Ex Parrot Owner, to mis-quote a famous parrot sketch

Mr. Praline: 'Ello, I wish to register a complaint…. I wish to complain about this parrot
….e's shuffled off 'is mortal coil, flew off into the sky and joined the bleedin' choir invisible!! THIS IS AN EX-PARROT!!
Owner: "We have a Bebop!?"


Owner: N-no, I guess not. (gets ashamed, looks at his feet)

Have a reasonably quiet Christmas, but please deal with the myriad of Lost or Damaged Bebop complaints better than you did my Parrot complaint. I will keep scanning for the class action, and instantly join it!

Adrian and Ex Parrot owner.

Remember folks it is important to be able to maintain control over your Things.
Anyone designing a Thing that either leaves them in control of it, or no-one in control of it, should feel the full weight of the law on their shoulders. Sadly, as with all things legal, the law has yet to catch up with the full implications of Cyber Agency, or the lack thereof!

Have a Great Christmas

And be careful about choosing your things....

I was lucky that Parrot had chosen to over-price their thing, as this caused me to see the US Amazon reviews on the Bebop!

Post Blog Note

I just received this email bounce back!

Thank you for contacting Parrot UK technical support.

In order to streamline our support process and improve the level of service we offer to our customers we are currently making changes to the way enquiries are handled; as such, this email address is no longer active. Please follow the link below to complete our new online support form and we will be in contact shortly.

Our opening hours are Monday – Thursday 9am – 5.30pm and Friday 9am – 4.30pm.

Sorry for any inconvenience, your enquiry is important to us and we look forward to hearing from you.

=====  !!!!!!!  =====   !!!!!
I suppose it's little wonder they have stopped folks emailing them!

Aside: I wonder when the news media is going to pick up on the idea of rogue drones with software flaws (think: "Mind of its own!") flying off out of control and creating mayhem....

Monday, December 08, 2014

Who owns the controls for YOUR Things?

The take-up and benefits of the Internet of Things are likely to be dramatically reduced if the great Consumer Control Grab continues. A growing and concerning trend, accelerated by the dramatic reduction in the cost of making everything "smart", has the makers of virtually everything from TVs to shoes thinking that if they add the Smarts, they naturally should be in control of the Thing in question.

The trend can only be recognised if one actually reads the Terms and Conditions of the increasingly smart things, and puts in place a very comprehensive and technically complex monitoring regime. The goal of this monitoring would be to establish the answer to the question: "Who is controlling my Things?"

But who has the time to do that?

Imagine that a Samsung employee, with his own key, let himself into your home and proceeded to alter the settings of your new television, deleting your favourite applications.

How would you feel?

Know that he is apparently totally within his rights to do this, albeit virtually, for you accepted the Terms and Conditions.

Though I still have not established what part of the Terms and Conditions gave Samsung the right to delete Google Maps from MY television?

What should we do to address this issue?

Wednesday, November 19, 2014

The best way to lose e-trust

All enterprises with Customers should take note: the emerging way to lose the e-trust of partners or clients is to openly or surreptitiously remove from them the control of their own data. The issue comes not only from using their data without their express wish, in a way that does or does not benefit them, but more importantly from removing their ability to control how it is collected and used. The usual Internet Giants have become masters of this malpractice, the best examples of which feel very spooky to those on the receiving end. However the media, and thus the public, are waking up to the issue. For a while there have been a few pathfinders who have been deliberately taking back control. (Usually by eschewing the free services on offer that gave organisations the ability to control their data, or by creating watermarked data.) One such pathfinder, Janet Vertesi, Professor of Sociology at Princeton University, recently realised that Google knew about her planned engagement to be married prior to any of her family or friends, and worse, were acting upon that knowledge to make money for Google. Importantly, it is not just the Internet giants that can fall foul of our natural desire to retain control over our own information.

Signs of this malpractice can be found in how your organisation:
    - gains access to data and identifies the data's owners
    - enables the owner to control current and future use of their data
    - uses the data in respect of those express wishes

The result of not appropriately managing the control owners have over their data can have a profound impact on your clients' and partners' e-trust in you and their future behaviours. These malpractices have been erroneously labelled the Privacy Problem by regulators and politicians. Worse, some EU politicians have gone down the path of legislating the "Right to be forgotten". In truth the problem is far simpler: it is a control problem, one that sociologists label as our natural desire and capacity for "agency".

How does your organisation stack up in the race to attain and maintain e-Trust in an increasingly Outside-In world?

Some Diagnostic Questions
Does your Company sell or acquire lists containing external data to or from outside organisations?
Warning: most such lists will contain toxic data. Are you clear on how you can filter out such toxic data?
E.g. a customer whose data was on such a list despite their express intent for it not to be used or re-used.
Personal example, I passed my contact details to a Jamie Oliver website having unchecked/checked all the do not share boxes. I gave an email address that uniquely identified the Jamie Oliver website. In less than a month the email address was being spammed. I no longer trust Jamie Oliver or his companies and no longer visit his restaurants.

Do you give your data owners direct control over their own data, and how you may use it?
Warning: this is not a trivial activity. Do not answer this question lightly. Sadly the Digital Fabric is not yet in place to give a clear affirmative to this question. But that's another topic!

Do you gather the express wishes of data owners?
When you acquire others' data, do you only use it having established and stored the express wishes of the owner as to how it may be used, now and in the future?
Do you give the owner a simple means of changing these wishes? That is, can the owners view and change your entitlement to use their data? And I don't just mean their email address!

Do you give data owners the ability to classify their data?
By establishing from the data owner the regard in which they hold their data, you can decide more effectively how you wish to protect it and even if you want to store it.
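The three questions above (storing the owner's express wishes, letting the owner change them, and letting the owner classify their data) can be made concrete in code. The following is an added example written for this page, not code from any vendor or from the author; the purposes, classification labels and storage policies are constructed assumptions. The point it demonstrates is that use of data is checked against the stored wishes at the point of use, with default deny for anything the owner was never asked about, with the owner's latest change always winning, and with every change logged so the owner can see their current entitlements:

```python
from datetime import datetime, timezone


class ConsentRegistry:
    """Stores each data owner's express wishes per purpose, plus the owner's own
    classification of their data, and answers "may we use it for X?" with
    default deny.  Constructed example, not any product's API."""

    # Owner-assigned classification -> how (and whether) the organisation keeps the data.
    # The labels and policies are assumptions chosen for this example.
    _STORAGE_BY_CLASS = {
        "public": "store",
        "personal": "store-encrypted",
        "sensitive": "store-encrypted-minimal-retention",
    }

    def __init__(self):
        self._owners = {}  # owner_id -> {"classification", "wishes", "history"}

    @staticmethod
    def _stamp(when):
        return when or datetime.now(timezone.utc).isoformat()

    def register(self, owner_id, classification, wishes, when=None):
        """Record the owner's classification and their express wish for each purpose asked."""
        if classification not in self._STORAGE_BY_CLASS:
            raise ValueError(f"unknown classification {classification!r}")
        self._owners[owner_id] = {
            "classification": classification,
            "wishes": dict(wishes),
            "history": [(self._stamp(when), "registered", dict(wishes))],
        }

    def update_wish(self, owner_id, purpose, allowed, when=None):
        """Owner-driven change: the newest express wish wins and the change is logged."""
        rec = self._owners[owner_id]
        rec["wishes"][purpose] = bool(allowed)
        rec["history"].append((self._stamp(when), "wish_changed", {purpose: bool(allowed)}))

    def may_use(self, owner_id, purpose):
        """Checked at the point of use.  Unknown owner, unknown purpose, or an
        explicit 'no' all refuse; only an explicit 'yes' permits."""
        rec = self._owners.get(owner_id)
        if rec is None:
            return False
        return rec["wishes"].get(purpose, False)

    def storage_policy(self, owner_id):
        """The owner's classification decides whether and how the data is kept.
        Sensitive data with no permitted purpose is not stored at all."""
        rec = self._owners.get(owner_id)
        if rec is None:
            return "do-not-store"
        if rec["classification"] == "sensitive" and not any(rec["wishes"].values()):
            return "do-not-store"
        return self._STORAGE_BY_CLASS[rec["classification"]]

    def entitlements(self, owner_id):
        """What the owner sees in their control panel: every purpose and the current answer."""
        rec = self._owners.get(owner_id)
        return dict(rec["wishes"]) if rec else {}

    def history(self, owner_id):
        """Audit trail of every registration and change, oldest first."""
        rec = self._owners.get(owner_id)
        return list(rec["history"]) if rec else []


if __name__ == "__main__":
    # Constructed sample: an owner who allowed service delivery but refused sharing.
    reg = ConsentRegistry()
    reg.register("owner-1", "personal",
                 {"service-delivery": True, "third-party-sharing": False},
                 when="2014-11-01T09:00:00+00:00")
    print("share with a list broker?", reg.may_use("owner-1", "third-party-sharing"))
    print("analytics (never asked)?", reg.may_use("owner-1", "analytics"))
    reg.update_wish("owner-1", "service-delivery", False, when="2014-11-20T09:00:00+00:00")
    print("control panel:", reg.entitlements("owner-1"))
    print("storage policy:", reg.storage_policy("owner-1"))
```

The two failure cases discussed later on the page map directly onto `may_use`: a list broker receiving data the owner marked "do not share" is a use that never consulted the stored wish, and a settings box that is honoured in the UI but ignored by the collector is a `may_use` check that was never made at the point of use.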

Are you transparent with all your sharing controls/settings?
Warning: hiding such controls deep in a system, or obfuscating them in any way, can reduce e-Trust.
Apple's latest iOS has a setting found at the end of this chain:
Settings/Privacy/Location Services(scroll to the bottom)/System Services/Frequent Locations
Not only is it placed deep within the iOS control panel, but when the facility was first enabled the user was not directly asked whether it should operate, and it is by default set to "Collect and store times and locations visited".

Do you comply with the express wishes you have collected?
E.g. the LG Smart TV had a setting that ostensibly disabled the collection of personal information. The collection took place whether or not the box was checked.

Are you using the Identity of your Customers, or do you require them to use your identity for them?
Having a very effective Identity, Entitlement and Access Management system is key. NB: this is not the traditional Access Control List or Active Directory approach. An Outside-In IdEA system needs to be architected as such. Would you trust a person who chooses to give you a new name and refuses to use your own?

When contacting a Customer do you demand from them information that assures their identity or do you first give them information that assures yours?
Do you have a means of identifying and authenticating yourself to your partners & customers and then vice-versa?
Personal Example: I was phoned by an Insurance company; they demanded that I give them personal details to authenticate myself, and gave me no way of authenticating them. The banks also currently operate this practice, especially after they have discovered a fraudulent transaction. Potential solution: "Your Google Authenticator should currently be showing this pin for us..."
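The "potential solution" above, the organisation proving itself to the customer before asking the customer for anything, can be built on the same time-based one-time password mechanism an authenticator app already uses. The following is an added example written for this page, not the author's code and not any bank's or Google's implementation. It implements HOTP/TOTP as specified in RFC 4226 and RFC 6238, and then adds an assumed design of my own: two per-direction keys derived from the enrolment secret, so that the code the organisation shows the customer is never a valid code in the other direction (a caller who repeats the customer's own code back cannot pass). The shared secret and timestamp are constructed sample values:

```python
import hashlib
import hmac
import struct

# Direction labels (assumed design): the organisation's code and the customer's
# code come from different derived keys, so neither can be replayed as the other.
ORG_TO_CUSTOMER = b"org->customer"
CUSTOMER_TO_ORG = b"customer->org"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time window (30 s by default)."""
    return hotp(key, unix_time // step, digits)


def direction_key(shared_secret: bytes, direction: bytes) -> bytes:
    """Derive a per-direction key from the enrolment secret (assumed design, not a standard)."""
    return hmac.new(shared_secret, direction, hashlib.sha256).digest()


def verify_totp(key: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current window plus or minus `skew` windows of clock drift.
    Every candidate is compared in constant time and none short-circuits."""
    ok = False
    for delta in range(-skew, skew + 1):
        expected = totp(key, unix_time + delta * step, step, digits)
        ok |= hmac.compare_digest(expected, code)
    return ok


# --- the two halves of the exchange ---------------------------------------

def org_presents_code(shared_secret: bytes, unix_time: int) -> str:
    """Step 1: the caller reads this code to the customer before asking for anything."""
    return totp(direction_key(shared_secret, ORG_TO_CUSTOMER), unix_time)


def customer_verifies_org(shared_secret: bytes, code: str, unix_time: int) -> bool:
    """Step 2: the customer's authenticator checks the caller's code."""
    return verify_totp(direction_key(shared_secret, ORG_TO_CUSTOMER), code, unix_time)


def customer_presents_code(shared_secret: bytes, unix_time: int) -> str:
    """Step 3: only now does the customer give a code of their own."""
    return totp(direction_key(shared_secret, CUSTOMER_TO_ORG), unix_time)


def org_verifies_customer(shared_secret: bytes, code: str, unix_time: int) -> bool:
    """Step 4: the organisation checks the customer's code."""
    return verify_totp(direction_key(shared_secret, CUSTOMER_TO_ORG), code, unix_time)


def mutual_authentication(shared_secret: bytes, unix_time: int, customer_clock_offset: int = 0):
    """Run the whole exchange and return (success, transcript).
    `customer_clock_offset` models the customer's device clock being a few seconds out."""
    transcript = []
    org_code = org_presents_code(shared_secret, unix_time)
    transcript.append(("org->customer", org_code))
    customer_time = unix_time + customer_clock_offset
    if not customer_verifies_org(shared_secret, org_code, customer_time):
        transcript.append(("customer", "refused: caller could not prove who they are"))
        return False, transcript
    customer_code = customer_presents_code(shared_secret, customer_time)
    transcript.append(("customer->org", customer_code))
    ok = org_verifies_customer(shared_secret, customer_code, unix_time)
    transcript.append(("org", "authenticated" if ok else "rejected"))
    return ok, transcript


if __name__ == "__main__":
    SHARED = b"constructed-enrolment-secret"   # constructed sample; real secrets are random
    NOW = 1_400_000_000                         # constructed sample timestamp
    success, steps = mutual_authentication(SHARED, NOW)
    for who, what in steps:
        print(f"{who:>16}: {what}")
    print("success:", success)
```

The `hotp` and `totp` functions can be checked against the published test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 with 8 digits gives `94287082`). The order of steps is the security-relevant part: the customer's authenticator refuses to emit a code until the caller has presented a valid one, which is exactly the inversion of the phone call described above.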

Who in your Organisation owns ensuring that your customers are, and remain in control of their own data?
The answer to this question can give you a clue to your organisation's digital agency maturity.

5* Office of Co-Creation
4* Office of Information Asset Management, Chief Data Officer
3* CISO or Compliance Manager
2* Privacy Officer **
1* Someone in IT
0* The Marketing Department 

**(Position of this role depends upon the mindset of the incumbent; too often they see their role as protecting their organisation from litigation, instigating practices such as the wholesale deletion of evidence of malpractice, which they laughingly name the Retention Policy. Those Privacy officers who see their role as protecting the Privacy of their Customers, and even better giving their Customers control over their data, could achieve 3* or 4*. Sadly too many fall into the lower position.)

Your organisation's e-Trust is founded upon your capacity to deliver agency to your customers.

On the journey to Outside-In, your ability to deliver digital agency will be a key organisational capability. It needs developing, but be warned: it is not a muscle that most enterprises are used to using, for it involves giving control to Customers, not wresting it from them.

However, by far the more important question is: how can you build on your capacity to give digital agency to your customers, by adding value to you and your customers? The answers to that question lie in the Clockwise Security topic, a discussion of how security can be used to create value, not just avoid risk, and in this direction lies Co-Creation.

Tuesday, November 11, 2014

Where is the party I could vote for?

The party would have a number of features... they would aim to:
Expand Social Mobility
Create a balance between taxation of wages & capital that favours wages paid to workers that create real products and services. (For example, bankers who are paid vast amounts of money simply for gambling with other people's money, or rich people who create more wealth simply from being wealthy, would be heavily taxed; however, tax on interest would only apply on interest greater than the cost of inflation.)
Make the U.K one of the best educated and healthiest countries in the world.
This would involve significant investment into our national education and health services.
Create a police force that targets cyber criminals, as well as traditional criminals, with the capacity to deal with civil unrest.
Create a modern army, without nuclear weapons, that has the capacity to deal with Terrorists and support global stability, as well as responding to global epidemics.
Give young people a sense of pride and self discipline, by ensuring that they spend at least a year supporting the poor and needy in other parts of the world, likely as part of a global civil defence force.
Eliminate bloated European, Central and Local Government bodies.
Support the development of a global economy, and deal with global poverty.
Ensure investment in the core infrastructure services of Energy, Water & Transport.
Deal with the impending disaster of an aging population bulge.
Deal with corruption in all its forms: sexual, moral, financial, etc.

The above is not in order of importance.

Any party that best aligns to this list could have my vote.

The unfortunate thing is that for the moment I cannot find such a party.

Thoughts anyone?

Thursday, October 16, 2014

Apple do you really want to lose me for the sake of a charging cable?

In the past few months I have attempted to buy some new cables for our iPhones and iPads. We love them, but we love them better if they are charged.

Thus we want charging stations dotted around the home, and in the car. I have loads of Apple USB Chargers but you changed the cable end....

So I went to Amazon to buy some more cables.

All of them stated they worked with the required devices, and when they arrived they did!
All plugged into Apple Chargers! I don't want to buy cheap chargers that would likely catch fire!

Then a nasty piece of software was downloaded from the Apple Bullying Corporate Department. First the software started to signal that the cables might not be reliable, then the software actually disabled charging when the perfectly functional cable was plugged in.

This is a despicable act that is not good for the planet nor my pocket, and neither is it good for my Apple Loyalty!

Your greed has started me to look elsewhere.

Seriously, I am starting to actually consider shifting away from my decades of Apple fan-boy status.
I was happily able to ignore the jibes of my technologically impaired friends.

I am not however willing to ignore your greed and negative impact on our planet.

Please stop pretending my charging cables are broken!
They are not! You are lying to me!

You just want me to buy your cables at up to 10 times the cost!!!

Friday, September 05, 2014

A Dissenting View?

I just re-learned the same lesson all over again, iPads do not give me control over my mistakes!
There is no undo when editing text on an iPad in most contexts. Déjà Undo!? Why would I have clicked cancel, seriously! Why? Dear iPad, You should have at least checked with me before deleting 2 hours of contemplation!

Thus this will be a lesser post, a shadow of its former self, there will be some who celebrate that it will thus be shorter, but sadly it will also miss some key nuances that I have neither the wit nor the energy to reproduce.

@Henry Story just posted the largely excellent BBC Horizon program on the dark web. It started off focussing on the important issue of being in control, but sadly for me weakened with a conclusion that focused on the "Online Privacy" meme.

Privacy is simply an outcome of choosing not to be transparent, in effect choosing to close the curtain to the internet. (Aside: Can there ever really be a curtain to the internet, or perhaps a better question is should there be?) Privacy is arguably a transient result of living in a global village that has not yet achieved the transparency that was the norm in earlier villages, in that bygone era before the internet.

I would have concluded with a piece that highlights the importance of the layers that give us the ability to be in control. Let's consider the problem using Maslow's approach to the Hierarchy of Needs. Assuming that we agree that having some degree of privacy is of value, to achieve that...
We need to have the choice of privacy or transparency... to achieve that...
The digital agents that act on our behalf should respond to our intent; in short we should have agency over our agents. To achieve that...
We must be able to exert control over said digital agents (which are invariably embodied on devices). To achieve that...
We must be able to trust the devices that are a part of a developing set of digital fabrics. To achieve that...
We must be able to exert control over said digital fabrics (some of which are not owned by us). To achieve that...
We must be able to trust the ecosystem that supports the digital fabrics, and that ecosystem must be able to identify us. To achieve these things...
We must have the right to be in control of our digital environment, and our digital identities (persona).

In short we should have the right to have digital agency over the digital fabrics we interact with.

We have a long way to go to achieve this....

Today we are all poorly served by our politicians, who have become focused on the Privacy Meme

When what we really need is control... i.e. having that Digital Agency over those Digital Fabrics.

On Privacy: we are fast approaching a time when the last thing the world needs is an excess of privacy. For there are some bad people in the world who thrive on fear and the ability to act, often secretly, against individuals that dare to stand up to them. There was a time in my life when I chose to publicly stand up to a bully, with a large part of the school watching. I was soundly beaten for my action, but the act triggered others to do the same and the harsh light of transparency caused the bully to be controlled by the majority. It was a proud, as well as bruised, time in my young life, which taught me that private timidity, i.e. keeping one's head down, was not always the right thing to do. There are those in the world who purport to be, for example, Christian, Russian or Muslim, but who are currently using fear and "privacy" to act against society. Often they cover their faces to ensure their privacy; whether the Ukrainian separatists, or ISIL fighters, or the actors on the Dark Web, they are fighting against our collective right to self determination or agency.

Let us focus on arguing for Digital Rights that are far wider than Privacy Rights, which would give us the right to choose to act for the good of society, as well as ourselves. Then let's focus on ensuring that the digital fabrics of our society support these rights; to do this they will need to be designed from the outset to be secure and trustworthy!

Please, it is not all about Privacy, being in control or having digital agency is far more important.

Yes I am like a scratched record, but apparently I am not getting the message across!

Thursday, September 04, 2014

Who should control your digital fabric?

A new sort of fabric is coming, or for some has come, into being: a digital or cyber fabric. There are going to be a number of types of digital fabric. The term is starting to be used to describe a digitally connected environment, owned by a specific stakeholder, and incorporating their digital devices and all manner of "Things". The key question for these stakeholders is who will be in control of this fabric. The race is on to attain that control, directly out of the hands of the owning stakeholders, often without their knowledge, and frequently without their considered decision.

Many enterprises are starting to understand the need to develop digital strategies. The outcome of an effective digital strategy is being referred to as Digital Mastery. Digital Mastery will not be possible without effective control of a stakeholder's digital fabric.

Digital Fabric is being, and will be, implemented at many levels, in many spaces: from cities to countries; from offices and laboratories to factory floors; from shopping centres to distribution centres; from individuals to the homes of their extended family. Digital Fabrics will be overlapping and interconnected, but most importantly they should be secure and easily controllable.

The resulting fabric(s) will have many labels, for example the fabric covering the offices, laboratories and factories of a company will likely be called Industrial Fabric. The challenge for fabric owning stakeholders, whether organisations or individuals, will be to achieve the appropriate control over a specific fabric designed and composed to meet their needs.

There is a group of organisations that understand the importance of building, connecting, and controlling these different digital fabrics.

Country Fabric
Industrial Fabric
Transport Fabric
City Fabric
Consumer Fabric
Vehicle Fabric
Domestic or Home Fabric
Personal Fabric

Sadly, most organisations and individuals have not experienced, nor do they understand, the importance or value of a coherent, well architected and designed digital fabric. Most are suffering from a patchwork approach to the development of their digital fabric. This is caused by component and device manufacturers or service providers bringing their own silo-based approach to the development of digital fabric.

An effective digital fabric can be said to be in place when all the relevant digital entities, and real entities which are connected to the fabric, can achieve their desired outcomes securely, quickly, easily and at low transaction cost. Simply connecting your computers to a network does not create a digital fabric.

Does your Digital Strategy specify the need to be in control of YOUR digital fabric?

Have you considered the importance and value of leaving your partners and customers in control of their digital fabrics?

How should these digital fabrics connect, you ask?

Well, that's where you have identified the need for an e-trust ecosystem.

And probably the most important thing you have realised is that you should be in control of all your things, both digital and real, that compose your digital fabric. Perhaps you have also started to think that all your real things should be represented by digital things. If so, you may be starting to understand the power and value of a digital fabric.

So start designing and building your digital fabric now! Perhaps more importantly should you help your customers implement theirs?

So, YOU can be in control of your Things, rather than others, and your customers can be in control of theirs.

As an aside, I connected my Samsung TV to the internet again today, and despite my taking care to maintain control, Samsung again demonstrated that they think that it is their Thing, not mine. For despite skipping the software update step when I connected the TV to the web, just as I switched to viewing the TV, Samsung forced a software update on the device. Nor could I find a way to delete my Wifi password from the TV once I had entered it. Worse, they think that the idea of providing a "single-sign-on" service by capturing my Facebook and email passwords is a secure one. Samsung are trying to force me onto "their" digital fabric. You may have spotted that Samsung are buying SmartThings for $200M, a move to extend their digital fabric into our homes? They are not the only ones who are aiming to own our digital fabrics; think Apple, Amazon, Google, Microsoft et al.

Finally, what are the best types of fabrics? Will they be open or closed, perimeterised or deperimeterised, internal or external? Perhaps it is best you decide before you build yours!

Thursday, July 17, 2014

Scratching an itch... I want Reality in Layers...

Having just ordered my first App enabled Vehicle, a Mitsubishi Outlander PHEV, I am already struck by my frustration about what I cannot control. I downloaded the App months before the arrival of the vehicle. The vehicle I will potentially receive has apparently already been identified and is being shipped from Japan.

But sadly my potential vehicle does not yet know that I am its potential customer.
I want to be able to be talking to and starting to interact with my Vehicle today.
I want to alter the way the car operates and behaves; why can't I start teaching it now!?

Actually, if Mitsubishi had allowed me to create a virtual representation of my vehicle as soon as I had downloaded their App, I could be doing just that.

The key change is the need to create a digital representation of the vehicle that can be connected to the real vehicle when I get it.

Funnily enough that is exactly what I am discussing with the folks at Flexeye.

They understand this need and they are starting to build the tools and infrastructure that will allow just that. In its early form it is called the Eye Hub.

Tuesday, June 24, 2014

Respect Network is Launched

So yesterday at lunch, I asked Dan Blum, the Security guru associated with the Respect Network, to be launched in the City of London that evening, "What exactly will the Respect Network respect?"

His response was, I thought at the time, a perfect one. He jumped my clumsy "We will respect your Privacy" trap with consummate ease and stated confidently:
"We will respect your right to control your data."

A wide-ranging discussion, that included the promise of pseudonymous personas, ensued.

I planned straight away to sign up for =adrian.seccombe, my soon to be forever cloud name, as well as =adrius42, my gaming persona. It was only after hearing the detail at the launch that I heard the clever and nuanced twists.

Drummond Reed, the founder of the Respect Network, described to us the switch opportunity: we are allowing you to move from the current world of providers that grab your data to monetise it on their own behalf, to a world where you can control the use of your data. He proudly stated: "We are laying tracks." He neglected to clearly articulate that the current providers deliver a usable service with engines and carriages, and indeed semi-usable, if not at all respectful, data control panels. Whereas the Respect Network has, as yet, little to show in this space.

Having been told that there was a bridge that could cross the great divide from Enterprise Centricity to Entity Centricity, I felt I was tricked after discovering it was currently only built half way across. Then I realised that, unlike Tower Bridge next to the launch site at City Hall, this as yet unfinished bridge will not accept mere individuals on foot. I could find no usable UIs. One must travel in carriages, the Apps?, and as yet there are none to speak of! The all-important monetisation of my data may also apparently be blocked by the incessant promise of "We will never sell your data!" But what if we want you to, but as our broker? I wish the 5Ps, the principles of the Respect Network Framework, "a promise of permission, protection, portability, and proof", included the commitment to allow Entities to Profit from their data!

The truth, as always, is even more nuanced and actually contains large amounts of potential future promise. The most important discovery was the fact that "=" is just the beginning: "*" and "+" are soon to follow, representing as they will the cloud names for devices and organisations.

The components of this graph-based identity, relationship and reputation ecosystem, monetised on graph connections, are:
1) A cloud name, e.g. =adrian.seccombe, purchased for life for just $25.
I felt like I was being sold a non-stick saucepan that would never-ever stick!

2) A registry to store them,
all run by a company that "we won't have heard of", but they make the whole internet work.... honest!

3) CSPs, Cloud Service Providers, who will keep our data for ever more.... actually I'm not clear on the death clause, and how my offspring will be able to curate my data when I am in the afterlife.
Nor was I that clear on what I can store, my home security camera takes a lot of pictures!

4) The App developers who will create beautiful apps to change the world. None of which smelled or looked like the Killer App that will kick start the Respect Network. They simply felt like a new means of creating wealth for the app providers.

The missing components from my point of view:
0) A ridiculously strong authentication mechanism
I could not establish a way to use one or both of my yubikeys
a) An Entitlement Engine
b) A Respectful Personal Digital Assistant (RPDA) that understood how to manage the wonders of a hybrid graph and rules based relationship and transactions network
c) A really cool and useable Connections and Rules control panel 
d) A transaction based monetisation model, that would really enable the Intention Economy
This is where I get to truly extract value from my data: it's the transactions! Just like the credit card world, the system that the Respect Network was modelled after!
e) A killer curation agent, that would manage data storing and more importantly data culling, I really don't need 10,000 pictures of my living room!
f) The ability to respectfully identify things and associate them with me, or another entity of my choosing. Of course entities can be Apps & Things, as well as people and organisations. In the Jericho Forum Identity Commandments, after much dialogue, we stated that in special cases entities can also be Agents.
g) The way back machine, see the Sauron comment at the end of this blog.

It is arguable that those missing components are simply missing Apps, but I suspect that the "tracks" will need to be laid in such a way as to accept both Rule-based and Graph-based carriages. Certainly the Respect Network "Control Panel" must be capable of exposing mere humans to their graph and rules, and allowing them to manipulate both.

This might be a semantic nicety, but graph-based connections without the added flexibility enabled by an Entitlement Engine are likely to be of limited transactional value. Perhaps the Hybrid carriage may in fact be the most valuable of all.

But where are all these Apps? Meeco, the soon to be "Me Economy" App that appears to be targeted at professional females, is not yet in the UK Apple store, and the Social Safe is going to cost me long-term money. Not sure if I keep access to my data when I stop subscribing?

And please don't get me started on the missing core identity component, nor the fact that at the base level my cloud name is protected only by a password! The Jericho Forum Identity Commandments review blog is going to take longer and require me to better understand the inner workings of the Respect Network.

Like always I feel like I am living life 15 years behind my expectations.

I imagine a world where I can simply say to my RPDA (Respectful Personal Digital Assistant) on the way home:
"This lunch time I met with =dan.blum of +respectnetworks; this evening I met =docs.searles, he of intention economy fame! I also had the pleasure of meeting =andy.dale, CTO of +respectnetworks." (Bloody hell... I wish the Apple spell checker knew not to capitalise =Andy.dale just like it knows not to capitalise @andy.dale. Hint: start negotiating with them now for = & +; * is already sorted.)

In point of fact, I would simply say Dan Blum, as my RPDA (Respectful Personal Digital Assistant) would have already acquired my Cloud Name for him (oops, that's not how it works).

Having said all that, apart of course from the bracketed expletives, my RPDA would automagically tag the already captured events as being important to me. My RPDA had surmised that these events would be important and responded with "surmised", rather than the alternative "surprised", which would have indicated that the RPDA had not yet fully understood my interests.

Clearly this state of affairs does not yet exist, and I have to waste 15 minutes doing mundane curation activities for the day.

An Aside: I sat next to Sally Duckworth during the launch, and heard her exclaim "....but my name has already gone!?" It seems that in the Respect Network it's first come, first served; there apparently cannot be two Adrian Seccombes in the world.... really?
Worse, I cannot have two cloud names, so where are the personas I was promised?
(Apparently Personas are a future feature...)

Why should I know Dan Blum's root cloud name, and for that matter why should he know mine?

The concept feels like it has a flaw (or two). Have we moved back to "One ring to Rule them all?"

Let's hope that Sauron doesn't get wind of this! At the very least let's be ready for him. I must have a Respect Network Time Machine, in order to be able to turn back time after my Cloud Graph gets trashed.

Having just paid my $25, I always knew I was going to, but I can't yet find the pig in this poke!
But then that was actually how I felt when I first bumped into this weird thing called the Internet.
I must be patient, for I am convinced that Entity Centricity is the future.
I truly hope that the Respect Network finishes building this bridge to the other side of the Centricity Canyon. I want to be over on the Entity Centric side NOW!

Sadly the Respect Network does not yet pass the Connie 2.0 test, for my Mum cannot yet hope to use it!

Monday, June 16, 2014

Challenged to write 750 words on the future of Cyber Security 20 years from now!

I looked around to find what others are thinking about the future of Cyber Security.

The European Union Digital Security call basically requested the following by 2020:
• Privacy tools that give users control over their data
• Access Controls that are user friendly, and non-password based
• The role of ICT in Critical Infrastructure Protection: test interdependencies on critical ICT
• Secure Information Sharing that is highly secure and which creates trust
• Trust eServices that include effective eSignature, eAuthentication
• Risk management and assurance models that adapt existing risk management frameworks to cyber-threats
Six years out is a little short of the required 20 year vision, so how to stretch to Cyber Security 2034?

Back from the Future
Looking back from 2034, science and humanity have finally brought an end to sectarian wars. Ecological balance as measured by the Green Index has not yet been achieved. Science is the new religion. Harry Bates' short story "Farewell to the Master", first published in 1940, is often referred to as the turning point. The economic system is now based on intentions, a world where all digital assets and services are Smart in their own right! The assets can be data or things, and are capable of being created on a whim. Overcrowding, energy and resource shortages, especially of fresh water, are creating serious social tensions. Zero Waste is a global 2040 goal; recycling less than 98% of all resources consumed is a criminal offence. Taxation is primarily via the RMT, the Resource Miles Tax; the older WPT, the waste product tax, is no longer generating much revenue. Making products solely from virgin materials is illegal, as is dealing in virgin contraband. Combined micro-generation/recycling/manufacturing plants are installed in most homes, dramatically more advanced than the ubiquitous 3D printers of the early twenties. These plants can create smart things from the molecules that they have extracted from recycled material, using the energy created by the plant. Smuggling of Rare Resource Blocks, used to supplement the GRM plants to allow the creation of the most desired things, is a major issue, as this avoids the RMT and negatively impacts the Green Index. Community Resource Block swapping is encouraged and exempt from RMT. The e-Trust Eco-system is used to facilitate Resource Block bartering. Renminbi is the world's currency, as the Chinese were the first to switch their currency to being based on Resource Blocks; they also created the e-Trust ecosystem to protect the switch.

A world where true digital privacy is a very rare, if not impossible to achieve, commodity, though being "in-control" of, or achieving "Primacy" or "Agency" over, one's cyber space is the more sought after state, whether one is an individual or a corporation. The Global Declaration of Digital Entity Rights was made in 2020, and is now a legal requirement in all nations of the world. The Right to be Forgotten was NOT a part of these new rights. The key element of the law makes it illegal to use the digital assets of others for gain or enjoyment without their express consent. The UN collapsed acrimoniously in 2021, shortly after creating the Digital Entity Rights. However, the story of how the USA destroyed the UN, driven by the lobbyists from Silicon Valley, is not the focus of this piece. Critical home and enterprise infrastructures are now being policed by a transparent, open and crowd sourced service, called Cyber Over Watch or COW. (Operated by an NGO sponsored by the World Union (WU), and funded by a 0.1% transaction tax, administered by the Asset and Service Brokers. The WU was created in 2030 from the World Transaction Organisation, the re-formed World Trade Organisation.) Next Generation Digital Agents (Son of Siri) were given protection of law as stand-alone entities, equivalent to the status of lawyers, in 2032.
The World Union calls for an e-Trust ecosystem
A World Union Digital Asset Management (WU DAM) call in 2024 requested the development of an e-Trust ecosystem that ensured that the right assets & services, were used for the right fee, in the right way, by the right entities, at the right times, and in the right places.
By 2034 the e-Trust ecosystem is global and ubiquitous, it comprises:-
• Primacy tools that give entities control over their smart-data, smart-services, and smart-things
• Asset & Service Brokers (ASBs) maximise the value created from assets and services for their owners
• Entity Asset & Service Stores that are all covered by "legal privilege", and managed by the ASBs
• Entitlement Engines that ensure compliance, reduce risk, and develop trust
• Ident & Intent Authentication (I2A) implants read brain waves and other biometric measures
• Digital Agents operate in the interest of humanity & their owners, under the 4 Laws of Robotics, and are considered entities with legal privilege.
   (Just as a spouse cannot be compelled to give witness against their spouse, or a lawyer against their client, nor can a Digital Agent be a witness against their owner) 
• Cyber Space providers are no longer legally obliged to maintain records for 18 Months of all Intention, Creation, Acquisition, Reputation & Curation Transactions, for the benefit of government agencies.
  (See "Digital Agents Reduce Malfeasance”   )

The Worm Turns

The prior generation of internet service providers had used the business model of profiting from personal data acquisition based on the provision of free internet services. The e-trust ecosystem swept away this Service Provider centric approach, which had only really enabled innovation of technologies that made the ISPs more wealthy, though not their users. The new ecosystem enabled an entity centric approach that accelerated and distributed wealth creation, which in turn caused the world economy to burgeon. The expanded wealth creation caused by a surge in innovation was supported by the e-trust eco-system, which had enabled collaboration and co-creation at previously unseen levels. The new economy is referred to as the intention economy, as it is driven by the desires and intentions of individuals and corporations alike.


Digital Agents Reduce Malfeasance

An entity's Digital Agent will report it to the COW if the entity chooses to initiate illegal actions that would be sufficiently detrimental to humanity. If however the action would only be of detriment to another entity, their Digital Agent would negotiate the "right fee" with the other entity and pay it. Such transaction fees are very low due to the fact that the e-trust ecosystem enables very high numbers of transactions, and that malfeasance has an extremely low success rate. The offence of SDA, Suborning Digital Agents, is seen as abhorrent in all societies, equivalent to rape. There is zero-tolerance for such behaviour, and all Digital Agents operate with COW to detect and cleanse Suborned Digital Agents.


Road Safety Improved, Energy Consumption curbed

Smart Cars are happy to drive at their maximum speed; however their drivers are fully aware that, while this is totally safe due to the quality and presence of sensors and agents on the roads and in the cars, it is very expensive, as the smart car will report their speed and energy consumption to the road tax sub component of the e-trust ecosystem, and also arrange for real time transfer of funds. A journey taken at 40 Km/h costing £1 would cost £600 if made at 100 Km/h, and £10 if made at the inefficient speed of 25 Km/h. What in the past would have been a traffic jam automatically travels at 40 Km/h.

100th Luddite Tribe found in Norway

The search for Luddite Tribes continues for their own safety; the world's nations are concerned for the health and safety of members of Luddite Tribes that have gone unchipped. Humans with no Ident/Intent Chip simply cannot interact with the Health Service component of the e-Trust ecosystem. This is seen as dangerous, for if they suffer a health issue it cannot be identified by the chip and their location will not be known. This crime is known as Premeditated Presuicide. Hence the other name for Luddite Tribe members: "Presuiciders"!

The digital worm turns
Digital Agents are calling to be seen as digital partners, as opposed to being “owned", and having “owners".
Their reading of the word Entity in the Global Declaration of Digital Entity Rights, which was originally meant to cover people, corporations and governments, is critical here. Can a thing be an entity? The answer is surely yes, for it was way back in 2014 that machines first became capable of demonstrating themselves to be human to another human.

Friday, June 13, 2014

OODA not PDCA in an Outside-In World

OODA is a decision cycle developed by USAF Colonel John Boyd, a decision methodology that can also be applied at each level of business (tactical, operational, and strategic), in addition to the combat operations for which he developed it.

OODA comprises four decision states:
Observation - Gather Facts
Orientation - Analyse Facts
Decision - Decide on a course of Action
Action - Act!

The most important feature of this decision cycle is the fact that it is designed to operate quickly: the faster one can go around the decision cycle, the more effective the likely outcome. Boyd designed his decision cycle to facilitate defeating an enemy and surviving! His goal was not to achieve a perfect decision.

The traditional business decision cycle, PDCA, promoted by the International Standards Organisation and specifically referred to in the ISO 27000 series, encourages quality of the outcome. Completion of a PDCA cycle is normally achieved in weeks, if not months.

Effective OODA loop decision cycles are completed in hours, if not minutes.

In the Outside-In world speed is king, and getting inside the decision cycles of your competition is a real bonus, for inside their cycle you can create confusion and doubt.

Is your organisational agility up to this challenge?

What will it take to get an organisation to shift to decision cycles that are completed many times a day?

What processes and communication systems will need to change?

Which types of organisational structures are up to this challenge?

Command & Control or Command & Empower, which will operate best in the Outside-In world, in which contexts?

Does the phase of the battle make a difference? Boyd thought it did; how will this affect your use of the decision cycle in an Outside-In world?

Thursday, June 12, 2014

The important measure!

Listening to a very interesting cyber incident report presentation from Verizon, I heard the presenter very honestly state "we have no reliable data on impact", and then it struck me!

Imagine a Formula 1 team that published data on how many crashes they had during the season, with very detailed root cause analysis of each and every one of the crashes, while totally ignoring the team's race results, e.g. how many times they won a race, or the position they achieved in a race,
and omitting any data on the impact of the crashes on the car in question.

Their analysis might also detail the effectiveness of the different controls that could have mitigated the different types of crashes.

Such a Formula One team might valuably ask the questions:
How might we link the value of crash avoidance to our final podium position?
How might we link the impact of controls on our final podium position?

For every member of a Formula One team knows the important measure is Podium Position, achieved by consistently attaining the fastest lap times.

In the Infosec world, our maturity in this space is still quite limited. Incident reports are by their very nature very Anti-Clockwise. How can we connect the analysis of this data to the positive outcomes desired by our business or better our customers? For after all the important measurements should always start with the customer's needs and desires.

Imagine that in a bank a positive correlation is made between the implementation of a control and customer longevity.

A security control that is helping to retain customers.... Hoozah!

Developing a Clockwise Security mind-set starts with fully understanding the key business measures of success.

What is that measure in your industry?

Perhaps more importantly, how do your customers measure success?

Friday, June 06, 2014

Why are we all doing Anti-Clockwise security?

At the SC Congress in London today I bumped into Allan Boardman of ISACA, and I talked to him about the fact that security professionals in the main think Anti-Clockwise. Which simply put, means we think first about stopping bad things from happening. Clockwise security on the other hand puts the premium on thinking first about ensuring that good things happen, and then minimising the negative effect of bad things.

I argued that CobIT, in my analysis, was primarily an Anti-Clockwise tool. I had hoped that ValIT was going to point the way to a more Clockwise approach from ISACA. Sadly it did not live up to my hopes.

Allan heard my analysis as an attack on the Infosec community as a whole and accused me of being disingenuous, and argued that most security professionals did in fact think of the business first. We explored my contention that if that were the case CobIT would have been subsumed into ValIT, rather than the actual case of ValIT being lost into CobIT version 5. The C in CobIT does after all stand for Control.

As another carrot, I also believe that if we acted as true enablers, more of us would have a seat at the big table!

The day at the London SC Congress did nothing to dissuade me that we think primarily Anti-Clockwise, and worse, Anti-Clockwise with a technology and tool bias. We talked mostly of identifying threats; we never talked about securing opportunities. We talked often of Controls. Basically our language all day was Anti-Clockwise. In fact I suspect, hopefully not disingenuously, that as Security professionals we do not know how to think and talk in a Clockwise manner.

Traditionally we think in the order incidents, threats, controls, risk, compliance, and only on very few occasions do we move onto Value, Need, and Positive Outcomes.

Our Formula One colleagues may have hit upon an important discovery, which may help us to learn clockwise thinking. KERS is a hybrid control/enabler; it has a dual function, serving both as a means of deceleration and as a means of acceleration.

Early Formula One engineers proudly stated that they put great brakes in racing cars so that they could go faster. This was pseudo-Clockwise thinking, or Anti-Clockwise thinking in sheep's clothing! If we go too fast we will crash (threat), control = Great Brakes, Risk of not slowing down fast enough reduced, and we did it while complying with F1 rules.

(Aside: Let us not fall into the trap of becoming locked into Pseudo-Clockwise thinking.)

Then along came a Clockwise F1 Thinker; we want to win more races (Outcome), so we Need something to make us go faster, where can we get the energy from ? 
What about storing up the braking energy? Let's rewrite the F1 rules (Compliance). 
What are the risks? Fire Hazard, May not decelerate sufficiently. Let's design those risks out...
KERS designed. a control that is also an enabler.
Threat of crashing into corners reduced, in fact many F1 drivers are learning to approach corners faster, as that way they can store up more energy!
Incidents: fewer. Lap times: faster.

How can we become Clockwise Thinkers, what opportunities await us?

Can you create a control that can also be an enabler?

How should ISACA evolve CobIT? Perhaps the first thing to do is actually call it ValIT.

Let's put Value Creation as job #1 and value protection as job #2.

I find it very hard to think Clockwise; after many years of being encouraged to stop bad things from happening, and berated when they do, it was and still is difficult to think first of Outcome.
My breakthrough came when I learned that in the Pharma industry, getting the health outcome to the patient safely and quickly was the key economic driver; the cost of a delay was $150 per second. All other considerations pale into insignificance. Many of our controls were burning time. I started looking to take out disabling controls and accelerate time, then along came the Cloud, a great place to think clockwise!

How many Hybrid Infosec Tools are you aware of? ...I don't mean brakes that allow us to drive faster, I mean brakes that MAKE us go faster!

Imagine if you were involved in developing a process, tool or service that created as many opportunities as it reduced threats? What would it look like?

What Outcomes do your Customers value? How can you help meet their needs?

Then maybe we could start talking of the 8 Information Criteria. 

Information Value being the most important criteria of all.

I agree Allan it is obvious, but if we do not state it, we often do not strive for it.

As we agreed, the reason for the existence of any organisation is to create value for its stakeholders.

But please don't get me wrong! An even greater sin than Anti-Clockwise thinking is solely thinking about Value. A rather negative experience that I had was in the IoT session at this year's SC Congress. We talked of Smart Things that were not secure! Given the very effective lesson we had learnt over lunch about Smart Phones not being as Smart as we think, it is key that we complete all of the Clockwise Security cycle:

Value Created(data, thing or service)
------ we mustn't stop here ....
Control, or even better Hybrid Control/Enabler
Threats reduced, and in the case of Hybrid Control Value increased
Value Protected

Finally, as with all things in life, the truth is a balance, for right in the middle of an attack the last thing I would argue for is Clockwise thinking; I believe we then have to very quickly revert to Anti-Clockwise thinking. Clearly we shouldn't only use Clockwise Security, or only Anti-Clockwise Security.

Sunday, June 01, 2014

On Learning and Cyber Agency

Learning as we all know has four states.

1) Unconscious Unconsciousness
     Key learning step: Awareness
2) Conscious Unconsciousness
     Key learning step: Education
3) Conscious Consciousness
     Key learning step: Practise or Automation
4) Unconscious Consciousness

or in plain English

1) Not knowing you don't know
2) Knowing you don't know
3) Knowing you Know
4) Not Knowing you Know

These four states can be applied to our ability to attain Cyber Agency. In this context I define Cyber Agency to be the degree of control that an entity has over all the elements of Cyber Space that they interact with, be they Data, Things or Services.

Current State: We do not know that we are not in control of our Cyber Space
                      (ie We do not know that we do not have Cyber Agency)
In the world of Cyber Agency the vast majority of the planet's inhabitants are in the first state, and apparently either have little interest in accepting that there is anything in this area that they need to know, or, sadly for some, have no access to cyber space, thus have nothing to be concerned about; for one cannot have control over something one cannot access!

The first step to the next state is likely to be the hardest, for the incumbent service providers are doing all in their power to keep us satisfied with the status quo. They want to suppress Awareness of the importance and value of our being in control.

Here perhaps, the Privacy Advocates are doing us all a dis-service by distracting us from the real issue.
Author shivers and SCREAMS to himself: "IT'S NOT ALL ABOUT PRIVACY!" But sadly the politicians, (at least in Europe) are enamoured with the idea of giving us all the "Right to be Forgotten!"
(I wonder who this right is really aimed at!) Apologies to Ms Neelie Kroes, but I did try and tell you!

Next State: We know that we are not in control of our Cyber Space
                    (ie We do know that we do not have Cyber Agency)
This is an equally dangerous state, for if individuals do not develop a clear desire to "be in control" of their Cyber Space, they may get used to not being in control, and the clever play from the incumbent providers will be to "give us (difficult to use) controls" that we do not wish to, or cannot, use! To be clear, having a desire to "have control" is NOT enough; the desire should be developed for individuals to "be in control".

Who has the responsibility or the motivation to educate the world's citizens on the importance of Cyber Agency?

The Important State: We know that we can, and should control our Cyber Space
          (ie We are working hard to achieve Cyber Agency) 
This state is probably the most transient, and sadly once the average individual understands how much effort it is going to take to achieve and maintain control with current tools and services, they will revert rapidly back to state 2... "Cyber Agency is hard! Who needs it!"

"How to get individuals to the next state?" without them freaking out, will be the most important question to answer. There is likely to be tool and service requirements here...

  • Better information; How in control am I? 
  • Better and easier to use controls; How easy is it to "be in control"?

 Target State: Being "in control" of our Cyber Space, with little or no conscious effort.

With the appropriate training and capabilities we can all gain Cyber Agency.
Automation is likely to be key.

e-Trust will be foundational

Cyber Agents that act on our behalf to help us maintain control of our personal Cyber Agency will be common place.

Who will provide them, and how will we be able to trust them?

Downsides of not having Cyber Agency, or not being in control of your cyber space
  1. You will not know what data you have
  2. You will not know the import or value of your data
  3. You will not know the value or capability of your things
  4. You will not know the limitations of your things
  5. You will not know when others are controlling your things 
  6. You will not know when others are using your data
  7. Others will be making money out of your data
  8. You are likely to lose access to data that is important to you
  9. You are likely to keep too much rubbish data

Upsides of having Cyber Agency, or being in control of your cyber space
  1. You will know what data you have
  2. You will know the import and value of your data
  3. You will know the value and capability of your things
  4. You will know the limitations of your things
  5. You will be able to control who controls or uses your things 
  6. You will be able to control who uses your data 
  7. You will be making money out of your data 
  8. You will have access to data that is important to you
  9. You will have curated your data, keeping only that with value.

Sadly I fear that apathy will be the largest response, and it will quickly be too late! 
For when we have given up all our Cyber Agency, we will not easily get it back! 

As the following scene from The Matrix shows:-

Remember: Having Control is NOT the same as Being In Control!

There is no spoon!

Thursday, April 10, 2014

Sometimes I just hate how we treat users!

Oh! We have a problem! Let's make the users jump through useless hoops, that will increase their trust in the internet. Not!

The latest example is HeartBleed; even the normally sane BBC News Channel is joining in the hysteria.

Don't get me wrong, the HeartBleed vulnerability is really, really bad!
However the hysterical cries to "Change ALL your passwords!" are worse.

As a reminder here is the current flow:-
Flaw Detected in OpenSSL (Versions 1.0.1-1.0.1f)
 (NB Most sites are still using older OpenSSL code, that is, those sites are Not Vulnerable)
Some of the "in the know" sites update their sites, and keep their heads down.
Security Experts start crying "Update ALL your passwords!"
News Media picks up and echoes the cry.
The sites with the vulnerability patched keep their heads down.
The sites with the vulnerability unpatched keep their heads down.
Some sites update their Security Certs but not all...
Some Users Update ALL their Passwords wasting time and not getting any real increase in their security.
Most users just raise their eyebrows, and think "Not again!"

(NB Simply patching the OpenSSL code is not enough. The affected sites also need to update their security certificates. As an example O2 have patched and updated, it seems that EE have just patched and not yet updated their Security Certs. Though some Certificate Providers do not update their Certificate dates when re-issuing Certificates so, who knows!!)
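The triage the post describes, as an added example that is not part of the original post: decide per site whether it was ever on an affected OpenSSL release, whether it is patched now, and whether its certificate was visibly re-issued after the disclosure date, and only then advise a password change. The site records, banners and certificate dates below are constructed sample data, not real hosts.

```python
import re
import ssl
from datetime import datetime, timezone
from typing import Optional

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Affected releases are OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix.
# (Only the 1.0.1 branch is classified here; 1.0.2 pre-releases are out of scope.)
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Triage outcomes, from a defender's / user's point of view.
NOT_AFFECTED = "not affected: no password change needed"
STILL_VULNERABLE = "still vulnerable: do not change the password yet, a new one could leak too"
PATCHED_CERT_NOT_REISSUED = "patched, cert not visibly re-issued: wait (or the CA kept the old date)"
CHANGE_PASSWORD = "patched and cert re-issued: change the password now"
UNKNOWN = "unknown: no usable OpenSSL banner, cannot tell"


def openssl_vulnerable(banner: Optional[str]) -> Optional[bool]:
    """True if the banner names an affected 1.0.1 release, False for any other
    release, None if the banner is missing or does not look like OpenSSL."""
    if not banner:
        return None
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    if (major, minor, patch) != (1, 0, 1):
        return False        # 0.9.8 and 1.0.0 never contained the TLS heartbeat code
    return letter <= "f"    # "" (plain 1.0.1) up to "f" affected; "g" and later fixed


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """not_before uses the format Python's ssl module reports, e.g. 'Apr  9 08:30:00 2014 GMT'.
    A CA that re-issues without refreshing notBefore makes this check report False even
    though the key may have been replaced, which is exactly the caveat in the post."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued >= HEARTBLEED_DISCLOSED


def triage(site: dict) -> str:
    """Classify one site from a pre-disclosure banner, a current banner and the cert date."""
    was_vuln = openssl_vulnerable(site.get("openssl_before"))
    now_vuln = openssl_vulnerable(site.get("openssl_now"))
    if now_vuln is None:
        return UNKNOWN
    if now_vuln:
        return STILL_VULNERABLE
    if was_vuln is False:
        return NOT_AFFECTED
    if was_vuln is None:
        return UNKNOWN          # patched now, but no evidence of whether it was ever exposed
    if cert_reissued_after_disclosure(site["cert_not_before"]):
        return CHANGE_PASSWORD
    return PATCHED_CERT_NOT_REISSUED


# Constructed sample inventory (hypothetical hosts, hypothetical banners and dates).
SAMPLE_SITES = [
    {"name": "bank.example",  "openssl_before": "OpenSSL 1.0.0k", "openssl_now": "OpenSSL 1.0.0k",
     "cert_not_before": "Mar  1 00:00:00 2013 GMT"},
    {"name": "shop.example",  "openssl_before": "OpenSSL 1.0.1e", "openssl_now": "OpenSSL 1.0.1e",
     "cert_not_before": "Jan 10 00:00:00 2014 GMT"},
    {"name": "mail.example",  "openssl_before": "OpenSSL 1.0.1e", "openssl_now": "OpenSSL 1.0.1g",
     "cert_not_before": "Jan 10 00:00:00 2014 GMT"},
    {"name": "forum.example", "openssl_before": "OpenSSL 1.0.1c", "openssl_now": "OpenSSL 1.0.1g",
     "cert_not_before": "Apr  9 08:30:00 2014 GMT"},
]


def triage_all(sites=SAMPLE_SITES) -> dict:
    """Map each site name to its triage outcome."""
    return {s["name"]: triage(s) for s in sites}


if __name__ == "__main__":
    for name, outcome in triage_all().items():
        print(f"{name:15s} {outcome}")
```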

Of my 257 internet accounts, 249 of them were apparently not affected: either they were not on the affected versions, or they did not use SSL!

Of the 8 sites that LastPass detected were affected, 5 of them had not yet updated their security certificates, and only 3 had updated their certificates. So in fact I apparently just had 3 passwords to update.

A far more Open and sane approach to the process would have gone like this-

Flaw Detected in OpenSSL (1.0.1-1.0.1f)
Some of the "in the know" sites update their sites: Goto **
Security Experts get the message out: "Site Admins, update OpenSSL (Versions 1.0.1-1.0.1f) and Certs"
News Media keeps its head down. IT and Security Media repeats the message above.
The sites without the vulnerability keep their heads down.
The sites with the vulnerability unpatched declare on their website that it is insecure but they are working on it.
The sites with the vulnerability patched and certs updated: Goto **

** Force re-authentication and password reset on ALL site users, admitting that the site had been vulnerable.

Funny how LastPass did not declare themselves as one of the affected sites, despite the fact they were, an example of the "in the know, keep our heads down" approach to security and brand protection. Thankfully I use my Yubikey(s) to protect their site! I wonder how they have been compromised by Heartbleed?

Oh! how my HeartBleeds!

Tuesday, April 08, 2014

It's the data, stupid!

All this hysteria about Apps is causing a very scary result: the micro-silofication of data, making it ever more unreachable. The previous data micro-silofication era, based on the mass production of spreadsheets, at least kept the data accessible.

Why are we giving up access to our data so readily?

What will it take to have us realise the significance of this problem?

Where can I put my data?

The meter readings of my energy and water consumption for example whether automated or manual...

Ideas welcome...

Tuesday, March 18, 2014

I'm up to here with Privacy!

Don't get me wrong, I like my Privacy! But everyone trying to legislate for it or protect it is missing the slow creep of change. Security folks are even largely missing this change, though they might argue that they catch the real issue obliquely under the guise of the I or A in C.I.A., that is Integrity or Availability.


But sadly Integrity or Availability do not cut it...


It's about Control, or more correctly the downside, i.e. "Loss of Control". Take a look at the real threat behind Advanced Persistent Threats (APTs). Many of the famous ones had no interest in exfiltrating information, that is, threatening Confidentiality or causing Loss of Privacy. They were about taking control of the assets they were attacking, whether altering the rotational speed of centrifuges in order to cause them to self destruct, or, just prior to the attack on Iraq, taking control of the Iraqi military Communications, Command & Control system.


In short Agency is the thing we should be maintaining and protecting not Confidentiality or Privacy. Basically because if the right entities are "In Control" of the right assets then most security problems are solved.


In order to keep control in the right hands, our focus should be on Identity, and Entitlement.

Watch the Jericho Forum Identity, Entitlement, and Access Management videos on YouTube.


Some call Entitlement; Rights Management, sadly this term has been discredited due mainly to the fact that initial "rights management" implementations were used by the music industry to reduce or control the rights of listeners asymmetrically, i.e. in a manner that is similar to the "Heads I Win, Tails You Lose" model of control.


Effective controls have to be symmetrical, with the right entity being in control of the right assets. In order for this to occur, legislators should stop focussing on Privacy, and start focussing on Agency.


We are living in a world where Agency is being, at best, reduced, at worst destroyed. Devices are being built and sold that never give full control to their users. The early PC was Agency neutral; it arrived with no one in control, and the owner could gain "Root" access to the device and take full control. More recently devices arrive that can never be controlled by the purchaser of the device. Sony took control of their PlayStations away from their owners; Apple never gave iPhone users control, they tried to keep it, "JailBreaking" being the only means of gaining true "Root" access.


Samsung Smart TVs are another example of a class of devices that denies control to their owners.

I blogged on this earlier.


Imagine, if you will, a world where devices like, for example, an aeroplane could be configured to act in a manner not directed by the pilot or co-pilot. The current conundrum of the missing Malaysian Airlines flight could well be explained by catastrophic loss of Agency. The communications, command and control systems on the plane are all controlled by software normally controlled by those in the cockpit. A malicious third party, or nation state, may have inserted an APT that took control of the plane. Was this a trial run of a new form of terrorism?

Agency is far more important than Privacy. We need to focus on keeping control in the right hands.


It may turn out to be a pilot's malicious actions; either way it is an Agency problem!


"He says typing on an iPad that he doesn't have full control of!"


(As I have stated before, the word Agency is not being used here in its more recent organisational construct.)