- About the risks that abound, in the world of technology when everything is connected and snooped upon, one way or another. Are you safe?

Tuesday, August 18, 2015

5 Types of Technology Salesmen

This post is a little light hearted, but I hope it helps you too.

I have met many technology salesmen in my time, and can group their techniques into five categories, namely:

1. Selling by Sex
These are the good lookers who would try to seduce you with sex, or at least let you think that you are going to 'get it'. Sex sells and this works for many people, both men and women.

2. Selling by Bossing Around
These are the motherly/fatherly types, who curiously close sales by bossing their clients around. It works for clients who are short of confidence or of paternal/maternal love.

3. Selling by Fighting for the Customer
These ones are fiercely loyal to their customer. They will fight for the customer's rights until they win, even if it means that they lose their job. Consequently, they have a loyal following, and customers follow them when they change jobs.

4. Selling by Fear (and Dropping Names)
These are the ones who put on a strong show of Dutch courage, threatening the client that the project will fail unless he buys their product. They further strengthen the claim by dropping some of their (purported) big-name clients. It works for buyers who need big names to cover their ass.

5. Selling by Technical Know-how
Of the five, these ones are the most honest. They know their technology inside out and so hide behind their strengths, going into monumental detail about the product, unaware that the buyer may be looking for something else. This works for clients who already know what they want and are delighted to hear it direct from the seller's mouth.

You may have met other types of salesmen. Tell us about them. :)

Tuesday, July 14, 2015

Data Analytics and How We Think.

I found this interesting syndicated article, "Algorithms may echo human bias, study finds", in Today, 14-July-2015, page 36.

Basically it says that, ultimately, algorithms are created by humans, complete with human influences and biases. In other words, data analytics algorithms are merely human attempts to model a scenario mathematically with the help of very large amounts of data.

For instance, by applying graph theory to a social network platform, we can assign weightings to the links to friends who share common interests with us, and find out who our closest friends are, who our best friends are, or even who our spouse is. In plain language, we are looking for 'birds of a feather that flock together'.

There is also an algorithm that detects expense claim fraud by analysing the first digit of each expense claim item. If only a few digit values are used, and very repeatedly so, the claimant is flagged for further investigation. This is probably based on the tendency of human beings not to think of broad ranges of numbers when cheating.
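The first-digit test described above is a form of Benford's-law analysis: in genuine ledgers the leading digit 1 turns up about 30% of the time and 9 under 5%, whereas invented figures tend to cluster on a few digits. The Python below is an added example, not code from the article or the post: it applies both the post's heuristic (only a few leading digits, used repeatedly) and a chi-square deviation from Benford's expected distribution to two constructed claim lists.

```python
import math
from collections import Counter

# Constructed expense claim amounts for two hypothetical claimants (not real data).
# claimant_a spreads across many leading digits; claimant_b reuses one leading digit.
CLAIMS = {
    "claimant_a": [12.40, 87.00, 134.50, 5.20, 249.00, 33.10, 18.75, 61.00, 102.30, 9.90,
                   27.45, 75.00, 153.20, 14.60, 42.00, 88.80, 10.50, 37.20, 66.00, 120.00],
    "claimant_b": [49.00, 48.50, 47.90, 49.50, 46.00, 48.00, 49.90, 47.00, 45.50, 48.80,
                   49.20, 46.70, 47.30, 49.00, 48.20, 45.90, 49.60, 47.80, 46.40, 48.90],
}

# Benford's law: expected share of each leading digit in naturally occurring amounts.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom, p = 0.05.
CHI_SQUARE_CRITICAL = 15.507


def first_digit(amount):
    """Leading non-zero digit of an amount; 0 means the amount had none (e.g. 0.00)."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else 0


def digit_counts(amounts):
    """Count leading digits 1-9 across a list of claim amounts."""
    counts = Counter(first_digit(a) for a in amounts)
    counts.pop(0, None)  # drop zero-valued items, which have no leading digit
    return counts


def chi_square(counts):
    """Chi-square distance between observed leading-digit counts and Benford's expectation."""
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return sum((counts.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())


def assess_claimant(amounts, max_distinct=3):
    """Flag a claimant on either rule: the post's heuristic (only a few leading digits
    used, very repeatedly) or a significant deviation from Benford's distribution.
    Note: the chi-square approximation is rough for fewer than about 50 items."""
    counts = digit_counts(amounts)
    chi = chi_square(counts)
    return {
        "items": sum(counts.values()),
        "distinct_digits": len(counts),
        "chi_square": round(chi, 2),
        "flagged": len(counts) <= max_distinct or chi > CHI_SQUARE_CRITICAL,
    }


if __name__ == "__main__":
    for name, amounts in CLAIMS.items():
        print(name, assess_claimant(amounts))
```

A flag is a prompt for further investigation, as the post says, not a finding: honest claimants with a single recurring cost (a fixed daily allowance, say) will also cluster on one digit.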

I trust that algorithms for data analytics have a symbiotic relationship with human psychology. So it pays to observe patterns of human thinking through the data they manifest. Maybe some old proverbs can offer inspiration.

Algorithms may echo human bias, study finds 

NEW YORK — There is a widespread belief that software and algorithms that rely on data are objective. But software is not free of human influence. Algorithms are written and maintained by people, and machine-learning algorithms adjust what they do based on people’s behaviour. As a result, algorithms can reinforce human prejudices, researchers say.

A new study by Carnegie Mellon University researchers revealed that Google’s online advertising system showed an ad for high-income jobs to men much more often than women. Research from the University of Washington also found that a Google Images search for “CEO” produced 11 per cent women, even though 27 per cent of chief executives in the United States are women. 

Algorithms, which are instructions written by programmers, are often described as a black box; it is hard to know why websites produce certain results. Often, algorithms and online results reflect people’s attitudes and behaviour. The autocomplete feature on Google is an example — a recent search for “Are transgender” suggested, “Are transgenders going to hell”. 

“Even if they are not designed with the intent of discriminating against those groups, if they reproduce social preferences even in a completely rational way, they also reproduce those forms of discrimination,” said Mr David Oppenheimer, who teaches discrimination law at the University of California, Berkeley. 

The Carnegie Mellon researchers built a tool to simulate Google users who started with no search history, and then visited employment websites. Later, on a third-party news site, Google showed an ad for a career-coaching service advertising “US$200k+” executive positions 1,852 times to men and 318 times to women. The reason for the difference is unclear. It could have been that the advertiser requested that the ads be targeted towards men, or that the algorithm determined that men were more likely to click on the ads. 

Google declined to say how the ad showed up, but said: “Advertisers can choose to target the audience they want to reach, and we have policies that guide the type of interest-based ads that are allowed.” The New York Times

Monday, June 15, 2015

Information Security Across New Frontiers

New technology and business motivations
Consumer devices are getting smaller, faster and cheaper. With that, they have become mobile and convenient for executing online purchases, payments, administration and a host of other chores swiftly, many of which were not possible just a few years ago. Such consumer conveniences also generate massive amounts of data: not just transaction data, but also other personal data, like location, user behaviour and user relationships with other entities. This information is valuable to businesses for profiling and targeting potential customers and cross-selling products.

What is Valuable?
Data means different things to different people. One man's information is another man's bland data. For instance, company staff directories are treasure troves to executive headhunters, but merely data to the layperson. In other words, data is 'King', but data in context is information, a 'bigger King'. Further, in the online world of rapidly flashing ether, data in context with immaculate timing is 'King of Kings'. For example, time-sensitive market data exploited for high-frequency trading in the financial markets is a 'King of Kings': traders make millions of dollars literally within seconds. Here, we are referring to immaculately precise and timely operations happening on the order of nanoseconds.

Who are the CyberThieves?
And there are those who lurk on the dark side of Cyberspace, waiting to deceive, steal and disrupt. While the bulk of hackers are 'script kiddies', the ones we should be worried about are the determined, clever and focused, who vie for monetary, non-monetary, business, political or social objectives. It is also worth noting that the bulk of security breaches still come from within organisations. Inside, it is easier to hack: being in the system, it is easier to know the loopholes and how to clean one's tracks once the intrusion is complete. A survey of 100 banks across 30 countries by Kaspersky estimated that internal hackers may have stolen up to $1 billion in the year 2013.

Future devices now
New consumer devices easily available in the retail market are getting smaller and harder to detect. Wearable computers are gradually creeping into our daily life, in the form of spectacles (e.g. Google Glass), wrist watches or wrist bands (e.g. Apple Watch), spy pens and so on. It will not be practical to restrict employees and workers from using such wearable computers.

New control doctrines
As such, information security controls will no longer be perimeter defences, but checks and controls pervasive throughout the system. No entity is completely trusted. There will be numerous cross-verifications among users, processes, servers and technologies. Cloud-based intelligence sharing and collaboration will be paramount to keeping the system secure.

And so we must implement: more adaptable supervisor-and-executor dual controls for transactions; persistent checks against user account takeovers; centralised logging capable of reconstructing transactions; and leverage on Cloud-based Cyber-intelligence services.

Eventually, you will notice that for every business function, say a "Make Payment" request, the application system will invoke six or seven security processes of identification, authentication, verification, logging and so on. So be prepared for added computing power, or suffer a deterioration in application response time.

New Controls
In moving across new electronic frontiers, merely implementing the conventional firewalls, intrusion detection systems, malware detection systems, encryption and identity and access management is no longer sufficient.

Increasingly, new controls will be based on different root technologies, as it is difficult to arrest an intrusion with the same technology the intrusion rides on. For instance, it is difficult to use web technology to detect a Man-In-The-Browser attack. Such attacks are so elusive that they can happen right under the user's nose, without the realisation that his transaction is compromised. The user would be under the impression that he is safe, having observed all the secure procedures, like entering his id, his password and even a one-time code generated by a secure physical token, but oblivious that he has been attacked.

To detect such attacks, other technologies, such as cognitive biometrics and trend analysers among others, have to be deployed.

Cognitive biometrics recognises the usual pattern in which a user touches and moves his devices, and differentiates the genuine user from a Cyberbot or a human intruder. Trend analysers detect usage anomalies, like sharp jumps in the frequency of usage or in the sums of money being transacted.

Extending beyond Security
Trend analyses require broader data collection and mining, leading to what is called 'Big Data' processing. And with the ubiquitous use of the Internet and the growing ambitions of businesses, Big Data gets bigger every day.

Back in the early 1990s, when I was in oil and gas exploration, we thought the seismic trace interpretation data we were processing were massive. These were data of induced and echoed sound captured from vast oil exploration sites stretching thousands of square kilometres in surface area and kilometres deep into the subterranean. Think of it as a gigantic 3-dimensional volume of sound amplitudes at one-hundred-metre grid intervals. Upon collection of the data, we cleaned up the noise, modelled an algorithm and mined them for useful information with the goal of discovering oil and gas deposits, much the same as in modern-day generic Big Data operations. However, while those petabytes of data were notoriously large to handle with the technology of those days, they are no longer considered big by today's standards.

Besides the intimidating size of the data, diversity, data properties and data locations are some of the other challenges. Data can come from varied sources, in structured and unstructured, formal and informal formats. In my opinion, using data just from the organisation's daily transactions gravitates towards 'Business Intelligence'. It is not just a matter of definition; there are semantic differences in scope. In Big Data operations, data comes from many sources, and sometimes we may not even know what the real question is when we stumble upon unexpected and interesting patterns. When that happens, basic assumptions are challenged and re-established. We will then have to go back to basics to clarify our objectives before moving forward.

The reach of Big Data is powerful. It can be used not only to detect fraud, but also (in the case of banking) to verify that clients are clean enough to bring on board while complying with central bank anti-money laundering (AML) regulations.

Before proceeding to implement, make the aforesaid benefits clear to your stakeholders. Start your security controls small, within less ambitious goals, but make it known to your sponsors and stakeholders that these technologies can be extended to offer a lot more in the future.

Now, go down to basics and define the Proofs of Concept (POCs) of the technologies that can solve your problems. The challenge here is to define what constitutes a successful POC. For instance, if we are testing a cognitive biometric system to weed out fake users, is the product that comes up with a lot of suspected users a better one than the one that comes up with fewer suspects? How do we know which one has more or fewer False Positives and False Negatives? It is all well and good if we are testing them on simulated data, but how would simulated data be of any real help? Ultimately, the proof is in the pudding, that is, with real-time transactions, and for that the results may be difficult to ascertain.

Then, we will have to delve into the fundamental science the product is based on. If the vendor's description of what their product is based on is fuzzy and ill-defined (granted that they have to keep their trade secrets), then chances are that they are not to be trusted.

Ultimately, quantitative and qualitative success indicators for each POC are essential, and must be defined before each technology is tested.
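To make the two points above concrete, here is an added example (not code from the article or any vendor): a minimal trend analyser of the kind described earlier, flagging a user-day whose transaction amounts or daily frequency jump sharply from that user's own baseline, followed by the POC scorecard the False Positive/False Negative question calls for, running the same detector at a strict and a noisier tuning over constructed, labelled histories. All users, amounts, thresholds and labels are constructed for illustration.

```python
import statistics
from collections import Counter

BASELINE_DAYS = 14  # days of history used to learn each user's normal behaviour

# Constructed transaction histories, (day, amount) per user (not real data).
# Days 1-14 are baseline; later days are the period under test.
HISTORY = {
    "alice": [(d, 120.0 + 5 * (d % 3)) for d in range(1, 15)]
             + [(15, 130.0), (16, 4800.0), (17, 155.0)],
    "bob": [(d, 60.0) for d in range(1, 15)] + [(15, 65.0)] * 9,      # 9 payments in one day
    "carol": [(d, 200.0 + 10 * (d % 4)) for d in range(1, 15)] + [(15, 245.0), (16, 210.0)],
}
# Constructed ground truth for the POC scorecard: user-days that really were fraudulent.
LABELLED_FRAUD = {("alice", 16), ("alice", 17), ("bob", 15)}

# Two candidate tunings of the same detector, standing in for two vendor products.
SETTINGS = {"strict": {"amount_k": 3.0, "freq_factor": 2},
            "noisy": {"amount_k": 1.0, "freq_factor": 2}}


def baseline_profile(txns):
    """Per-user normal behaviour: busiest baseline day, median amount and its MAD."""
    base = [(d, a) for d, a in txns if d <= BASELINE_DAYS]
    amounts = [a for _, a in base]
    med = statistics.median(amounts)
    mad = statistics.median([abs(a - med) for a in amounts])
    return {"max_daily_count": max(Counter(d for d, _ in base).values()),
            "median_amount": med, "mad": mad}


def detect_anomalies(txns, amount_k, freq_factor):
    """Days after the baseline showing a sharp jump in amount or in daily frequency."""
    p = baseline_profile(txns)
    # MAD is 0 for a perfectly regular history; floor the spread at 10% of the median.
    spread = max(p["mad"], 0.1 * p["median_amount"])
    amount_limit = p["median_amount"] + amount_k * spread
    count_limit = p["max_daily_count"] * freq_factor
    test = [(d, a) for d, a in txns if d > BASELINE_DAYS]
    flagged = {d for d, a in test if a > amount_limit}
    flagged |= {d for d, c in Counter(d for d, _ in test).items() if c > count_limit}
    return flagged


def scorecard(flags, truth):
    """Confusion-matrix view of a detector's output against labelled user-days."""
    tp, fp, fn = len(flags & truth), len(flags - truth), len(truth - flags)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(tp / (tp + fp), 3) if tp + fp else 0.0,
            "recall": round(tp / (tp + fn), 3) if tp + fn else 0.0}


def run_poc(settings):
    """Run one tuning over every user and score it against the labelled fraud."""
    flags = {(u, d) for u, txns in HISTORY.items() for d in detect_anomalies(txns, **settings)}
    return scorecard(flags, LABELLED_FRAUD)

if __name__ == "__main__":
    print({name: run_poc(s) for name, s in SETTINGS.items()})  # more suspects is not simply better
```

On this data the noisy tuning catches every labelled fraud but raises a false positive on carol, while the strict tuning raises none but misses alice's smaller day-17 item; which trade-off is acceptable is exactly what the POC success indicators have to state in advance.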

Once the POCs are proven, it is time to take stock of your existing system to make sure that it is fundamentally sound: for instance, to ensure that user authorisation, the centralised log server and the fraud management rules engine are operating smoothly and are securely administered before the new technologies are added.

As usual, implement the new controls in stages, starting with the quick and easier wins to convince your stakeholders and secure approval for the next phases of development.

New devices are attractive because they bring in new business and opportunities. Data cleverly harnessed is valuable and can literally make you millions of dollars in seconds. As with all treasures, there will be thieves lurking. Given all these new technological frontiers opening up, we need better and more sophisticated controls. These controls, unlike in the past, come from varied technologies and must no longer be perimeter defences, but pervasive throughout the information system. New pervasive controls are powerful and can serve beyond the objectives of data protection: they can be leveraged to analyse business trends and manage fraud. Implementation must be approached step by step and iteratively, while keeping management informed of their massive potential for the future.

This article is a very brief summary. It dwells on the salient points of the new frontiers of information security and how we can proceed to implement the technical controls. There are a myriad of other business and managerial considerations in a real-life situation. Given the limitation of space here, we shall leave those other discussions to another article, another time.

Note: We are now an official media partner with BIGIT INSIGHT. This article will be published in their magazine.

Sunday, April 19, 2015

5 Survival Tips when dropped into the ‘Deep End’

Instead of the usual technical blog posts, this one is a pragmatic survival guide. If you have been around for a while, chances are that you have been thrown into the 'deep end' of a project before.

With rapidly changing markets and business requirements, this is becoming more common: budgets are approved late, but with expectations of quick delivery. This usually means a mad scramble to fill the project team, with the eventual result that unfortunate new hires are dropped into the ‘deep end’ a few months after the project has started. These latecomers, however, are still expected to hit the ground running.

So, here are some survival tips:

1. Update your knowledge of industry acronyms and products.

No matter how experienced you are in the industry, new acronyms and products are created every day. Google them and make a list, ready for you to refer to when required. But not to worry: a lot of them are just new marketing slang for old technologies, like “Cloud Computing”. So don’t panic. You just need to know the right slang quickly and appear cool.

2. Learn the business and project acronyms

Businesses and projects love acronyms, and the people involved use them liberally, as if they were second nature to you too. Make a comprehensive list of such acronyms early in the project: grab an old hand in the organization and sit down with him uninterrupted for one hour to establish the glossary.

3. Learn the organizational structure, the relevant departments and their spokesperson.

In the old days, the development team did everything from conception, programming and testing to the acceptance stages. These days, organizations are structured to have specialized departments deliver various components of your project, for the benefit of economies of scale and efficiency. For instance, there may be a permanent generic testing team that tests all projects before they are released into production in the organization. Or maybe some tasks are outsourced to a third-party company situated in another country and another time zone, from a different culture and speaking virtually a different language.

When you have mastered points 1 to 3, you are able to follow what is said in project meetings and appear intelligent. However, you have not moved much yet; you are merely holding your head above the water.

4. Build a rapport with the key persons in the project

Develop relationships. It is relationships that make things happen quickly and fairly trouble-free. But develop appropriate relationships. Doing otherwise will have repercussions later on. Karma is such a bitch.

5. Stick to officially sanctioned activities

In the old days, it was fine to help your team members with their work, and sometimes with some informal tasks. Such tasks are usually safe short cuts necessary to make things happen quickly, but overlooked by the managers. However, it is riskier to do so these days, because all activities are owned and given milestones and deadlines. If you really want to help out, do so quietly. Don’t pen them down anywhere. The moment any activity is penned down, someone will come and ask you where it falls under. That, to me, is a bother you and I do not need. If you are not careful, it can also make you look bad.

There is, of course, much more that needs to be done in a project, but knowing the aforesaid five points is a good start.

You will then not feel lost in meetings and discussions, stop looking stupid and start to produce useful work.

Happy working!