Act more aggressively than normal? We are Israeli based after all! LOL

Speaking of which…when I went to Jaffa during my last trip, I tried several times to walk into some basic “deli” type places that looked like they had amazing food. At each one it sounded like the guy was yelling at me in Hebrew but I couldn’t understand the menu… they “yelled at me” and motioned for me to get out of the way so the next person could order. I was intimidated and eventually walked out of each one until I got back to the hotel…  It was quite funny!

I know what he was talking about…

I disagree.

I can’t argue that Twitter is gaining popularity but I argue that it is used by “normal people”. See, I recently joined the crowds and started to twit. Thus far, it distracted my blog(s) and some other activities…   Yes. it is becoming addicting.

Now at the holiday season I find it to be an anti social tool. According to my family’s tradition we reach out to our friends and families, wish happy holiday, visit and reconnect. Twitter is the antimatter of real life social networking: One sends (very short) messages, typically not waiting for an answer and expects in return to maintain the relationship.  In the past we had to (at least try to) work hard in order to maintain a meaningful relationship. Calling, sending emails, visiting.

As much as I enjoy it, I see it more as a research tool or a communication protocol, similar to SMS but more efficient. 

Drop me a line. I’m listening (on Twitter…) 

Do these lies work? In most cases, no. Most companies disqualified candidates after discovering their dishonest. Thirty-six percent still considered the candidate, but ultimately passed on hiring them. Six percent of hiring managers overlooked the “flawed resume” and hired the applicant anyway.

My inbox today carried a fresh bit of news from CIO magazine. An opinion column by Eric Lundquist, labelled “We need a national CIO, not a CTO” stipulated that CIO are a better match for US national role than a CTO. To paraphrase Lundquist’s message, CIO’s are firmly planted in the business realities of the day, while CTO focus on technologies “looking for uses”. Reminds me of the old adage of “legs firmly planted” vs. “head in the clouds”.

I firmly disagree.

Now I understand that I read CIO magazine and that is why I received this message. I also assume that by the nature of politics, all kinds of special interest groups raise their heads, so I would expect a similarly opinioned “Shepard’s Weekly” would have discussed a similar topic ”We need a national shepard, not a CTO” and that the international association of circus performers would like to propose “We need a national court jester, not a CTO”.

Joking aside, Mr. Lundquist put forth some good arguments. He stipulated that CIO can better manage a project. That CIOs hold the business first and technology second. To quote “Technologists are great at creating new companies, new products and new markets. They are not great at orchestrating lots of conflicting opinions, managing projects or – especially in the political realm – settling on the best possible choice given budget constraints and political realities.”. Mr. Lundquist is correct, but altogether misses the point.

YAPM (Yet another project manager) is NOT what the US needs. In a former life I frequented Crystal City often. There were many project managers there. 25% of them were very good. 50% were mediocre. 25% were awful. But there were lots of them. They crammed public transportation, caused the beltway to jam, and filled the cafeteria’s at lunch. You could not throw a rock without hitting a project manager for some obscure government entity.

The US needs a future. To be driven, its future needs to be based on a seemingly unachievable target. We had been driven like that many times in the past. The US developed the trasistor and the chip (which 40 years later made our lives mobile). The external combustion engine for the torpedo (which crammed power into tiny spaces). Composite materials for space exploration (and which later improved our golf and tennis games). It was a government sponsored program (DARPA) that created the Internet. Not Google, nor Microsoft, nor Facebook. Nor was it rear view mirror preening dudes on Sand Hill road on their way to their ranches outside Bozeman in a well appointed G5. No. It was the government. And for all the wrong reasons. A lot of it was due to the US government chasing the Soviet’s dream of ruling space. How I miss the Soviet’s for that reason (if only for that reason!).

While both the technology industry and the venture capital industry oppose “leapfrog” technologies (they can ”eat your cheese” and thus risky for business and are difficult to predict and thus risky for VCs, respectively), the US government should indeed drive technology forward. But not on a predictable, linear trajectory, as Sand Hill road does with social networking and other “me too” technologies, but in a hockey stick fashion. Sending a man to mars. Cloning sheep. Really analyzing our climate. Teleportation. Whatever.

For that you need a visionary CTO with a set of brass balls. Not a Cisco kowtowing CIO. And to address Mr. Lundquist’s example of the revolving doors for the national cybersecurity czar: Nor does the standard Symantec or McAfee worshipping CISO make a good cybersecurity czar.

And to conclude, Eric Lundquist is, however correct (even if for the wrong reason) in identifying the fallacy in the current dredge of proposed CEOs. None of the proposed CEO’s is a visionary. Sure, they navigated their ships admirably through the murky tempramental waters of the American economy, but none have really shown a vision for disruptive innovation. They have been keen followers, seeking the market scouts and then bearing down upon their cheese with their mighty heft. Cheese snatching should never be confused with vision and innovation. For that you need the likes of J. Craig Venter or even some “down to earth” science fiction writers. People who’d invest even if the future is still murky and the benefits, for now, unclear.

/al

PS – The opinions expressed are my own. Not my employer’s, Barack Obama’s, nor Cisco’s. As an entrepeneur and business man, I like my customers to stick with me. I dislike churn, except my competitor’s churn. I therefore dislike the term disruptive.

But I also know that healthcare for generations X Y and Z, as well as fuel costs, etc. are liable to eat up a vast chunk of our GDP, and the only way to prevent that is to increase our GDP. To increase GDP we need disruptive technologies, techniques and methodologies. I also know that the linear thinking preferred by the bankers that manage industry in general favors baby steps within established markets and does not foster disruptive technology.

Hence the opinion piece.

image by betta design on flickr.com

A couple of days ago I called the India consulate in Sydney, Australia. Turns out they have a new process to get a five year business visa issued:

1. Complete all the documentation necessary. This means download and print forms, complete them by hand, etc.
2. Scan all the documents and your passport
3. Email them to the consulate for approval

At this stage I stopped the representative on the phone and asked her – did you just say you want me to EMAIL you a copy of my passport? She replied with the affirmative. Could I come in person or send it by courier? No. Only email.

I congratulate the India consulate for embracing technology and using email for daily operations, allowing me to communicate electronically with the consulate. On the other hand, I think that their procedures need to be revised in as far as sending private information unprotected over the Internet is concerned.

I opted to apply for a one year visa instead, at a greater cost (the one year visa costs about half of what the 5 year does and I will have to get another one) but without going through with this procedure. I wonder how many people don’t think twice before complying. Actually, having seen people sending credit card numbers (complete with names, billing addresses and CVV) over email, I know that most people will comply with these instructions.

Two hikers walk in the wood and encounter a bear. One hiker immediately pulls a pair of running shoes and puts them on. His friend looks at him in terror and amazement and yells at him – “You can’t outrun a bear!” to which he replies – “I don’t need to be faster than the bear; I only need to be faster than you”.

I would like to use this opportunity to thank those people. Thank you! You make my life easier. By being the low-hanging fruit for identity thieves, identity fodder if you will, you allow me relative safety from identity theft by following a few very rudimentary safety precautions; See, I don’t need to be perfectly protected from identity theft, I only need to my identity to be harder to steal than your identity.

Shana Tova

by CarbonNYC at flickr.com

The term ‘identity’ means multiple things in multiple contexts. My intention here is to refer specifically to the term identity as the collection of all information objects that identifies a person. Specifically, identify the person to someone or something outside of the person. Authentication of a person, if you will.

If authentication is the domain at which this identity is relevant, we can use the classic authentication domains to break down these information objects: Something you have, Something you know, Something you are. Let’s look closer at each of these:

Something you know

Something you know is a crucial piece of information that you have which can be used by an authenticator to identify you. A password comes to mind – the authenticator (say, a computer program) verifies that you have the right password to grant you some kind of access, or a person verifies you have the right password to open the door to the secret society club. The password has to be short enough that you can memorize it, lest it is written down to become “something you have” – see post-it with password on screen. It is not necessarily something random that you memorize – it can be something you have previously memorized, such as your mother’s maiden name or the name of your pet.

If you’re smart about it, and can do a little math in your head, it can be a simple algorithm that will be part of a challenge-response system… unfortunately for practical reasons these are rather limited, but have their use. I’ve personally seen a system where you have to take the hour part of the time and perform simple math on it before you key it in.

The obvious weakness with this method is also its strength – something you know cannot be lost or taken from you because it is in your memory, but this memory is sometimes fickle and limited in the scope of what you can remember. Good luck with your 1024 bit RSA private key.

Attempts to take something you know by force (the gun-to-your-head scenario) can be partially mitigated by the use of a secondary set of credentials which behaves exactly like the primary ones but triggers the silent alarm or leads the attacker to a honeypot. Fishing is one sort of attack on these credentials, a rather serious one.

Something you have

Something you have is some piece of real world object that is used to authenticate you to some authenticator. A key is an example. It authenticates a person to the lock. Once inserted into the lock, the information in the key is transmitted to the lock by various methods – a mechanical method which is still commonly in use with mechanical locks or secure communication with smart card chips – the principle is the same. Another such object is a seal ring – it identifies the owners to people who read their mail. The information in the ring is its unique intricate design.

In all those cases, the object itself is not the part that participates in the authentication – it is the information embedded within that is the crucial part. In fact, the information in a physical mechanical key can be conveyed as a string of numbers indicating the dips and peaks in the key structure. These numbers can be used by a skilled locksmith to recreate the key. This is a clone attack on the authenticator if done maliciously. If the information on the key can be memorized by a person, and is sufficient to identify the person to the lock as a valid opener of the lock – it has become “something you know”.

Something you are

Here we delve into the world of biometrics – the information object used to identify you is a part of you that naturally holds information. A fingerprint, a DNA sample, your picture and your voice are such parts. In theory this is the ultimate method of identifying a person, provided that the information in that part of you is sufficient to do so uniquely.

In practice such identification fails because of details in the practical implementation of the technology (for example, a fingerprint reader that can be fooled by gelatin or a voice identification system that can be fooled by a recording) or non-technological means (like makeup to look like the picture in someone else’s passport and fool the immigration official). Most of today’s real world systems that use biometrics count on other methods of identifying the person.

In the real world

Identity in the real world is ubiquitously checked by photo IDs. A photo ID, based on the classification above, is “something you have” (the ID itself) + “something you are” (the photo). The weaknesses of those identity checks fall into two categories:

1. Forging what you have – forging the ID to have your picture but fake information. Some IDs are better at implementing tamper-resistant security methods to prevent that such as holograms, RFID chips etc.

2. Forging what you are – as silly as it sounds, it is actually one of the greater weaknesses, because the image comparison between the bearer of the ID and the picture on the ID is done by a fallible human being, who may or may not pay attention. Your picture may or may not be recent. People can be made to look like other people by some application of makeup etc. Embedding another form of biometric data in the ID that is machine verifiable is one way to mitigate this problem, even though it is far from perfect (there are ways to fool those machines).

Authenticating to a computer is a different matter. Because of the specific limitations of the interface, usually the only authentication method is “something you know” – a password.

Passwords suffer from the main weakness of “something you know” listed above, which is the limits of our ability to memorize. Another weakness is that the authentication token is created by the user if it is to be memorized (random strings are harder to memorize) and hence limited even more by the creativity of the user. Attempts to curb this limit by enforcing strict password rules tend to produce the opposite result – writing the password down, which is a very weak form of “something you have”, especially when taped on the monitor.

A few institutions started giving customers and employees hardware tokens of various sorts, which add a formidable “something you have” to the password authentication. Even combined though, these methods still lack the “something you are” which is the only way to tie the identity to an actual person.

The future

There is no perfect authentication method, just stronger and weaker methods. I predict that applications that need stronger authentication will eventually use all three domains. One such possible solution is a token generation device (“something you have”) that only generates a token when provided the right password (“something you know”) and the right fingerprint (“something you are”).