
Exploring the science and magic of Identity and Access Management
Tuesday, December 23, 2025

Jared Dudley, You Inspire Me!

Leadership, Sports
Author: Mark Dixon
Thursday, August 12, 2010
6:07 am

Jared Dudley, you inspire me!  You really do.

For my second sports blog of the day, I share with you three tweets that reveal why Jared Dudley succeeds.  Jared is a go-to bench player for the Phoenix Suns.  He has not been blessed with superlative talent.  In the high-flying, above-the-rim style of NBA basketball, he can barely dunk the basketball.  But the kid works, and works, and works … and his persistence pays off in games.  Time after time, his coming off the bench inspires the team to new levels of effort and performance.

A bit of his secret?

At 11pm on Tuesday night earlier this week, in the middle of the summer, Jared was watching film, trying to figure out how to improve his game.  He shares his thoughts with us:

Every night I been watching film on the top players I have to guard. Tonight is Kobe and the Lakers. It’s cuz of him I’m goin on this diet lol

I’m watching this WCF vs lakers, and Kobe can wear u down..Right when i thought I had some of his moves down he shows me something new

My thinking is I’m not getting any taller or a longer wing span.. So I better get in the best BBALL shape possible.. Back to the LAB

The best BBALL shape possible.  Yes, we can learn from that.  No matter where we are, or what we are doing in life, we can improve our performance, regardless of physical constraints that would hold us down.  We need to study, and work, and study and work some more.  Then, we can rise above our limitations and achieve greatness.


Go Diamondbacks! Breakout from Misery. Go Yard.

Leadership, Sports
Author: Mark Dixon
Thursday, August 12, 2010
5:47 am

The Arizona Diamondbacks have given us little to cheer about this season.  They are mired at the bottom of the National League West with a dismal .400 record.  But yesterday, as reported by KTAR.com, “The Arizona Diamondbacks tied a major league record by hitting four consecutive home runs, with Adam LaRoche, Miguel Montero, Mark Reynolds and Stephen Drew connecting in the fourth inning Wednesday night to beat Milwaukee 8-2.”

You can view a video of all four solo shots here.

Only seven major league teams have accomplished this amazing feat in the history of the game.

The lesson? No matter how dark and impossible our world seems to be, we all have the potential to break out in a spectacular way.  In the face of immense opposition, we must, as urged by the Curtis Mayfield song, “Keep on Keeping On.”


Busticate the Behemoths in Your Life

Leadership
Author: Mark Dixon
Wednesday, August 11, 2010
4:40 am

Busticate: to break into pieces

Behemoth: any creature or thing of monstrous size or power

While I was in heads-down study mode for the CISSP exam last month, on two successive days, the Dictionary.com Word of the Day service sent out the words “Busticate” and “Behemoth” to my mobile phone.

I chuckled a  bit and tried to apply that advice to the exam: Break the broad spectrum of Information Security subject matter into manageable chunks and focus on each chunk in turn.  It seemed to help.  When I receive the results from my test (yes, I am anxious), I’ll have to attribute partial credit to Dictionary.com!

When confronted by seemingly insurmountable obstacles in our lives, we can benefit from this approach: Let’s break out our figurative big hammers and Busticate the Behemoths into manageable chunks that we can successfully manage.

At least for a while, I think I’ll let this new adage replace the advice of “How do you eat an elephant? One bite at a time, chew well.”


Cloutage.org – Cloud Incidents, News, Resources

Information Security
Author: Mark Dixon
Wednesday, August 11, 2010
4:16 am

Thanks to my colleague Simon Thorpe for pointing out Cloutage.org, a website which provides up to date information about outages and security incidents in public cloud computing:

“Cloutage exists to empower organizations by providing cloud security knowledge and resources so that they may properly assess information security risks. The project aims to document known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources.”

 

The Cloutage home page shows a list of “Latest Cloud Incidents.”  Here are the most recent three:

[Image: the three most recent incidents listed on Cloutage]

I was particularly interested in the Evernote data loss, because I am a heavy Evernote user.  I don’t think I lost anything, but it makes me rather nervous – and thankful for the local repository of everything stored in the Evernote cloud.

I suppose the message this brings most strongly home to me is this: Cloud Computing is not invulnerable.  Our trust in cloud computing must be based on solid evidence of sufficient information security.  We must demand (and, as security professionals, help enable) auditable security technology and processes in cloud computing.


Pass the Information, and Stand Back!

General
Author: Mark Dixon
Friday, July 16, 2010
4:28 pm

Father to young son, “If you eat any more ice cream, you are going to explode!”

Son to Father, “Pass the ice cream, and stand back!”

That is about what I feel like right now, although I am ingesting Information Security information rather than ice cream.  If I try to stuff one more arcane detail about encryption algorithms, security models  or communications protocols into my brain, I think it will explode.

So … pass the information and stand back!


Encryption Games at the Cyber Command

General
Author: Mark Dixon
Thursday, July 15, 2010
7:05 pm

It was fitting today that as I studied the subject of encryption in preparation for my CISSP exam, I stumbled upon information about the newly-formed United States Cyber Command, a US armed forces sub-command subordinate to United States Strategic Command. The command was officially activated May 21, 2010 and is slated to reach fully operational readiness by October 2010.

The Cyber Command:

“ … plans, coordinates, integrates, synchronizes and conducts activities to direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”

Defense Secretary Robert Gates stated in the official June 23rd announcement:

“Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our nation’s security and, by extension, to all aspects of military operations. Yet our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

OK.  This sounds like a good thing to do.  But what was really intriguing and fitting for me today was to learn that the command’s handsome new emblem contains an encrypted message in its inner gold ring: 9ec4c12949a4f31474f299058ce2b22a.


Can you figure out what it means?  The Wikipedia article for the command states:

“The text "9ec4c12949a4f31474f299058ce2b22a", which is located in the command’s emblem, is the MD5 hash of their mission statement.”

This is consistent with a statement from a command spokesman quoted in an article by John Cook of Yahoo! News.  However, something is not quite right.  John explained:

“We tried encrypting that entire statement using an MD5 hash generator, and we didn’t get a match to the logo code. So it looks like just a portion of the statement has been encoded.”

Wired Magazine has launched a contest to see who can crack the code.  Can you do it?  You can win a t-shirt from Wired or a ticket to the International Spy Museum.

Even better, rumor has it that the Cyber Command wants to hire 1,000 new cyber specialists over the next few years.  Maybe this game is part of the recruitment process.

Or … maybe this will remain another obscure mystery destined to be mentioned someday in a novel by Dan Brown.
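The failed match John Cook describes is what a hash does when even one byte of the input differs, and his "just a portion" hypothesis can be tested mechanically. The sketch below is an added example, not code from the post or from Wired: it hashes the full statement and every contiguous run of words and compares each to a target. The function names and the constructed sample are assumptions, and the statement text is copied from the quotation above, whose leading “…” marks an omission.

```python
import hashlib

EMBLEM_MD5 = "9ec4c12949a4f31474f299058ce2b22a"  # value quoted in the post

# Mission statement as quoted in the post; the post's leading "…" marks an
# omission, so this text is known to be incomplete.
QUOTED_STATEMENT = (
    "plans, coordinates, integrates, synchronizes and conducts activities to "
    "direct the operations and defense of specified Department of Defense "
    "information networks and; prepare to, and when directed, conduct full "
    "spectrum military cyberspace operations in order to enable actions in "
    "all domains, ensure US/Allied freedom of action in cyberspace and deny "
    "the same to our adversaries."
)

def md5_hex(text):
    """MD5 of the UTF-8 bytes of text, as lowercase hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def candidates(statement):
    """Yield (label, text) for the full statement and every contiguous portion.

    A hash covers exact bytes, so each form is a separate guess: the text as
    typed, with a trailing newline, each run of words joined by single spaces,
    and that run with trailing punctuation removed.
    """
    yield "full text as typed", statement
    yield "full text + newline", statement + "\n"
    words = statement.split()
    for i in range(len(words)):
        for j in range(i + 1, len(words) + 1):
            span = " ".join(words[i:j])
            yield f"words {i}-{j - 1}", span
            bare = span.rstrip(".,;:")
            if bare != span:
                yield f"words {i}-{j - 1}, trailing punctuation removed", bare

def find_match(statement, target_hex):
    """Return (label, text) of the first candidate hashing to target_hex, else None."""
    target = target_hex.strip().lower()
    for label, text in candidates(statement):
        if md5_hex(text) == target:
            return label, text
    return None

# Constructed sample (not from the post): the target is the MD5 of a portion.
SAMPLE = "Alpha  beta, gamma delta."
SAMPLE_TARGET = md5_hex("beta, gamma")

if __name__ == "__main__":
    print("sample:", find_match(SAMPLE, SAMPLE_TARGET))
    print("emblem vs. statement as quoted:", find_match(QUOTED_STATEMENT, EMBLEM_MD5))
```

A `None` result for the emblem value only rules out the forms tried here; punctuation, capitalization or words missing from the quotation would each produce a different digest.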


Kerberos, the CISSP Mascot

General
Author: Mark Dixon
Thursday, July 15, 2010
5:21 pm

I think that Kerberos (or Cerberus), the three-headed dog from Greek mythology that guards the gates of Hades, ought to be proclaimed the mascot of the CISSP exam.  I think studying for the exam (including Kerberos, the computer network authentication protocol) is going to eat me alive.


National Strategy for Trusted Identities in Cyberspace

Identity
Author: Mark Dixon
Thursday, July 15, 2010
8:52 am

On June 25, 2010, the US Federal Government released a draft document entitled, “National Strategy for Trusted Identities in Cyberspace.” This document proposes a strategy that:

… defines and promotes an Identity Ecosystem that supports trusted online environments.  The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities. 

The Identity Ecosystem enables: 

  1. Security, by making it more difficult for adversaries to compromise online transactions;   
  2. Efficiency based on convenience for individuals who may choose to manage fewer passwords or accounts than they do today, and for the private sector, which stands to benefit from a reduction in paper-based and account management processes; 
  3. Ease-of-use by automating identity solutions whenever possible and basing them on technology that is easy to operate with minimal training;
  4. Confidence that digital identities are adequately protected, thereby increasing the use of the Internet for various types of online transactions; 
  5. Increased privacy for individuals, who rely on their data being handled responsibly and who are routinely informed about those who are collecting their data and the purposes for which it is being used;
  6. Greater choice, as identity credentials and devices are offered by providers using interoperable platforms; and
  7. Opportunities for innovation, as service providers develop or expand the services offered online, particularly those services that are inherently higher in risk.

The strategy proposes four primary goals and nine actions to implement and promote the Identity Ecosystem:

Goals

  1. Develop a comprehensive Identity Ecosystem Framework
  2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
  3. Enhance confidence and willingness to participate in the Identity Ecosystem
  4. Ensure the long-term success of the Identity Ecosystem

Actions

  1. Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
  2. Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
  3. Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
  4. Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
  5. Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  6. Address the Liability Concerns of Service Providers and Individuals
  7. Perform Outreach and Awareness Across all Stakeholders
  8. Continue Collaborating in International Efforts
  9. Identify Other Means to Drive Adoption of the Identity Ecosystem across the Nation

The Strategy Document doesn’t discuss any specific technologies, but rather, addresses the needs and general concepts required for a national Identity Ecosystem.

If you would like to make public comments on the strategy, a good place to visit is this IdeaScale page hosted by the Department of Homeland Security. Reading comments from other parties on that page is quite interesting.

In other areas of Cyberspace, the reactions to this strategy are mixed.  For example, an active proponent is my friend Dazza Greenwood, who encourages everyone to become familiar with the strategy and actively give feedback:

At the other end of the spectrum is a blogger, Arnold Vintner, whom I do not know, who shares a much more pessimistic view. In his post, “Obama Administration Moves to Reduce Online Privacy,” Mr. Vintner opines:

The Obama administration is proposing a new identity management system for the Internet which it calls “Identity Ecosystem.” This new system will replace individually managed usernames and passwords with a taxpayer-funded federally-managed system.

The scheme is outlined in the National Strategy for Trusted Identities in Cyberspace. The planned system will tie together all of your accounts into one national online identity.  This will enable the federal government to easily track all online activity of every American.

The system will start with the federal government requiring the ID’s for use in accessing federal web sites — such as for filing your taxes online.  The federal government will then force businesses to adopt the system, starting with banks and credit card companies and slowly spreading to encompass the entire online environment. Once fully implemented, Internet users will no longer be able to comment anonymously on blogs or web forums, because all online identities will be verified with the U.S. government.

Where do you stand?  I personally like the idea of public dialog on this issue and the call for public and private entities to participate in a solution.  I look forward to giving feedback and tracking progress.

 

How Does Your Broadband Connection Perform?

Telecom
Author: Mark Dixon
Wednesday, July 14, 2010
10:43 am

Thanks to my friends from the Arizona Telecommunications & Information Council (ATIC) for pointing out a valuable broadband performance testing service provided by the Federal Communications Commission.

A bit of introduction to the testing system:

“The purpose of the Consumer Broadband Test (Beta) is to give consumers additional information about the quality of their broadband connections and to create awareness about the importance of broadband quality in accessing content and services over the internet. Additionally, the FCC may use data collected from the Consumer Broadband Test (Beta), along with submitted street address, to analyze broadband quality and availability on a geographic basis across the United States.”

My Desktop results:

[Image: desktop test results]

My iPhone results, using the FCC  Mobile Broadband Test iPhone application:

[Image: iPhone test results]

Further information about this service provided by the FCC:

The Consumer Broadband Test, currently in beta, is the FCC’s first attempt at providing consumers real-time information about the quality of their broadband connections. Because measuring broadband speeds with software tools is not an exact science, we are providing two popular consumer broadband testing tools in this Beta version: Ookla and M-Lab. Both will enable consumers to test the quality of their broadband connection by transferring a small temporary file back and forth and measuring the results. Users will be randomly assigned to one of the two chosen testing tools: Ookla or Network Diagnostic Tool (NDT) running on the Measurement Lab (M-Lab) platform, or they can choose their preferred tool by using links on this page. Each test is likely to provide a different result, and the differences may be significant in some cases. While the tests will give consumers some information on relative speeds, the FCC does not endorse either one as being a definitive testing method. In the future, the FCC anticipates making additional broadband testing applications available for consumer use. The FCC does not endorse any specific testing application.

Try it out!  Does your broadband performance match what you think you should get?


Why face recognition isn’t scary — yet

Identity
Author: Mark Dixon
Tuesday, July 13, 2010
9:52 pm

Thanks to Malisa Vincenti, leader of the LinkedIn Group Security & Technology – Critical Infrastructure Network & Forum, for highlighting the CNN article entitled “Why face recognition isn’t scary – yet.”


Much of the article was dedicated to describing the benefits and deficiencies of facial recognition software used by online services like Facebook, Picasa and iPhoto to make it easier for users to keep track of photographs.  Speaking of such functionality, Michael Sipe, vice president of product development at Pittsburgh Pattern Recognition, a Carnegie Mellon University split-off company that makes face-recognizing software, said these types of photo programs are a response to the hassles of keeping track of growing digital photo collections.

"In general, there’s this tsunami of visual information — images and video — and the tools that people have to make sense of all that information haven’t kept pace with the growth of the production of that information," he said. "What we have is a tool to help extract meaning from that information by using the most important part of that media, which is people."

It is interesting that one of the most distinguishing attributes of a person’s identity – his or her face – is so difficult for computers to recognize.  We humans often say, “I can remember faces much better than names,” yet computers are just the opposite.  It turns out that a person’s smile, which may be one of the most easily remembered features of the human face (for us humans, at least), is the most difficult for computers to comprehend:

Anil Jain, a distinguished professor of computer science at Michigan State University, said it’s still not easy, however, for computers to identify faces from photos — mostly because the photos people post to the internet are so diverse.

Computers get confused when a photo is too dark, if it’s taken from a weird angle, if the person is wearing a scarf, beard or glasses or if the person in the photo has aged significantly, he said.

Smiling can even be a problem.

"The face is like a deformable surface," he said. "When you smile, different parts of the face get affected differently. It’s not just like moving some object from one position to another," which would be easier for a computer to read.

So … what will happen when this technology matures and makes the leap from family-friendly Facebook to real-life security or surveillance applications?

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the motives behind the technology are what worry him.

Governments and corporations intend to use facial recognition software to track the public and to eliminate privacy, he said, noting that automatically identifying people in public in the U.S., when they are not suspected of a crime, could be a violation of constitutional rights.

When facial recognition comes to surveillance cameras, which are already in place, "you’re no longer racing through iPhoto to figure out how many pictures of Barbara you have," Rotenberg said. "You’re walking around in public and facing cameras that know who you are. And I think that’s a little creepy."

I suppose this is like many other technologies – there is an abundance of positive applications, and the potential for terribly nefarious uses.

For example, if facial recognition can be used to identify  terrorists so they could be detained prior to boarding airplanes, we would generally think that was a good application. 

Similarly, if I could be granted entrance to my corporate office building or be logged onto necessary computer systems just by smiling (or frowning) into a camera, the building and computer systems might be more secure and the present-day use of passwords or ID cards might go the way of the buggy whip.

However, if an abusive husband used facial recognition software to stalk his estranged wife, or if the government successfully tracked every movement its citizens made in the normal course of events, we would generally think of those applications as negative.

I have a crazy habit of smiling and waving at security cameras I see in airports or banks or convenience stores. Who knows what is happening on the other side?  At the present level of today’s technology, I’m probably being recorded and not much more.  In a few years, however, the sophisticated software behind the camera will probably recognize Mark Dixon and report my antics to the NSA.  That will surely make me frown, not smile, when I wave to the ubiquitous cameras.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.