Technology — that which surrounds our lives, enhances it, and improves it

How much are we really aware as to how it IMPACTS and IMPROVES our lives, and how do we manage it in a way to deliver results? Well, that is something I have been chasing for the past 11 years, through experimentation, start-ups, advising start-ups, inventing, and writing books.

Yes, writing books. The most recent project I wrapped up moments ago was on parenting. First off, parenting is a deep and passionate topic of mine and others — both family caregivers and parents alike. Tackling this required me to truly leverage a few core talents that I have excelled at for years (you possess many of these traits and the others are dormant, I promise).

Specifically, talents around developing practical and elegant insights to highly complex situations (Einstein would be proud). These skills of pattern matching, observation, study, broad research domains, and experimentation brought a distinct set of skills to form concrete examples and ideas around parenting. I also was able to tap into and develop my artistic capabilities, and craft a beautiful book with rich visual examples to connect with the reader.

The exploration and experimentation for making a book though is found in the actual creation — the execution. Here are the vast areas where technology and diverse teaming were required to produce the book:

  • Drafting of the book using online only editors (Google Apps)
  • Setting up a rich universe and feedback system across 1,000+ individuals
  • Launching surveys across social media and direct to individual experts
  • Hiring international team members (Germany, Philippines, and Canada) to provide artistic, interior design, and exterior design services
  • Printing and field testing the book using on-demand printing systems
  • Creating a wholesale company account to pre-order
  • Developing a storyboard marketing plan using vast online management and execution tools

and much more!

It is striking to me the integration of social media, online instant-delivery tools (imagine using this technology to create an individually designed in-person experience), conventional online tools, and international coordination through support platforms that allows for scale and efficiency.

These past few months I have been blessed to be able to explore my curiosity in this space of parenting and create a manuscript that I hope will benefit many families. It also allowed me to sharpen my consumer engagement knowledge that I look forward to utilizing more in the future. A great lesson for me, and perhaps one you can draw upon, too.


Discover how you can publish too: Book Publishing and Book Printing Solutions for Nonfiction and Fiction


Police seek Amazon Echo data in murder case (updated)

Always-on technology is in the spotlight in a murder court case, and Amazon’s Echo device is only a single example of the numerous devices in our lives that accomplish this marvel: “Police in Arkansas want to know if one of the gadgets overheard something that can help with a murder case. According to The Information, authorities in Bentonville issued a warrant for Amazon to hand over any audio or records from an Echo belonging to James Andrew Bates. Bates is set to go to trial for first-degree murder for the death of Victor Collins next year.”

Echo only captures audio and streams it to the cloud when the device hears the wake word “Alexa.” A ring on the top of the device turns blue to give a visual indication that audio is being recorded. Those clips, or “utterances” as the company calls them, are stored in the cloud until a customer deletes them either individually or all at once. When that’s done, the “utterances” are permanently deleted. What’s more, the microphones on an Echo device can be manually turned off at any time.

Source: Police seek Amazon Echo data in murder case (updated)

Of course, you must delete the utterances for them to be gone …

I love the application and possibility of these technologies. While this is a good query into privacy protections and safeguards, there is much advantage to these technologies. It’ll be good to have the privacy concerns settled as it will further open the door for greater uses – medical, education, early childhood support, hospitality (already being done at the Wynn in Vegas), and more.



Topics for deeper study from the Commission on Enhancing National Security released on 12/1/2016

A few sections that I feel strongly about and look forward to studying more, and hopefully helping teams work on generally.


This feels very aligned with themes and success patterns within the advanced technology development space. There is an art to these metrics, though, and I am interested in the philosophy, raw inputs, and weight placed upon the 1,000s of possibly collected metrics:

Action Item 5.3.3 OMB should integrate cybersecurity metrics with agency performance metrics, review these metrics biannually, and integrate metrics and associated performance with the annual budget process. (SHORT TERM)

The idea of creating consistency and similarity seems to have a possibility of weakening the resiliency of the currently structured components, in that variety of administration, build, procedure, and custom threat augmentation all weaken with consistency. This will be interesting to see based on historic events. Cost-wise I see an advantage; on resiliency I am hesitant:

Recommendation 5.1 The federal government should take advantage of its ability to share components of the information technology (IT) infrastructure by consolidating basic network operations.

Well, this sounds absolutely identical to the initiative that Mudge and his wife have set up in Washington and presented at DefCon, well done:

Action Item 3.1.1 To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity “nutritional label” for technology products and services— ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand. (SHORT AND MEDIUM TERM)


Maybe if we stopped stating roles and responsibilities to regular consumers of our technology and spoke to them in English, as I learned the hard way in my own Consumer ‘roles and responsibilities’, a part of How Not To Be Hacked:

Action Item 3.1.3 The FTC should convene consumer organizations and industry stakeholders in an initiative to develop a standard template for documents that inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy

More to follow … hoping there is more transparency around these results and the process to enhance our Nation’s future success and safety.


Commission recommends an oversight agency, COMMISSION ON ENHANCING NATIONAL CYBERSECURITY

As many know, the 100 page report (really only about 50 if you exclude the appendices) highlights a lot of findings to shore up the government’s cybersecurity posture. As I study the findings and actions, I will share highlights.

Action Item 5.5.2 Congress should consolidate cybersecurity and infrastructure protection functions under the oversight of a single federal agency, and ensure this agency has the appropriate capabilities and responsibilities to execute its mission. (SHORT TERM)

This is something that I and others have warned against. Not that it shouldn’t happen, but if private industry doesn’t shore up the cybersecurity issue this will become a legislated and enforced area of business and technology. There is a path for this to avoid legislation and oversight, but that may not be viable if we continue to have major citizen-impacting issues.

Full report:



Active Defense for Products, Example: Facebook | TechCrunch

I have highlighted that product teams need to move beyond security (preventing classic buffer overflows) to introducing cybersecurity within the logic of their application for real world scenarios. This active defense (called many things) is essential to having our products operate in hostile environments.

Facebook shared an example of how they structure their product (authentication) to bolster the safety of its users – even when they are using products / platforms (older Android versions) that are proven to have backdoors and malicious code exploits. This is a great demonstration and opportunity for self-reflection:

  1. How have you enhanced your product?
  2. Are you just ‘scanning’ and closing tickets or is your cybersecurity intelligence being applied to functional requirements?
  3. Is your ratio of Development engineers to Cybersecurity engineers appropriate?

Facebook can’t force you to use two-factor identification, even though it knows you would be safer if you did. That forces the social media giant to find other ways to build in safety for you. Alex Stamos CSO says, the company actually monitors black market password databases, looking for password matches against its user base, and warning people when they find compromised ones.

Source: Facebook wants to make you secure no matter how hard you make it | TechCrunch
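
The check described in the quote, matching a leaked credential dump against a user base, as an added example (not Facebook's code). It assumes users are stored with a per-user salt and a PBKDF2 verifier and that the dump is `email:password` lines; all names and sample data are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier exactly as the login path would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "verifier": hash_password(password, salt)}


def parse_dump(lines):
    """Yield (email, password) from 'email:password' lines, skipping junk."""
    for line in lines:
        email, sep, password = line.strip().partition(":")
        if sep and email and password:
            yield email.lower(), password


def accounts_to_warn(users: dict, dump_lines) -> list:
    """E-mails of our users whose *current* password appears in the dump."""
    hits = set()
    for email, leaked in parse_dump(dump_lines):
        user = users.get(email)
        if user is None:
            continue  # not one of our accounts
        candidate = hash_password(leaked, user["salt"])
        if hmac.compare_digest(candidate, user["verifier"]):
            hits.add(email)  # leaked password still works: warn, force reset
    return sorted(hits)


# Constructed sample data: two accounts and a four-line "dump".
USERS = {u["email"]: u for u in (
    make_user("alice@example.com", "correct horse battery"),
    make_user("bob@example.com", "hunter2"),
)}
DUMP = [
    "bob@example.com:hunter2",         # reused password, still current
    "alice@example.com:old-password",  # leaked, but no longer her password
    "mallory@example.org:whatever",    # not our user
    "line without a separator",
]
```

Because each leaked password is re-hashed with the target account's own salt, the service never needs to store or index plaintext passwords to run this comparison.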

Attacking the attacking IoT Botnet: Invincea Labs’ Killing Mirai: Active defense

While the ISPs, DDoS mitigation services, and others scramble to figure out how to augment traditional defenses to handle this new threat, we decided to investigate a less conventional approach. Attackers often rely on exploiting vulnerabilities in software we own to install their tools on our systems…So why not use their own strategy against them?

Source: Invincea Labs

A nice write-up about another contrarian approach to defeating botnet coordinated attacks against online systems. The concept of exploiting an operating botnet is interesting, and in this demonstration successful. What I found most interesting was the introduction of specific active defense methods that businesses, service providers, ISP, OSP, and DDoS mitigation companies can / should / may begin to leverage.

How is your company leveraging active defense? Not specifically counter-attacking, but other methods? In my work around product security, I see the concept of predefining attack scenarios and setting up safeguards in the code (i.e., if X becomes available do Y… not simply stop buffer overflow, but acceptance of an event and establishing the next two steps to continue operations).

Within autonomous infrastructure, cars, online cloud / container environments this now must be instituted. The complexity and fun is in the scenario analysis and multi-variable conclusion requirements.

Glad to see others thinking outside the box.




IoT Botnets .. White label risks .. Bad customer experience .. and what it means from our post IoT Attack Analysis, Threatpost


IoT devices are the new emerging world .. roughly 10 billion such devices are in our daily lives at this moment, and this number is expected to multiply quickly. What are these devices – look at your wrist, your home thermostat, your TV, your lighting, the HVAC at your office, the traffic (ground and air) systems, and billions more internet connected sensors around the world.

IoT hacked, weaponized

Most recently, and publicly, an online journalist website was taken down with the use of commandeered consumer IoT devices (about 500,000). This was not hard, and can easily be replicated by anyone with about an extra 10 hours on their hands (and a bit of legal protection). The analysis linked below is rich and worth diving into, but I wanted to highlight a different viewpoint:

  • First, White Label risks, if you are branding a chip, gadget, component, software package, and such from another business – YOU must ensure the technology is up to your standard. Secure, high quality, safety to the user and an enjoyable experience. Liability risks would be interesting to explore, but beyond those costs …
  • Second, customer experience ruined with your device / service. If you had a vulnerable piece of technology (because you didn’t vet it), and then every device you sold was suddenly rebooting, not working, ruining that vital Netflix binge, etc …. how do you think consumers will react? Not a pleasant scene given how hard we each work to build beautiful customer experiences with our products.
  • Finally, this problem won’t go away. Every one of those vulnerable (500k!!!) devices will ALWAYS be vulnerable given that the weaknesses were hard coded (permanently written into the product), and cannot be changed. Not a fun recall process and with such low margins, how many will actually mandate it / be required to do so / who is looking over this fast and loose area of products?
  • I firmly believe we can do better, must do better, and will either be given the chance or mandated to do just that. How are others vetting these processes? How could all of these white label sourcing / procurement teams have caught this sooner? How complex would it have been to detect and validate? Given the amount of successful attacks on this single product, it seems quite easy to have accomplished. Tongue in cheek, I’d recommend my book that I wrote for my family, How Not To Be Hacked, as it highlights specifically NEVER to leave default passwords – but in this case, the vendor made them permanent.

Let’s do better together and make richer experiences. The only true solution to stopping these zombie IoT Devices will be for carriers to block them wholly on the wire, Internet-Bricking / Banishing them to an offline world.

The culprit behind the and OVH attacks is traced back to one white-box DVR manufacturer, China-based XiongMai Technologies. The company sells white-labeled DVRs, network video recorders and IP camera circuit boards and companion software to a large number of vendors who in turn use the technology in their own products, according to Flashpoint blog post on the DDoS attacks posted Friday. In the case of XiongMai Technologies, it made the fatal error of using a default username “root” and password “xc3511” combination on each of the 500,000 devices used in the DDoS attacks.

Source: When DVRs Attack: Post IoT Attack Analysis | Threatpost | The first stop for security news
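
One way a white-label procurement team could vet for the hard-coded login described above, as an added example that is not from the post or from any vendor. It assumes the firmware image has already been unpacked and keeps its accounts in a standard seven-field passwd file; the sample file and its hash value are constructed placeholders.

```python
# Password-field values that cannot be used to log in, or that defer to
# another file ("x" = hash is in a shadow file, which needs the same audit).
UNUSABLE = {"x", "*", "!", "!!", "*LK*"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def audit_passwd(text: str) -> list:
    """Return (line_no, account, issue) for credentials baked into an image."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if shell in NOLOGIN_SHELLS or pw in UNUSABLE or pw.startswith("!"):
            continue  # no shell login with a password from this file
        if pw == "":
            issue = "empty password"
        else:
            # A hash inside a read-only image is identical on every unit sold.
            issue = "hardcoded password hash"
        if uid == "0":
            issue += " on uid 0"
        findings.append((line_no, name, issue))
    return findings


# Constructed sample: passwd file from a hypothetical vendor firmware image.
# The hash value is a placeholder, not a real credential.
SAMPLE_PASSWD = """\
root:PLACEHOLDERHASH:0:0:root:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
admin::500:500:admin:/home/admin:/bin/sh
ftp:x:14:50:ftp:/var/ftp:/sbin/nologin
support:!PLACEHOLDERHASH:501:501::/home/support:/bin/sh
"""
```

Any finding here is a reason to ask the supplier how the credential is changed per unit before the product ships under your brand; no password cracking is needed to see that the same secret is on every device.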