Category Archives: Threat modeling

Exploiting a wireless mesh network for utilities

Greentech

I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity.

Until then, there is a problem of range and coverage.

Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its long-range, WiFi-based communications. SkyPilot (with over 500 customers in 50 countries – utilities, wireless Internet service providers (WISPs), and municipal agencies – and deployments exceeding 50,000 devices) will help Trilliant get to the next stage.

Less regulation, increased data security

Data security compliance regulation such as PCI DSS 1.2 is a double-edged sword – as a security checklist it’s an important step for the payment card industry, but too much regulation, especially for small to mid-sized businesses, is too much of a good thing.

As my maternal grandmother, who spoke fluent Yiddish, would yell at us when we piled too much food on our plates – you have “grosse augen”. “Grosse augen” is literally “big eyes” – having eyes that are bigger than your capacity.

Social networking business models

A colleague who has a startup in the US for social networking for doctors was whining to me the other day that advertising business models are dead for everyone except the top 5-10 Internet properties like Yahoo and Google. He said that Google does a great job of aggregating ads from small Web sites, but that doesn’t mean that a small to mid-size Web property can monetize traffic enough to be profitable. It’s a corollary of the long tail of the Internet: the small guys at the end of the tail will never have enough traffic to monetize.

Imperfect knowledge security

Keeping the organization robust in a highly dynamic threat environment

Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achieve more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge . . . to a pretence of exact knowledge that is likely to be false.

FRIEDRICH A. HAYEK

“The Pretence of Knowledge,” Nobel Lecture

Modern information security models usually assume a pre-defined defensive structure of networks, systems, procedures, defenders and attackers – the properties of which are usually specified by vendors (i.e. defining the problem by the solution).

The problem with such models is that, in reducing the organization to a passive executor of defense rules in its firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So – learning about changes is at the heart of day-to-day security management.

Pharmas, Web 2.0 and regulation

For a change – ethics based regulation that differentiates between the medium and the message.

Dr. Jean Ah Kang works at DDMAC and is in charge of Web 2.0 policy development. She speaks very well in her interview with Mark Senak, a regulatory affairs lawyer (eyeonfda.com). Here is the podcast: FDA’s views and ideas about social media and its use in the life sciences industry.

Off-label marketing

I recently read an article by Adriane Fugh-Berman and Douglas Melnick, “Off-Label Promotion, On-Target Sales”:

In the pharmaceutical industry, there are two ways to market an approved drug for a new use: the “indication” route—performing studies necessary for regulatory approval—or the “publication” strategy, which stimulates off-label prescribing by using research “to disseminate the information as widely as possible through the world’s medical literature” (Steinman MA, Bero LA, Chren MM, Landefeld CS (2006) Narrative review: The promotion of gabapentin: An analysis of internal industry documents. Ann Intern Med 145: 284–293.)

Pharmas want to be ethical, but there are threats to ethical behavior: the need to approve a drug quickly and to grow sales by applying drugs to off-label indications. One approach for a pharma to mitigate the risk of off-label marketing is to control communications to doctors using social networking tools:

Step 1 – Provide well-known medical authorities with a controlled and moderated channel for blogging in a professional network for medical reps and docs. The blogs would feature independent opinions and be moderated, ensuring that the industry experts are able to provide objective information on the efficacy of drugs and evidence-based prescription, and helping pharmas comply with FDA regulation prohibiting off-label promotion.

Step 2 – Provide practical dosage guidelines according to drug indications on a professional network for medical reps and docs. A rep, product manager and pharma have a private, professional channel to communicate recommendations in a practical and ethical manner.

Designing a data security system

User-Driven Design versus User-Centered design

Alan Cooper, in his book The Inmates are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all seen software development projects where the requirements spiraled out of control and the project was a painful flop. On a project like that, it’s best to detect the warning signs early on and bail out in order to save your sanity and reputation.

User-centered design, on the other hand, is about listening carefully to the user and implementing friendly, reliable, fast and secure software that meets the user business requirements.

There is a lesson to be learned here for data security and data loss prevention –


BizSpark

I just got an invite to BizSpark from thefunded.com.

“Microsoft® BizSpark™ is a global program designed to help accelerate the success of early stage startups by providing key resources”; basically free development software and a hook into a community of potential investors. A lot of the comments on TechCrunch were of a religious nature, calling it a scam and wondering why you have to be sponsored by a VC (you don’t…) or have $1M in funding (you have to have < $1M…).

Excellence is driven by open competition and sharing, and from where I’m sitting BizSpark is a good idea for entrepreneurs. As a serial entrepreneur (I’m on my 4th startup) and Open Source advocate, let’s try to stay objective and consider the following points:

Are you a leader or a friend?

Although I served in the Israeli Army, I was what they called a “simple soldier”, a communications tech in a van. Our officer was glad that we kept things working – and that was fair enough, we thought. After grad school, serving in the armies of high-tech samurai, I learned that commanders fight with the troops but leaders lead from the front – and being a friend of the troops disables your effectiveness as a leader/manager.

My friend Isaac Botbol has a leadership training business – he conveyed this message perfectly in his last newsletter, “Are you a leader or a friend?”

Why do people commit crimes?

The president of a prospect was recently discussing with us whether Oracle IRM (information rights management) was a good way of preventing data loss, and a viable alternative to a DLP (data loss prevention) system. Rights management would appear at first blush to be orthogonal to data loss prevention, but it’s an interesting question that got me thinking.

The answer lies in understanding the fundamentals of crime.

Like any other crime, a trusted insider needs a combination of means, opportunity, and intent.