The Cost of Cyber Security Misconfiguration
July 18, 2022
The numbers tossed around about the cost of a security breach are interesting. I have formed the opinion that the cost estimates are a result of what I have called spreadsheet fever. Plug in numbers, make them flow, and go, baby, go. I read “Razer Seeks $7m from Capgemini for 2020 Data Breach.” The write up explains:
The Singapore-born gaming firm is seeking compensation of nearly US$7 million in damages, which also includes a US$2,000 reward to the security researcher who discovered the breach under the company’s bug bounty program.
What outfit is the target of the litigation? The write up says:
In its lawsuit, Razer alleged that the security breach was the result of a misconfiguration of the “ELK Stack,” caused by one of Capgemini’s employees.
The ELK is not the majestic animal. In the cyber context ELK is the Elasticsearch, Logstash, and Kibana stack: open source software glued together to collect, index, and search logs, and often the core of a security monitoring setup. The trick is the configuration. Get a setting wrong (the classic case is an index reachable from the Internet with no authentication in front of it) and the ELK is less healthy than some observers suspect. An unhealthy ELK can be problematic. It is not a big dead animal in the climate changed world. This creature puts revenue and people at risk of catching a bad disease themselves; for example, standing in the unemployment line, working the phone to reclaim their identity, and applying for a job at one of the booming cyber security vendors. Well, maybe not that particular angle.
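Here is an added example of what "get a setting wrong" looks like in practice. It is not Razer's or Capgemini's configuration (the lawsuit does not say what the misstep was) and not code from any of the parties; it is a small audit script of my own that reads an elasticsearch.yml and flags the combinations that most often turn an ELK node into a public search endpoint. The sample configurations are constructed. The setting names are real Elasticsearch settings; the assumption that security is off unless stated applies to versions before 8.0, which shipped with xpack.security.enabled defaulting to false.

```python
"""Audit an elasticsearch.yml for the settings that commonly leave an ELK
node open to the Internet. Added example, not the configuration from the
Razer/Capgemini dispute; sample configs below are constructed."""

# Constructed sample: the kind of quick single-node setup that gets copied
# from a tutorial. Binding to 0.0.0.0 with security off exposes the whole
# index set over HTTP without a password.
SAMPLE_CONFIG = """\
cluster.name: logging
node.name: es-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: the same node with authentication and HTTPS turned on.
FIXED_CONFIG = """\
cluster.name: logging
node.name: es-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Values of network.host that bind to something other than loopback.
NON_LOOPBACK = ("0.0.0.0", "::", "_global_", "_site_")


def parse_flat_yaml(text):
    """Parse the 'dotted.key: value' lines Elasticsearch uses. Comments,
    blank lines and nested structures are ignored; that is enough here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text, version_major=7):
    """Return a list of findings for the config text; empty means clean.

    version_major matters because before 8.0 xpack.security.enabled
    defaulted to false, so a config that never mentions it is treated as
    having authentication switched off."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")
    bound_everywhere = host in NON_LOOPBACK
    security_default = "true" if version_major >= 8 else "false"
    security_on = s.get("xpack.security.enabled", security_default).lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if bound_everywhere and not security_on:
        findings.append("HTTP API bound to a non-loopback interface with authentication disabled")
    elif not security_on:
        findings.append("authentication disabled (xpack.security.enabled is false or unset)")
    if bound_everywhere and security_on and not tls_on:
        findings.append("credentials sent in clear: HTTP TLS not enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit_elasticsearch_config(cfg) or ["clean"])
```

The script deliberately treats "setting absent" as "default applies", because that is how the misconfiguration usually happens: nobody wrote security: false, the tutorial simply never mentioned it. Point it at the running node's config (or at `GET /_cluster/settings` output flattened the same way) rather than at the repository copy, since the two drift.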
The outcome of the lawsuit may provide some more data about the cost of a cyber screw up and details about the how of the alleged misstep.
Stephen E Arnold, July 19, 2022
Cloud Economics: The Customer Pays Because Going-Back Costs Are Too High
July 11, 2022
Short- and mid-term decisions may not be the optimal ones. Who cares about that pawn? Maybe in the end game, that pawn was on steroids. The player willing to give it up was unwilling to think about what lurks in the future.
I read “FedEx to Close Data Centers, Retire All Mainframes by 2024, Saving $400m.” The main idea is that mainframes are not suited to the zippy world of today. Furthermore, programmers – despite high-tech’s enthusiastic reduction in force moves – are not into the oddities of big iron. Those who do get jazzed with total-code working environments are rarer than a certain prince’s attending a female 15 year-old’s birthday party at the country club pool in Oxfordshire.
The write up reports:
Speaking during the FedEx investor day, FedEx CIO Rob Carter said the company is aiming for a ‘zero data center, zero mainframe’ environment based in the cloud, which will result in $400 million in savings annually. “We’ve been working across this decade to streamline and simplify our technology and systems,” he said. “We’ve shifted to cloud…we’ve been eliminating monolithic applications one after the other after the other…we’re moving to a zero data center, zero mainframe environment that’s more flexible, secure, and cost-effective.”
One way to view IBM’s approach to computing in the pre-personal computer days was a person in handcuffs. IBMers disagree with my view. No problem. I also see cloud computing as a variation of the IBM approach to computing: Lock in and change are business benefits. Leasing mainframes and buying services each year is the equivalent of high-tech’s discovery of subscription-centric revenue models.
FedEx does not see the cloud as a variation on the mainframe strategy and its pricing structure. I thought one of the FedEx wizards was a Harvard MBA wizard.
The write up notes:
FedEx has previously said it planned to work with Intel and Switch to build Edge data centers at FedEx locations across the US. Whether this has actually been rolled out is unclear.
Trendy I suppose. I want to point out that there are some interesting comments about this alleged decision in the Y Combinator Hacker News comments. You can find these at this link.
One comment resonated with me: “Change gives the illusion of progress.”
Stephen E Arnold, July xx, 2022
Differences between Amateur and Pro Analysts: A Sci-Fi Adventure
July 5, 2022
I read “One of the Most Prominent Crypto Hedge Funds Just Defaulted on a $670 Million Loan.” I also read some of the reports about the company. You can refresh your understanding of “real” analysts at work. Try this link even though the main Three Arrows’ site is throwing 404s.
I then read “10 Differences between Amateurs and Professional Analysts.” (You may have to hand over an email address or pay to read this estimable essay about differences in data wrangling pony riders.) I considered each of the points of differentiation. Here are three, but you will have to consult the original article yourself to be further enlightened.
- Handling lots of data. Yeah, let’s ask Dr. Timnit Gebru about that. My experience is that those better at analytics can make those data perform like trained ponies at the Barnum & Bailey Circus.
- Immunity to data science bias. Yeah, let us check out how the AI demos respond to requests for certain topics. Try Crungus on DALL-E. Working good, right?
- Refusing to be a data charlatan. And Three Arrows? Just an anomaly, perhaps?
Net net: No difference unless measured in ångströms, plus a happy ignorance of poisoned data when sucking down alternative information. What could go wrong? Answer: Three Arrows.
Stephen E Arnold, July 5, 2022
Singapore: How Disneyland with a Death Penalty Approaches Crypto
June 23, 2022
I read “Singapore Regulator Vows to Be Unrelentingly Hard on Crypto.” The approach seems to be a bit different from the control mechanisms used in the US. (You will have to pay to read the orange newspaper’s story.) The write up states:
Singapore will be “brutal and unrelentingly hard” on bad behavior in the crypto industry, according to its fintech policy chief, marking a stark shift in rhetoric after years of the city-state courting the sector.
The report suggests that Singapore sees value in a central bank digital currency and a “platform” for financial activities.
From my perspective, [a] Singapore understands the potential upsides and downsides of crypto currency and wants to be a player, [b] Singapore sees a void because certain leading nation states are dithering, and [c] there’s money to be made.
Money, control, and filling a void — Good reasons perhaps.
Stephen E Arnold, June xx, 2022
NSO Group: Is This a Baller Play to Regain Its PR Initiative or a Fumble?
June 15, 2022
Secrecy and confidentiality are often positive characteristics in certain specialized software endeavors. One might assume that firms engaged in providing technology, engineering support, and consulting services would operate with a low profile. I like to think of my first meeting with Admiral Craig Hosmer. We each arrived at the DC Army Navy Club at 2:30 pm Eastern time. The Admiral told me where to sit. He joined me about 15 minutes later. The Club was virtually empty; the room was small but comfortable; and the one staff member was behind the bar doing what bartenders do: Polishing glasses.
Looking back on that meeting in 1974, I am quite certain no one knew I was meeting the Admiral. I have no idea where the Admiral entered the building nor did I see who drove him to the 17th Street NW location. My thought is that this type of set up for a meeting was what I would call “low profile.”
“US Defence Contractor in Talks to Take Over NSO Group’s Hacking Technology” illustrates what happens when the type of everyday precautions Admiral Hosmer took are ignored. A British newspaper reports:
The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools. Multiple sources confirmed that discussions were centered on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.
Okay, so much for low profiling this type of deal.
I am not sure what “multiple sources” means. If someone were writing about my meeting the Admiral, the only sources of information would have been me, the Admiral’s technical aide (a nuclear scientist from Argonne National Laboratory), and probably the bartender, who did not approach the area in which the former chair of the Joint Committee on Atomic Energy and I were sitting.
But what have we got?
- A major newspaper’s story about a company which has made specialized services as familiar as TikTok
- Multiple sources of information. What? Who is talking? Why?
- A White House “official” making a comment. Who? Why? To whom?
- A reference to a specialized news service called “Intelligence Online”. What was the source of this outfit’s information? Is that source high value? Why is a news service plunging into frog killing hot water?
- Ramblings about the need to involve government officials in at least two countries. Who are the “officials”? Why are these people identified without specifics?
- References to human rights advocates. Which advocates? Why?
Gentle reader, I am a dinobaby who was once a consultant to the company which made this term popular. Perhaps a return to the good old days of low-profiling certain activities is appropriate?
One thing is certain: Not even Google’s 10-thumb approach to information about its allegedly smart software can top this NSO Group PR milestone.
Stephen E Arnold, June 15, 2022
Quantum Baloney Gives Money People Indigestion
June 9, 2022
I won’t mention quantum supremacy. Okay, I did mention quantum supremacy. No, I won’t explain why trivial issues like chaos make assertions about quantum computing less than a slam dunk. I will mention a report with the snappy title “The “World’s Most Powerful Quantum Computer” Is A Hoax With Staged Nikola-Style Photos – An Absurd VC Pump With A Recent Lock-Up Expiration Takes SPAC Abuses To New Extremes.” The document consumes more than 180 pages. The author or authors obviously wanted to explain that there’s a burr under the Wild West pony herders’ saddle.
The main idea is that a couple of academics used jargon, nice personalities, and the pixie dust of quantum computing to suck in some investment and deliver digital horse manure. Now is the criticism justified? I mean more than 180 pages to make clear that talking about quantum computing is really easy. Demonstrations are only a bit more difficult unless one is an expert in 18th century American buttons. (No, that’s a real thing.)
My reaction to the write up in particular and the quantum computing baloney in general is that some folks have engaged in disinformation.
From the point of view of the authors of the 180 page document, the information seems clear, reasonably well documented, and focused on making life difficult for those who cooked up the “hoax.”
From the point of view of quantum researchers, there may be a different view. What self-respecting quantum wizard wants to dump on a colleague unless there is a specific payoff in the criticism?
Now here’s the problem: Disinformation.
The quantum computing “discipline” is chock full of claims, reports of breakthroughs, and marketing opportunities. A good example is that one vendor has developed a quantum resistant cryptographic system that runs on plain Jane computers with traditional methods which would be familiar to Grace Hopper. (That part is not the baloney: post-quantum cryptography is, by design, classical algorithms chosen to resist quantum attacks. The marketing is in the packaging, not the hardware.)
I can envision a scenario in which the founders of the company drawn and quartered in the cited document can explain what has been accomplished. If a really tough question comes up, the Silicon Valley ploy of apologizing and sending more information may work. Competitors will be able to explain why their approach is a home run. Commercialization is just around the corner. Lawyers will be compensated to try and figure out who is on first and why is I don’t know such a popular reference.
What’s accurate? What’s not accurate?
Welcome to the remarkable world of disinformation with a touch of information weaponization.
Stephen E Arnold, June 9, 2022
Bitcoin Dip: Buy a Dubai Villa Today?
June 9, 2022
Now there is an easy way to buy property with Bitcoin—if one is looking to settle in Dubai, that is. The International Business Times reveals, “Coinsfera Makes It Easy to Buy Real Estate in Dubai with Bitcoin.” Reporter Anjali Kochhar writes:
“If a buyer is not a UAE national, then they need to have an original ID or passport to buy properties in Dubai through Bitcoin. Meanwhile, the payment through Bitcoin will be considered in US Dollars or Dirhams. The crypto exchange will help the buyers with selecting different properties at premium locations in Dubai by assigning real estate agents who will help in property dealing. After that, the company will arrange a meeting for further dealing where you can negotiate and finalize the deal. Once all things are decided, buyers can transfer the capital amount in Bitcoin through their wallet. The buyers can have possession of the villa right after the transfer of Bitcoins. ‘Coinsfera offers luxurious apartments in the great buildings of Dubai. We will not just save your time but also your cost in the transaction process. You just have to select your apartment and we will take care of the rest,’ the statement read.”
Sounds convenient. But who are the customers? We are not sure, but some people in Russia, the Middle East, and Monaco may be interested. The service’s launch follows the passage of recent legislation designed to position the Dubai Emirate as a leader in crypto currencies, NFTs and any other virtual assets that might come along. Founded in 2015, Coinsfera is a Bitcoin exchange firm based in Dubai that also serves customers in Istanbul, London, and Kosovo.
Cynthia Murrell, June 9, 2022
NSO Group: Here We Go Again
June 1, 2022
That Israeli outfit NSO Group has nailed the art of publicity. Positive PR? Nope. Not so positive? Yep. But as a wit allegedly said, “Any publicity is good publicity?”
Maybe.
“NSO’s Cash Dilemma: Miss Debt Repayment or Sell to Risky Customers” tries to explain some of NSO Group’s alleged activities. [This Financial Times’ article resides behind a paywall.] The write up states:
Hulio [one of NSO Group’s senior managers] said there was one option to bring in some cash quickly enough to pay salaries and service debt: reassemble a defunct internal committee and approve sales to customers flagged as “elevated risk” during due diligence.
Why does this allegation matter? Money pressures are sparking consideration of sales to nation states which may present some challenges to NSO Group, its managers and staff, and its investors.
My thought is that money must be followed.
A pursuit of money sparked some actions at other search and content processing centric companies. I mentioned this idea in my recent essay “Autonomy Business Details: Are These Relevant to Search- and Content Processing Type Outfits Today?”
The decision to generate revenues seems to open the door for many ideas. Some of these are okay; for example, selling more licenses to governments of NATO countries. A few may have been less well received; for example, relaxing the criteria used to determine what countries could license Israeli surveillance innovations.
US sanctions and the PR cyclone have created a number of business challenges for NSO Group. The path forward according to the Financial Times’ article looks like this:
In recent months, Hulio has come up with a new plan dubbed the “phoenix plan” by company insiders. The idea is to split NSO’s greatest assets from its greatest liabilities — this meant separating the code behind Pegasus and company engineers who are highly paid graduates of Israel’s elite military intelligence units, from the clients that have drawn the ire of the US and human rights groups. Hulio and a group of creditors hope that by spinning out a new entity that houses the code and engineers, it can sidestep the commerce department’s blacklist, especially if a new owner were a top US defence contractor.
What’s the outlook for NSO Group? Three possibilities strike me:
- Other companies will fill the gap. Just as Cellebrite has to deal with an upstart iPhone penetration solution, NSO Group will find that its methods provide a springboard to other innovators.
- NSO Group gets folded into a government agency. One can be sure it will not be a part of a nation state with negative thoughts about Israel.
- NSO Group folds its tent, and certain senior managers and engineers set up another company and move on.
I want to mention that the reason there is a glass ceiling for revenues from intelware and policeware is that there are a finite number of customers for the number of products and services on offer. Once that glass ceiling bumps the head of senior managers and stakeholders, then what I see as “drastic” actions kick in. Are Palantir’s comments about nuclear war an example of this?
I am certain about one thing: NSO Group is one of the most recognized brands of intelware in the world.
Stephen E Arnold, June 1, 2022
Autonomy Business Details: Are These Relevant to Search- and Content Processing Type Outfits Today?
May 31, 2022
I read “Judge Details Lynch’s $700k Signoff via iPhone Text in Full Autonomy Judgement.” The main idea is that Autonomy — an early entrant in the smart software for search and content processing — engaged in some business practices which a British judge finds suggestive. How suggestive? I am not sure, but the idea of using resellers and transactions to amp up revenues is interesting.
Another search and content processing outfit called Fast Search & Transfer (which Microsoft acquired more than a decade ago) found itself subject to some scrutiny for financial fancy dancing. One of the firm’s founders was found guilty and may have spent some time in the custody of a government. Maybe the fellow was cross country skiing and shooting a rifle at snow bunnies.
The relevance of the cited story and the reference to skis and weapons reminds me that the financial reports of high-flying search and content processing companies have to be scrutinized. I mention this because some of the more interesting search and content processing centric companies are publicly traded. Palantir Technologies comes to mind because I have seen a couple of semi-optimistic write ups about the company.
If I were a more youthful 77 year old, I would muster the energy to:
- Investigate the US government and UK government contracts for term, sunset dates, and contracting officers (what’s the background of these individuals)
- Research the question, “What’s bundled into the basic commercial and the basic government deal?”
- Explore the question, “How is cost of sales reacting to the economic climate since Palantir went public?”
- Try to determine answers to these questions: “What’s the ratio of sales people to programmers? The ratio of full time equivalents to contractors? How has the ratio changed since the firm went public?”
- Interview some people at LE and intel conferences to get a sense of the chatter related to these questions: “Is Palantir bundling Amazon cloud services or does the licensee have a choice?” and “Has there been talk of Palantir providing a ‘system in a box’ to licensees with this requirement?”
Why think about these types of questions? Oh, I am just curious about search and content processing outfits.
Stephen E Arnold, May 31, 2022
The Business Intelligence Blind Spot: Everyone Needs These Systems
May 30, 2022
I recall that a booth called “Business Blind Spots” identified a number of behaviors which contribute to business missteps. Staff, preconceived notions, market receptivity, etc. were among the points I recall.
I want to toss one more blind spot into the raging fire of burned cash, torched reputations, and incinerated opportunities. I call this blind spot, “Everybody needs these systems.” Plug in your own “systems”; for example, software that manages several cloud accounts which are guaranteed to blow through budget assumptions with no easy way to control the rising expenses.
I read “Palantir Stock: Getting Desperate.” I think the write up has been riding the well-worn fire trail to a burning coal mine.
Palantir Technologies, when the charities, the razzle dazzle, and the jargon are stripped away, is a search and retrieval company. The idea is that a person looking for information about a bad actor, for instance, can plug in the name and see results.
Now this seems like a function which is readily available from many vendors. The twist for Palantir is that it positioned its search as one that would meet the needs of intelligence officers. The US government entity embracing Palantir’s software influenced the add-ons; for example, the ability to ingest certain types of content that only government agencies could acquire.
In order to make sales, the marketing engine of Palantir came up with the same type of “latest and greatest” verbiage that characterizes intelware (that’s software built around the specific needs of intelligence analysts). One example is importing proprietary file types. Another is keeping track of where a dataset came from, who fiddled with it, and what an authorized user did with the data when in search mode.
Over time, companies which serve government agencies have to choose one of three paths:
- Path 1 is to just do commercial work. Forget the intelligence market. A company which has moved in this direction is one you may not know anything about. It is LifeRaft. Look them up. Now the company does market and ad intelligence for commercial companies, ad agencies, and probably some non profit outfits.
- Path 2 is to just focus on government sales. An example of this type of outfit is BAE Systems which has software able to do Palantir type functions. I am not sure BAE Systems returns phone calls from a bank or real estate agency wanting some Detica goodness.
- Path 3 is to do both. The best example of this is Voyager Labs which does the LifeRaft type work and the intelligence and law enforcement work of outfits like Palantir.
Which is the right path?
From my point of view, a company selling intelware should stick to government clients, maintain a low profile, and keep systems and methods secret. LifeRaft told me, “Don’t even mention our firm at the 2022 National Cyber Crime Conference.” Why? Doing work for certain government agencies gives some commercial firms and their go-go decision makers the heebie jeebies. The fear is that folks who are interacting with investigators, intelligence operatives, and analysts could say something that will create big time thunderstorms for the commercial company. Some businesses are not exactly paragons of behavior. This means that the purchase cycle is drawn out, excuses are made, concerns about confidentiality are raised, and weirdness surfaces about the amount of training, customizing, and optimizing the intelware system requires. The result? Some pretty crazy attempts to sell the product, a disconnect between the promises made to the commercial sector and reality, and the inevitable gap. This type of “gap” created some interesting situations in the last decade or so.
What about government sales? Unless a company is selling hardware, software, spare parts, training, and services, governments are fickle. Sure, an intelware outfit like Palantir will get initial contracts. But the government agencies have roving eyes and will keep licensing, looking for the perfect solution to intel needs. What happens is that the software only vendor runs out of customers. Once a number of big agencies sign up, the US General Services Administration or the Defense Services Administration will start angling for a deal. Cut the fees or lose the contracts. This is bad news because expensive software takes time to sell to government customers who want a demo or a year of free or discounted use in order to figure out if the system actually works. The problem is that there are not that many government agencies in the free world to support the intelware companies hungry for allocated budget dollars. Stated another way, the intelware company has to get some contracts, make the software work, and forget about the hockey stick financial projections. The intelware vendors chase US allies, but there are vendors in those countries, and it may make more sense to license Trendalyze or Verint, not the Silicon Valley type outfit. Bad financial news? Yep.
Path three is to sell to anyone who wants the system. This is very, very difficult because the intelware system has to be fiddled with in order to meet the specific requirements of an organization. Chasing bad actors is one thing; figuring out what type of beverage a college student wants is another thing. Hanging over the commercial sales call is the concern about the government work, the government customers, and the government processes, which — once started — are tough to turn off.
This means that companies crafted for intelware users find that government sales slow down, commercial sales cycles take a long time and often end up at a dead end, and non government organizations don’t want or can’t pay big bucks for what is search software.
The market itself is changing. If you want to analyze tweets, hire a marketing agency and get rid of them once they have completed a project. Clean, tidy, easy. If a client has some Google grade programmers, download Maltego, license the $100 Hunchly, and spend some time looking at tools on GitHub. (Thank you, Microsoft, but do you know what’s on that service? I thought so.)
The cited article makes this point:
…the company must expand internationally. What better way to get new sales than to start fires and be the person to sell the smoke detectors? That is what Palantir’s software does, assess and analyze data for threats. It is a loose analogy but fitting. But why is Palantir in such desperate need of expansion to new governments and industries? It is because the only thing keeping the stock going is the revenue growth rate which has been so strong. The company has incurred losses every year of operation. It expects operating expenses to increase.
And what about international sales? Three points:
- There are vendors offering comparable or better systems so buying non-US may make economic and political sense
- The cost of closing deals internationally is — the last time I checked — two to three times the cost of selling from Chicago to US based customers
- The number of purchasers is not as large as one thinks. The US is the living embodiment of Parkinson’s Law and the Peter Principle. Other countries are not much better and they have less disposable cash.
Net net: The word desperate may be appropriate for Palantir Technologies. I don’t have a good set of options for the company: Too much hype, too much development cost, too much customizing and tuning and training, and too much nuke talk. Not helpful.
Stephen E Arnold, May 30, 2022