Saving Science



“I believe one of the greatest dangers in modern society is the possible resurgence and expansion of the ideas of thought control; such ideas as Hitler had, and Stalin in his time, or in the Catholic religion in the Middle Ages...”

“I think that one of the greatest dangers is that this shall increase until it encompasses all of the world”

These prophetic words were spoken by Richard P. Feynman at the Galileo Institute in 1964. Feynman, a Nobel prize-winning physicist, was noted for his seminal work in quantum mechanics and particle physics. The dangers he described in his 1964 talk have probably never loomed larger than they do today.

Science, scientists, and evidence-based policymaking are under attack. Budget cuts, censorship of researchers, disappearing datasets, and threats to dismantle government agencies harm us all, putting our health, food, air, water, climate, and jobs at risk. It is time for people who support science to take a public stand and be counted.

People who value science have remained silent for far too long in the face of policies that ignore scientific evidence and endanger both human life and the future of our world. New policies threaten to further restrict scientists’ ability to research and communicate their findings.

The March For Science is the first step of a global movement to defend the vital role science plays in our health, safety, economies, and government. We face a possible future where people not only ignore scientific evidence, but seek to eliminate it entirely.

Staying silent is a luxury that we can no longer afford.  We must stand together and support science.


Google (Waymo) technology misappropriation claim against Uber

If you are intrigued by technology ‘whodunits’, there is an epic drama unfolding over alleged misappropriation of self-driving vehicle technology. Waymo, the self-driving vehicle unit of Google parent Alphabet, has filed a legal complaint against Uber Technologies for trade secret misappropriation. This action could have a potentially crippling impact on Uber’s future business in self-driving cars, in the form of permanent injunctive relief.

It would seem that Uber is fielding a technology solution strikingly similar to that developed by Waymo. Although I am not an expert in intellectual property law, I do have some background in technology IP ‘conflicts’. Based on that, determining whether these two technologies were in fact developed separately, and are similar only coincidentally, should be a fairly straightforward process; presumably, those details will emerge during discovery in the legal action.

The design of a complex, multi-domain system consisting of hardware, software, sensors, etc. takes considerable time, and involves hundreds of engineers from multiple disciplines. Further, there would be thousands of engineering artifacts spanning concept, design, development, and manufacture. The existence (or absence) of proof of these efforts, and of the derivative artifacts, should present compelling evidence of what was invented and by whom.

In any case, this will be a fascinating story as it unfolds.

For more details, see Daniel Compton’s blog. He presents a great assessment and timeline about the run-up to the legal filing.


Ominous Trend in Cyberattacks by Foreign Powers

There has been a dangerous escalation over the last several years in the impact of cyberattacks attributed to foreign state actors and their proxies. These actors are termed Advanced Persistent Threats (APTs): highly competent, well-funded and organized groups with the discipline to spend months or years laying the groundwork for an eventual attack.

APTs were identified over a decade ago, with traditional targets in recent history being government entities and defense subcontractors; notably the United States Office of Personnel Management (OPM) breach attributed to China. Many assumed APTs to be an ‘espionage problem’ (unless of course you were among the >20M government employees whose private information was exfiltrated in this breach), and not a direct threat to private citizens or businesses.

The SONY data breach, attributed to North Korea, was among the first APT breaches where (in addition to physical damage to computer equipment) entertainment media, corporate emails, and operating data were made available to anyone with an internet connection.

The recent ‘hack’ of the Democratic National Committee, attributed to Russian state actors, upped the ante: email data was exfiltrated and subsequently made available to the public via an intermediary, Wikileaks. Manipulation of a US presidential election was the presumed objective; an ominous raising of the stakes.

A more recent and disturbing breach is the ‘hack’ and exfiltration of alleged NSA-developed exploit tools. These ‘tools’ are essentially ‘kits’ that can be downloaded and deployed by amateurs with rudimentary computer skills. Although the most recent of them were developed in 2013, they remain very sophisticated and include zero-day exploits (essentially software vulnerabilities unknown even to the authors of the software). These exploits are being offered on the ‘dark web’; some for ‘free’ and others for a nominal investment.

The most frightening aspect is this: NSA-grade exploits were exfiltrated by a foreign power, and made available indiscriminately to criminals or others with malevolent intentions for a price. This is the internet equivalent of equipping amateur thieves with weapons-of-mass-destruction.

These are extraordinary developments that have the potential to equip more criminals with an upgraded capability to wreak havoc.


Those ‘verification codes’ (for two-factor authentication) sent to your mobile phone via text messaging are vulnerable...

There are known vulnerabilities in mobile phone networks that enable eavesdropping on voice and SMS (text) communications. What has changed: NIST has issued a DRAFT publication that now explicitly warns of this vulnerability (NIST Pub 800-63B, Sec. Out of Band Verifiers). Also, an ‘exploit kit’ is available on the ‘Dark Web’ for a few hundred dollars, enabling an attacker with minimal technical skill to ‘hack’ your mobile phone (BBC did a great piece with a layman’s description of how this works). Consequently, two-factor authentication using ‘verification codes’ sent via text should not be considered secure.


Cyber Risk – where to begin for small & mid-size firms

Visiongain estimates the 2015 worldwide spend on cybersecurity solutions at $75.4B. Gartner estimates project that spend to exceed $100B in 2018. Despite the continuing investment, there is no evidence that a precipitous drop in the number of cyber incidents, or in the economic losses per incident, will accompany that spend. There will be exceptions, specifically large corporations, notably those in financial services. Expect to see improvement there, based on the sheer size of their investments and their ability to deploy highly sophisticated cybersecurity infrastructure. Cyber risk for a financial services firm is not simply an operational risk; their existence depends upon maintaining the information security tenets of confidentiality, integrity, and accessibility, and the emerging requirements of information attributes of custody, privacy, sensitivity, and acceptable use.

The challenge is more acute for industries that are relatively new at deploying information technology in an environment where their intellectual property and value are increasingly in digital form. Unlike the financial services industry, where cybersecurity is a required core competency, it is less intuitive to newcomers to digital transformation, and especially to small and medium-size firms. Determining what constitutes an adequate information security strategy is elusive. Compounding this challenge are the following dynamics.

Cybersecurity Market Immaturity: A review of the recent RSA Conference, an annual gathering of ~ 30,000 cybersecurity professionals convened in San Francisco, shows all the signs of an early technology market. Approximately four hundred exhibitors featured products and/or services in ~ one hundred different categories of information security. Even for cybersecurity practitioners, this is a mind-numbing universe of solutions addressing a wide array of challenges. Small and medium-size enterprises without the resources of a ‘deep bench’ of information security professionals are challenged to comprehend this collection of technology. Prioritization of which assets to protect, which threats to address, and which technology to apply is overwhelming to many outside the core cybersecurity profession. This industry is also characterized by active merger and acquisition activity. Many of the exhibitors at the RSA Conference will survive only as part of an acquisition or merger, not due to deficiency in the technology, but for reasons that may have to do with an inability to fund growth of sales or marketing.

Rate of Technological Change: Compounding the complexity of an ‘early market’ in information security solutions are advances in the computing environment that can only be described as ‘revolutionary’. VMware’s CEO Pat Gelsinger demonstrated some of this capability on stage at RSA. Microarchitectures present new options for how workloads are deployed, utilizing virtualization and containers. Software-defined network architectures carry security risks, but also offer opportunities to further secure information assets. The concept of embedding software-based security within application workloads that can be dynamically established and torn down challenges the very notion of an identifiable perimeter that must be defended. Traditional hardware-based network security will be further challenged. Consider inline intrusion protection analysis, which will become less practical with the migration from 10GbE to 100GbE networks: there is an order-of-magnitude reduction in the time window between frames, leaving little time to conduct packet analysis. Here is an example where one technology undermines the utility of another. Also consider the proliferation in the sheer number of endpoints, through which new exposures and threats will evolve. In an ‘IoT’ future, many of these endpoints will possess media-rich content streaming capability (audio, video), and in the case of industrial applications will require real-time and high-integrity services; all areas where vulnerabilities and exposures may occur.

Organizational Factors: The gap between demand and supply of cybersecurity professionals is well known, as discussed in this recent Forbes article. My belief is that organizational role definitions exacerbate this shortage by treating information security as a ‘bolt-on’ responsibility to traditional IT functions (e.g. network administration, etc.). There may be validity to this in some cases, but this dynamic causes a severe shortage of viable candidates. From an organizational structure standpoint (particularly in smaller enterprises that perceive scale economies), cybersecurity operations are traditionally part of the information technology organization. This creates the problem of ‘role scope’ previously mentioned, but also creates an environment where budget / investment decisions for information security are arbitrated against IT infrastructure spend. This is sub-optimum risk management. IT organizations are thrust into the realm of risk management, making investment decisions with which they may be wholly unfamiliar. Indeed there are similarities between the two functions (e.g., Business Continuity and Disaster Recovery), but risk and compliance exposures override that combination. The financial, reputational, and regulatory risks from exposure of Personally Identifiable Information (PII), personal health records (governed by HIPAA), or payment information can cripple an enterprise.

Conclusion: There are no silver bullets, but there are steps responsible executives can take to find order in this complexity and implement a baseline of effective cybersecurity policies. The fundamental objectives should be an understanding of cyber risk exposure, specific to your enterprise, and managing that risk accordingly. Some good news: the most commonly used cyber threat vectors are well understood, and many of them can be mitigated through controls that are relatively straightforward. There are frameworks and other tools that illustrate the elements of a cybersecurity program, such as the NIST Cyber framework. Also useful is the overview of controls from the Center For Internet Security. These tools and frameworks, implemented by knowledgeable cybersecurity professionals, can form the basis of a comprehensive information security management program.

Competitive disadvantage due to the scale of companies and/or new participants in the digital economy cannot be erased. However, clearly identifying the risks specific to your environment, and managing them accordingly, is an effective risk management strategy.

Don Guiou


Economic Implications of CISA and Sovereign Data Privacy

The European Union Data Protection Directive protects how personal information of EU citizens is collected, used, and retained. It prohibits the transfer of personal information to countries outside the EU that do not have similar standards and policies in place.

A ‘Safe Harbor’ agreement was negotiated between the US Department of Commerce and the EU to make it easier for US companies to comply with the Directive.

In October of this year, in an action brought before the European Court of Justice, Maximillian Schrems v Data Protection Commissioner (amid general angst in the EU over NSA ‘wire-tapping’), that Safe Harbor was ‘struck down’.

This was a bombshell for information technology firms that promote ‘data without borders’; i.e., the ability to store, and seamlessly access corporate data that includes personal information across the enterprise, wherever it may be.

Amazon Web Services and Microsoft Azure lost no time in announcing plans for new data centers in the EU to address this. Fortune Magazine reports that Microsoft went so far as to vest custodianship of its encryption keys with its partner Deutsche Telekom. It has opened opportunities for smaller, more nimble service providers that can ‘stand up’ infrastructure ‘in country’; IntraLinks and Syncplicity are two such companies that deliver technology addressing compliance issues related to sovereign personal information.

The strike-down of the EU Data Protection Safe Harbor reflects the growing distrust of US-based data custodians. It is not unreasonable to speculate on the economic consequences of misinformed actions of legislators in the name of national security, as you can read here: Ferocious Opposition Not Enough To Stop CISA.

In a letter appeal to President Obama on July 27, 2015, forty organizations and thirty individuals articulate how CISA will actually make us less safe; Read Here.


The Unintended Consequences of Encryption ‘Backdoors’

For those vested in the integrity of web commerce, there is a must-read blog post by Matthew Green, a cryptographer and professor at Johns Hopkins University:

If you are too busy, at least read my summary.

Juniper Networks recently posted a security advisory enumerating two separate CVEs (Common Vulnerabilities and Exposures): CVE-2015-7755 and CVE-2015-7756 in the DHS National Vulnerability Database, a repository of known software flaws that compromise FIPS (Federal Information Processing Standard) regulations.

These CVEs describe software flaws in the firmware of Juniper Networks Secure Services Gateway (SSG) models SSG 50 & SSG 5xx. These devices provide ‘firewall’ and VPN gateway services. CVEs score the vulnerability attributes and criticality; CVE-2015-7755 is an ‘authentication’ flaw, with a score of 10.0 (CRITICAL).

These two CVEs in combination provide a ‘back-door’ into the firmware implementing a widely used encryption algorithm for Elliptic Curve Cryptography, but more ominously involve a ‘backdoor-on-the-backdoor’ which, when exploited, allows adversaries to read all communications (thought to be encrypted) in plaintext.

This illustrates how requests by ‘three-letter’ federal agencies (to provide encryption keys and/or add backdoors), if implemented, can introduce yet more dangerous vulnerabilities.


Carefully Consider an Apple Music Subscription before signing up

Apple’s development of the iTunes & iPod was brilliantly conceived and executed. It remains a classic example of exploiting technology to effect discontinuities in a consumer market that had remained unchanged for decades.

It has been a precipitous fall from that position to the current state of offerings called Apple Music.

I have been a user of iTunes Match since its launch. It has been unusable for the past twelve months (on a MacBook running OSX). When invoking iTunes, the ‘spinning wheel’ appeared. When it stopped (minutes) any cursor motion would ‘restart’ the spinning wheel. When I opened ‘Force Quit’, iTunes status was ‘not responding’.

After several calls to Apple Care over 12 months, they were unable to offer a solution. The diagnostics went from “did I close and restart iTunes” to reinstalling the OS (oh, did you know that installing Music requires re-installation of OSX?). Finally, on a recent call, I was told to ‘turn off iTunes Match’; that worked.

So the solution that Apple provided was to stop using it...

How about Music on the iPhone? I updated to iOS 9 this weekend, although it is usually not a good idea to install the ‘x.0’ release. However, 11 iOS 8 releases in the past 12 months (presumably to foist Apple Music on me) degraded the functionality of my iPhone 6 to a point where I could not receive email; I had hoped iOS 9 would restore the eroded functionality. Today, my phone is essentially a ‘brick’; I can make phone calls and send texts, period. I DID have access to my Music on the iPhone, but I received an error message today indicating that my access to MY music had expired.

My experience (with an iTunes Match library of ~ 8,000 titles; some purchased, some uploaded) and the ‘new’ Music, on both my MacBook and iPhone, offer little confidence that Apple cares about or can maintain quality.

I have begun using a Samsung Android tablet with Amazon Music Player, where I can actually access my music.


Steps toward machine intelligence

Futurists paint a view of an integrated man / machine ‘hybrid’, achieved by instantiating elements of human cognition in computational devices. This essay outlines several important technologies, in development and / or early product launch, that form the foundation of this future.

Recent developments in new computer architectures exhibit ‘bio-mimicry’ of the function & structure of the brain. In general these new architectures are configurable, optimizing around the nature of the computational problem to be solved. Formerly, solution strategies were constrained by the general constructs of Von Neumann architectures that have dominated computer architecture for fifty years. Rather than explicit instructions to move x to location y and perform operation z, computations are processed in a more natural flow, whose function is analogous to that of synapses in the brain.

IBM has achieved important milestones with neurosynaptic chipsets, which are a step toward human cognition. The major challenge for these architectures is the absence of mature compilers, operating systems, and other development tools that can bring to bear the awesome potential of the hardware architecture. Additionally, in an industry where economies of scale are critical, reaching volume production determines profitability.

HP, with The Machine, has introduced ‘special purpose’ processor cores, architecturally tuned toward solving problems using ‘big data’. Other examples in The Machine include memristor memory technology. Not unlike persistent memory in a human brain, memristors can preserve their state (1’s or 0’s) when power is removed. Another significant memristor benefit is to ease the challenges associated with ‘queuing’ data from disks to high-speed memory; a highly complex process that anticipates what data will be needed when, and moves that data from disk. This optimization yields significant performance benefit. Further advances involve optical interconnects, which offer high-speed data transfer without the increased heat and signal noise that accompany smaller, faster metal interconnects.

Beyond computational architecture, data schemas are also evolving to accommodate a wide breadth of data types. There are multiple commercial and open-source ‘database management’ applications optimized for ‘unstructured’ data, as might exist for customer analytics of ‘big data’. Hadoop is a popular open-source application, with commercial products from IBM, Marklogic, and others. Further out on the horizon, from a commercialization perspective, are more radical approaches to computation.

Although not applicable to all computational problems, quantum computing (defined by Cheuk Chi Lo & John J.L. Morton in an August 2014 article in IEEE Spectrum as “a system that can store and process information according to the laws of quantum mechanics”) holds great promise in selected applications, such as molecular engineering and cryptography.

D-Wave Systems of Burnaby, British Columbia, is offering a ‘quantum computer’ implemented in exotic materials operating as superconductors, which require near-absolute-zero temperatures. The referenced article discusses technical developments that would implement quantum computers in silicon-based circuits operating at room temperature; a significant advance in this field.

The black magic, from the author’s point of view, is the advent of machine learning, as demonstrated by IBM’s Watson, of Jeopardy fame. Early commercial offerings of artificial intelligence were named expert systems. These involved attempts to catalog a specific body of knowledge in its entirety (e.g., every possible chess move and its counter-move(s)); an exceedingly difficult task to undertake for non-deterministic problems. The set of problems to which this approach applies is limited to those with identifiable and discrete options.

The machine learning approach involves the ‘computer’ learning from its responses, whether correct or incorrect, as indicators for answering future questions. The initial use model of these capabilities (referred to as ‘cognitive computing’ by IBM) is collaboration-based (e.g., medical and financial professionals who use these tools to augment their professional activity), as opposed to stand-alone ‘decision machines’.

Continued collaboration between developers and domain experts (e.g., physicians) promises workable machine-assisted decision-making. The primary goal of ‘big data’, ultimately, is the quality of decision-support analytics; a step on the path to machine intelligence, the ultimate goal, and one achievable through the discipline of incremental improvement rather than revolutionary discovery.


Defending against trade secret theft

An excerpt from the Administration Strategy on Mitigating the Theft of U.S. Trade Secrets (Executive Office of the President of the United States, February 2013) states: “foreign competitors of U.S. corporations, some with ties to foreign governments, have increased their efforts to steal trade secret information through the recruitment of current or former employees”. This is undoubtedly an issue of importance impacting the competitiveness of American technology in the marketplace.

However, as is the case with many complex issues there exists significant gray area, and well-intended legislation could cause more damage than the actual problem it is intended to resolve.

There is a section in the report titled Promote Voluntary Best Practices by Private Industry to Protect Trade Secrets. I call this out as there should be no doubt about the technology industry’s motivation to protect ‘trade secrets’, which I will refer to herein as Intellectual Property (IP).

In my professional career in the ‘high technology’ industry spanning 30 years, and my involvement in IP licensing (and litigation), I have strong opinions concerning the substantive facts of this issue. I have learned how intellectual property is a crucial strategic element in countless technology firms; the best of whom shrewdly exploit their IP portfolios to gain competitive advantage.

My comments are not intended to create a sense of overconfidence, but the situation may not be as abysmal as it appears. There are several reasons I hold these opinions, as follows:

  1. Production & manufacturing: this may not be true of all IP, but in sophisticated consumer / industrial ‘technology products’, even intimate knowledge of a design (e.g., functional specifications, schematics, prototype hardware) is no guarantee that one can actually produce it. Semiconductor-based product designs in particular are notoriously difficult to replicate; even by the owners of the IP who are tasked with scaling production. The manufacturing parameters and tolerances are mind-numbingly complex. This is magnified by the multi-discipline / multi-physics aspects of modern electronic devices, which include embedded software, hardware, and increasingly MEMS (micro-electro-mechanical systems); all of which must inter-operate perfectly. In point of fact, the verification of these designs is often more time-consuming, and intellectually challenging, than the functional design itself.
  2. Innovation Competency: there is ample historical precedent for ‘fast-followers’ who can ‘pick-off’ certain products, and offer variants that have alternative performance or cost benefits, but I do not believe that leads to sustainable success. Anyone who has worked on project-based product development knows the very culture is focused on faster, better, cheaper. It resembles an athletic contest, and is extraordinarily difficult to sustain. The very DNA of an organization must reflect this. I submit that an entity based on being a fast follower that relies on IP theft, can never develop, never mind sustain, the culture needed to succeed on the bleeding edge of technology.
  3. You know the IP thief’s product roadmap: a substantial amount of product development (PD) is based on ‘platforms’, where derivative products often represent the true competitive advantage in both margin and time-to-market. I once asked the CEO of a very successful technology firm why he was so forthcoming about details of his company strategy; I received a pearl of wisdom in response: “our competitive advantage does not involve the details of our strategy; rather, it comes from our ability to execute our strategy.”
  4. The importance of ecosystem: increasingly, APIs and partnerships are differentiators in a product’s success. There is unique value in these that may not be possible to replicate. This also applies to ‘evolutionary’ products, where forward compatibility of versions is a key customer requirement.

An opportunity that colleagues and I are contemplating is the role of subterfuge as a weapon to defend against IP theft. What if (and this is a big what-if) the IP embodied in an electronic system, for example, included logic that could render it inoperable, or produce inaccurate results (in the case of a computational device)? And what if that ‘function’ could be triggered at a date in the future; sort of like a Trojan horse, but wearing a white hat.

There is much to be done to protect American firms’ trade secrets from foreign competitors and their state sponsors. The ‘problem’, however, has an element of opportunity, which requires more thought, and judicious governmental involvement.
