Archive for the ‘Observations’ Category

Is PCI Dead?

Sunday, March 30th, 2014

Is PCI, the Payment Card Industry Data Security Standard, dead?

What PCI did well

PCI was meant to improve security controls for handling sensitive credit card data transferred between users, merchants and back-end systems where credit card data was transmitted, stored, or otherwise available. It’s had a storied history from its inception in 2004.

PCI has done a good job of instilling the need for more funding, time and attention for data security, which heretofore – and often still today – is relegated to backwater status in IT. If you are with a large enterprise, that backwater status no longer exists. For this we can thank PCI.

But outside of mid-size and large enterprises, data security is still a backwater, if it exists at all.

What’s the reality?

Unfortunately, all the well-known breaches involving credit cards – most recently the one impacting Target and its customers – have also involved IT systems that passed their PCI compliance audits. Why?

One of the reasons why PCI compliant systems repeatedly suffered breaches is that the “state” of the systems and procedures that passed the audit changes from day to day. The likelihood that what was audited a month, three months or even six months ago differs from the environment on the day of a hack is pretty high.

Another reason is that hacks go around the seams, including PCI seams that are well publicized. Think about it. The PCI standards are widely published and well known, especially to hackers. While the public standards may not be building blueprints – so to speak – they offer enough evidence of what to expect, what to look for, and what to avoid that the defender’s home-field advantage is almost lost.

The underlying change

The underlying reason why PCI is dead is that it relies on the old perimeter security paradigm. Cloud, mobility and apps have obliterated the perimeter. In its wake, an entire lineup of tired security saw-horses – blithering consultants, practitioners and vendors – are still chipping away at an older generation’s concept of what stood for “good enough” security. That concept is now dead, except that it isn’t – because it’s the only thing we have, until the era of security intelligence is fully upon us.

As sure as the age of perimeter security is being deprecated, the use of PCI measures and controls will undergo its own aging process. But make no mistake about it, PCI compliance is not going to stem the tide, and will not provide the shield – it may slow the less capable a bit – that you might expect it should.

Once you’re beyond the expectation of compliance being security, you can move onto the intelligence that is needed to protect your data.

Did Google Out-Microsoft, Microsoft?

Friday, February 14th, 2014

Google Sells Motorola

In late January of 2014, Google announced it is selling the Motorola handset business to Lenovo for $2.9 billion. The company acquired the Motorola handset business and its numerous patents for $12.5 billion in 2011.

Most of the water cooler conversation, pundit and press coverage since the announcement has focused on dissecting the deal, including wondering who at Google is going to be axed as a result of the quick reversal of strategy and the ups and downs of the financials for Google.

Other common speculation has focused on the value Google will retain with its 6 percent investment in the deal and ownership of Motorola patents, and the impact on Lenovo and the Chinese high-tech industry from the combination of the Motorola handset and low-end IBM System x Series server businesses.

Google is Getting Out Now, while the Getting is Good

The obvious reason the deal is happening is to eliminate channel conflict. Google’s dual ownership of a shared software platform and a first-to-market hardware platform was a major source of conflict for its Android business partners, all of whom have complained about the Motorola acquisition since day one. If you were the head of Samsung, LG, or any of the other business partners, you’d be justly upset with Google for owning products that could one day put you out of business.

Google wisely concluded its ownership of both the preferred software platform and a competing hardware platform was too much for its value added business partners, all of whom are fielding Android-based products, including those made and sold by Acer, Alcatel, Amazon, Archos, Asus, Barnes and Noble, Cherry Mobile, Cube, Dell, Garmin, GeeksPhone, HTC, Huawei, I-Mobile, LG, Motorola, NEC, Pantech, Samsung, Sony Ericsson, Sanyo, Spice, Toshiba, Viewsonic and ZTEC among many others. Besides, Google has its Nexus lineup that teases what a pure Android experience is.

The less obvious reason for the sale is the more important one: acquiring Motorola was the wrong strategic move for Google. Beyond channel conflict, the biggest problem from the Motorola acquisition for Google was that it defocused the company away from its obvious core businesses including: market-segmented consumer data, context-based advertising, and its ability to innovate on its software platforms.

Instead of pouring resources into the Android software experience to bolster its core businesses, Google found itself being dragged into the hardware device business, a very different line of business with lower margins, quite at odds with a company whose roots and expertise lie in innovating in higher-margin software.

The market for handsets, tablets, and other consumer devices will inexorably march down the road toward device price — and cost — leadership which are not Google strengths, rather than value and software innovation leadership which are Google’s strengths. Google finally decided to refocus on its strengths: defining and innovating on the software platform experience. Google is telling its business partners with the sale of Motorola: you own the hardware device business!

Google Gets its Mojo Back from the Sale of Motorola

By selling the hardware business, Google puts itself back in the enviable position of potentially controlling one of the computing fulcrums for the next 30 years. Google may or may not be leaving money on the table with this deal, but a near-term loss on its investment is not as important as making the correct strategic moves. This deal solves the company’s channel conflict problems and brings it back to where it should have been all along, focusing on innovating the Android software experience.

By focusing on the platform software, Google is executing the same strategy Microsoft did in 1980 when it negotiated a contract with IBM to supply the operating system for the IBM PC. IBM would own the hardware business which is something it had done for years for mainframe and midrange systems, while Microsoft would own the operating system. History has shown which strategy was the better part of the deal.

Selling Motorola enables Google to deliver some missing capabilities that could result in a market hegemony similar to what Windows and the PC did for Microsoft in the past, but for Android software platforms into the future. The missing capabilities Google must focus on include delivering a uniform user experience across Android devices, and delivering uniform access to the most recent releases of Android.

The sale of Motorola also enables Google to focus on expanding its share of the Independent Software Vendor (ISV) community to build out the kind of portfolio that only Apple can claim today. Once its platform consistency problems are solved, its software partners around the world will feed on a much larger market opportunity, which in turn will lead to larger demand for Android devices and software services.

The sale of Motorola enables Google to reenergize its future and focus on its core competencies.

What about Microsoft?

The sale of Motorola presents some interesting questions for the new management team and board at Microsoft. The obvious question is: should Microsoft stick with the handset business the company acquired from Nokia, or divest itself of the handset business altogether?

Microsoft will have to rethink its “devices and services” strategy, recently pushed by former CEO Steve Ballmer. Deemphasizing the devices part of the strategy will allow the company to refocus on its roots of innovating in software, and exploit the opportunity for services that are independent of devices.

It also provides the new guard at Microsoft with an opportunity for a major strategy reset, one that, if taken advantage of, may leave the Android juggernaut untouched in the near term. But like a Trojan horse, a strategy reset could enable Microsoft to take advantage of its software innovation roots while providing it with the opportunity to embrace and overtake the City of Android by defining the other fulcrum of computing for the next 30 years.

What Changes for Corporate IT Buyers and Managers?

At this time, not much. Android and iOS remain the mobile platforms of choice that employees will continue to use on and off the job. Windows 7 remains the entrenched platform of choice for desktops and laptops. Will these platforms change in five years? Possibly, but you have plenty of time to not worry about it, and to react when and if change occurs.

But on the back-end, where the other fulcrum of computing for the 21st century resides, the battles are just heating up. Expect Microsoft to put its muscle behind services delivered through the Cloud as well as new application software services delivered through on-premises applications.

What Changes for Suppliers?

The sale of Motorola by Google energizes the firm and its ability to refocus resources on the Android platform and services and address both ends of the fulcrum of computing in the 21st century. After all, Google was born in the Cloud.

The sale of Motorola and a refocus by Google changes the supply landscape for all big and small firms generating revenue from the sale of systems, software and services, including: Amazon, Accenture, Atos, AT&T, Booz Allen, Capgemini, CA, Cisco, Citrix Systems, Core Logic, CSC, Dell, Deloitte, E&Y, HP, IBM, KPMG, iGate, Fiserv, Genpact, Getronics, HCL, Infosys, Intuit, Joyent, Microsoft, Oracle, SAP, Splunk, Tableau Software, PwC, Rackspace, Red Hat, AIC, SoftLayer, Symantec, Tata Consulting, Tech Mahindra, Unisys, VMware and Wipro, among many others.

The innovation taking place in software on the device end is being matched by innovation on the back-end by all of these suppliers, and more.

Did Google out-Microsoft, Microsoft?

Only time will tell, and the new players at Microsoft may have something to say about this, going forward, if they can keep the financiers at bay.

Microsoft may have to reinvent itself within the next five years if it is to remain credible for thirty years beyond that.


Google’s Blind Spot

Tuesday, December 17th, 2013

Google’s blind spot is privacy.

Google wants it both ways: it wants the government to stop collecting everyone’s private email and phone data, while at the same time Google is collecting – and enabling others to collect – the exact same information. So which is it, Google? Privacy or no privacy?

Change your practices, dear government

Google wants the US government – and NSA specifically – to change its practices.

See US Internet Giants Demand Sweeping Changes to Spy Laws in Open Letter to Obama.

The open letter to Obama

In an open letter to the US government, several of the Internet giants, including Google, state the following:

“The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information. While the undersigned companies understand that governments need to take action to protect their citizens’ safety and security, we strongly believe that current laws and practices need to be reformed. Consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight, we hereby call on governments to endorse the following principles and enact reforms that would put these principles into action.”

The recommended courses of action outlined in the open letter include:

  • Limiting governments’ authority to collect users’ information
  • Oversight and accountability
  • Transparency about government demands
  • Respect for the free flow of information
  • Avoid conflicts among governments

Google was not alone in penning this letter to the government: it was signed onto by AOL, Apple, Facebook, LinkedIn, Microsoft, Twitter and Yahoo in addition to Google.

There’s a lot to like about the noble objectives outlined by the open letter: in fact the objectives are so upright they could become part of a compact between Google and its customers.

Google’s worry

There’s a reason why Google and the other Internet giants are taking the position that the government – and NSA specifically – should change its practices. If the NSA doesn’t, it will materially impact the ability of these companies to make money based on a presumption of trust that customer data remains sacrosanct and protected.

After all, if you live, conduct business or lead a government outside the US, why would you trust any of these Internet giants if the NSA is simply going to pilfer your data with its Internet dumpster-diving behavior?

Well you wouldn’t, would you!

And this is what has the Internet giants as nervous as a bug in a room full of fly-paper. After all, the inability to protect customer data will directly impact any service provider – small or large – and it’s already having an impact on orders and revenues among these companies.

Back to Google’s Blind Spot

However, while nobly championing the rights of citizens and corporations to be assured that their data is not being vacuumed up by the NSA, Google recently prevented its customers from being able to limit what app vendors – and Google itself – can do to vacuum up your location, your contacts, your photos, your profile, your social contacts, your email and your calendar entries, among other personally identifiable data.

Google did this by eliminating access to App Ops, an Android interface that lets users control how much of their personal information is accessible to applications, and how much is not.

Google’s recent removal of access to App Ops with the release of version 4.4.2 of Android – which now powers almost 80 percent of all smartphone shipments – removes the ability of its consumers and corporate customers to control how much of their private data they are willing to cede to the for-profit commercial crowd – including the signers of the open letter – that makes money from the trade in personal information.

What’s different about NSA and the commercial for-profit crowd of snoopers is that one is doing it to protect its citizens, while the others are doing it to make money from personal information obtained through smartphones, tablets and almost anything else connecting to the Internet today.

What’s to prevent any commercial credit agency, insurance behemoth or government from obtaining under contract – in exchange for money – the treasure trove of PID being collected by the likes of Google and its Internet giant cousins?

This behavior almost seems to be: “do what I say, not what I do.”

Can Google take the high ground?

If Google were smart about perception and its future prospects, it would make darn sure that access to App Ops ships in Android forthwith, and make hay about the company’s commitment to privacy.

Now, it’s been argued that App Ops is not ready for prime time, and that including it without its having been fully tested has resulted in some apps being broken. But if Google were genuinely interested in providing its customers with more control over their own data (and locations, etc.), the company would let its customers make their own decision about whether they wanted to use the app or not, given the risks perceived by each customer.

Beyond App Ops, Google might take the high ground by penning an open letter to its own customers and consumers. Perhaps something along the lines of:

  • Limiting commercial Internet giants’ authority to collect users’ information
  • Oversight and accountability
  • Transparency about application-provider demands
  • Respect for the free flow of information
  • Avoiding conflicts among parties

Hopefully the removal of App Ops is just temporary. Perhaps Google is simply broadcasting to its application development ecosystem that changes in personally identifiable data (PID) are coming, and that software developers – and third-party traders in PID – should prepare their applications and their business models for the shift to a world where the user and the customer are in charge of their own data.

By gosh, Google might even become interested in a new business model whereby the value of privacy and PID make for a transparently huge market, unfettered by intermediaries such as Internet giants or App vendors.

Whatever it does, the dichotomous “do as I say, not as I do” is not going to work, short or long term, for Google. Pretending to ignore its own data collection practices while goading the government about its own is disingenuous at best.

Let’s see if anyone at the -plex is listening, and understands the import of this.

If Google is interested in how to turn this into a new multi-billion business, they can simply give me a call.

Research and the Lamp Post

Wednesday, November 20th, 2013

David Ogilvy once said, “I notice increasing reluctance on the part of marketing executives to use judgement; they are coming to rely too much on research, and they use it as a drunkard uses a lamp post for support rather than for illumination.”

Of course a lot has changed since David said this. He practiced at Gallup between 1938 and 1948, and then at Ogilvy and Mather between ’49 and ’73. Although David came out of retirement in the late Nineties, the world had changed by then, and it has changed enormously since.

Long gone are the days when there’s an internal staff versed in the ways of conducting and analyzing research; when it’s absolutely essential to “do it right” and when it’s okay to just ignore it. These have been replaced by research buyers who don’t know the difference between good and bad research. And it may not matter if the purpose of the “buy” is to confirm preexisting biases.

If we are to get beyond this, it will take an informed set of buyers to know what is good or bad research, what is secondary or primary research, and what is opinion versus pure conjecture and spin.

If there’s any hope, some industries “get it right” more often than others. And there may be some hope in using analysis of “big data” streams, especially where the sampling lends itself to these new sources of information.

Even so, it will serve us well to continually ask whether we’re holding up the lamp post or using it to illuminate the path.

Solving the Government Shutdown Blues

Monday, October 21st, 2013

The US Federal government shut down from October 1st through the 16th, 2013, for no obvious reason other than political grandstanding by elected representatives seeking to use the shutdown to solidify their “cred” for extreme-positions.

The impact of the shutdown is forecast to reduce fourth quarter GDP between 0.2 and 0.6 percent, or about $2 billion to $6 billion.


Time was when the value of Washington politicos was measured by how much they accomplished. It has devolved into how much they did not accomplish and how much they gummed up the workings of the country.

The solution to the problem is to ignore the extremists on all sides of the issues.

  • Stop covering the shenanigans.
  • Stop writing about them.
  • Stop all news coverage.
  • Stop all media coverage.
  • Stop all audio-video interviews.
  • Just say no!

Instead say yes to good behavior, the kind we all learned on the playground about playing nice with one another.

And then cover the heck out of the cooperation and collaboration!

The pre-schoolers currently in Washington just might change their behavior.

The NSA Cloud Backup Service

Wednesday, August 7th, 2013

Worried about whether you have a backup image of your critical data?

No need to worry anymore, it may already be backed up. If news reports are to be believed, the NSA has copies of meta-data for just about everything trolling over the Internet. Beyond meta-data, there’s also a good chance your data has also found its way into the NSA vacuum cleaner.

You just may not know it – and NSA is not going to tell you.

The current problem you’re going to have is finding someone at the NSA who’ll admit they have your data. This is before the brick wall you’ll encounter if you try to retrieve your data.

Maybe it’s time the agency considered establishing several competing Cloud backup services, each of which could focus on different markets, say by industry, or by size of organization. And of course there’s always the consumer market, where the volumes are so much larger.

Think of what the annual subscription fees could generate. At 10 percent of the US population, the 31 million people subscribing to such a service might pay upwards of $39 annually. The gross would be more than $120 million. And this is before you consider the business markets in the US, and of course all of the revenue opportunity outside the US.

By gosh, the annual subscription prices for an NSA Cloud data backup service could generate a large revenue stream for the US taxpayers. And who could compete with them? They’re a government monopoly and already appear to be the most efficient at collecting data. They may have to work on that “restore” thing.

And oh yeah, it may make more sense to outsource the commercial “customer service” aspects of this to third-party firms with a bit more experience and acumen for these things.

Think about it: the deficit could be eliminated and your tax dollars would be put to another public service heretofore not possible to achieve.

The only problem with this plan is that this could put the emerging market of Cloud backup firms out of business.

But then that’s probably not as much of a roadblock as the Fourth Amendment to the US Constitution.

Come to think of it, that hasn’t been a problem either. Full steam ahead!

The Internet 2.0 – Post Snowden

Monday, July 29th, 2013

The end of the Internet – as we know it today – may have started when Edward Snowden revealed what it had stealthily been usurped into.

The global Internet has been accessed by the US government through its contractors, who have accessed the data, systems and technologies deployed by the tech-titans that helped build-out and manage the Internet.

The tech-titans were forced to cooperate by the US Patriot Act and other laws in the US – and likely from pressure that has not been made public – to make data available to the US government.

Although “All’s fair in love and war,” as they say, the use of the Internet for espionage, spying, and warfare was not the intent of its creators, nor is it how it’s used by citizens and businesses around the world.

While the US has long pointed to spying and espionage by cadres in China, there is now public evidence pointing to its own home-grown forms of espionage.

What we have here is a government saying one thing by espousing an Internet freedom agenda, while hijacking the Internet for its own purposes.

But the US is not alone in this behavior. All of the governments around the world are playing this same game.

The US got caught throwing the sand around like it owned the sandbox.

The problem now will be how the other players react to having sand thrown in their eyes. Will the others (governments, foreign national businesses, state owned enterprises, etc) continue to trust that their data is safe?

Hardly, now that the “cat is out of the bag.”

I’m not suggesting we will see the “end of the Internet”, but its innocent age is definitely over, and has been for some time now.

The impact could be a balkanization of the Internet and a slowdown in the uses of the Cloud.

As a worse outcome, the Internet could turn into a means to implement an ultimate Panopticon, with the citizens of each country treated as the jailbirds.

It could also be we’ll see structural changes to the “Global” economy.

Whatever happens in Internet 2.0, it will look very different from the last five to ten years.


Surveillance Society: License Plates

Saturday, July 20th, 2013

As if being tracked on your cell phone and your email was not enough, news from the American Civil Liberties Union (ACLU) indicates there may be an even more clandestine effort going on to track the whereabouts of people by the use of license plate imaging.

In its article “Police Documents on License Plate Scanners Reveal Mass Tracking,” available here, the ACLU’s analysis of more than 26,000 pages of documents from police departments across the country shows that routine capturing, storage, sharing and analysis of license plate images has been going on for years already.

You can view the documents the ACLU received and conduct your own investigation and analysis if you’d like. These documents can be found at Automatic License Plate Reader Documents at the ACLU site.

I understand the need and desire to have information that will help catch the bad guys, but are we going too far when, as a society, we capture every movement, action, thought, written post and picture of all of our citizens?

This was certainly not the America envisioned by our forefathers nor the patriots who fought the tyranny of King George.

We are not becoming a surveillance society – we have become one already.

Happy Birthday America

Thursday, July 4th, 2013

On this day in 2013 – the traditional date of the declaration of independence in 1776 – it’s also time to review the codified principles that were later formulated in the Constitution of the United States. The Constitution was ratified in 1787 and went into effect in 1789.

Much of the original document focused on the structure of – and relationships between – the Federal government, the States, and the structures of the Federal government. It is the later adaptations – as amendments – focusing on the relationship between citizens and their government that are the spirit of the law that is celebrated today.

Here are some excerpts:


We the people of the United States, in order to form a more perfect union, establish Justice, insure domestic tranquility, provide for the common defence, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity, do ordain and establish this Constitution for the United States of America.

Amendment 1

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Amendment 2

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

Amendment 3

No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.

Amendment 4

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Amendment 5

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Amendment 6

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence.

Amendment 7

In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise re-examined in any Court of the United States, than according to the rules of the common law.

Amendment 8

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

Amendment 9

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

Amendment 10

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

Amendment 11

The Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.

Amendment 13

Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.

Amendment 14

All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.

Amendment 15

The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of race, color, or previous condition of servitude.

Amendment 19

The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of sex.

Amendment 26

The right of citizens of the United States, who are eighteen years of age or older, to vote shall not be denied or abridged by the United States or by any State on account of age.

If you’d like to see more, visit:

NSA Updates

Saturday, June 22nd, 2013

Some of the interesting coverage of the controversial vacuuming of communications in the US can be seen in the following stories:

Former NSA Analysts: we told you so …

Former NSA head defends agency

NSA debate: we’ve been here before …

PRISM explained in three slides

Hiding behind judicial robes



  • Is it only traffic meta-data that’s being vacuumed up by the NSA?
  • Is it all data and traffic?

I think the jury is out on the answers to these questions.

And I don’t think we’ve heard the end of this yet.

Instead I keep having deja vu moments of Dick Nixon with his arms raised in the air protesting loudly, “I am not a crook.” We all know how this turned out and I hope I’m wrong this time around.

No matter what happens in the coming weeks, it appears there are two intractable sides involved in this debate, one espousing freedom and the other touting security, as though they were polar opposites.

The debate is worth having and should be heard and joined in by every American. Join the debate: it is about what we value as a people and how we go about living our values.