If no one is on a social site, is it social?
I have been experimenting with the G+ social network and trying to decide if it's useful and, if so, how I am going to use it... the biggest limiting factor on G+ right now seems to be audience size. Everyone and their mother has a Facebook account. The best argument G+ defenders can make sounds suspiciously like what Mac defenders used to say back when people would criticize the availability of apps for the Mac (remember those days?), which is essentially "All the ones I want are available, and I don't really need all of the dreck that isn't available." I think we can do better. Right now G+ may turn into a more viable version of this blog for me.
The iPhone tracking kerfuffle
http://www.engadget.com/2011/04/21/the-iphone-tracking-fiasco-and-what-you-can-do-about-it/
This is such a non-issue. At worst, it means that Facebook will show me a McDonalds ad when I am near McDonalds. Perhaps advertisers may use my location data to determine that I never visit McDonalds but instead have a daily Starbucks habit, and show me an offer for a free lemon pound cake. This is the worst case scenario.
"But what about bad guys?"
In every situation, there are easier, more effective ways to do harm to you than to try to steal your phone or your phone backups surreptitiously. Non-state actors will mug you. State actors will make you disappear in broad daylight. Jealous spouses will just wait for you at home and kill you there.
If you have a cell phone that is turned on, your location can be derived without your direct knowledge. Cell tower triangulation isn't easy, but it's no more difficult than getting my phone's backups. If you are a target (and you know you are a target) then you are already using prepaid cell phones like Kleenex. If you are an unknowing target, you are pretty much screwed regardless: your adversary has the element of surprise.
There are very real privacy problems in today's world; this is not one of them. This is a tech-press Birther story that is only serving to get people to click through so they can get another banner impression and another tracking cookie on their hard drive.
Huh that's funny, my iPhone is now showing me an ad for a free cookie at Starbucks.
Getting things done
In part due to some inspiration from thesalesengineer.com, I picked up a copy of David Allen's Getting Things Done on Audible. What I like about it is that it is a fairly technical system with some very specific recommendations. After about a month, I feel I have a better handle on the status of my activities, so when I do my weekly review with my manager I can easily give the status of everything he needs to talk about, and I also know what I need from him. More as I spend more time with the system.
iPad to take over the Enterprise?
Information Week's Global CIO column by Bob Evans has a story on how the iPad is seeing rapid adoption in the enterprise, particularly in healthcare, thanks to virtualization technologies like Citrix. I am happy to say that I came down on the right side of the "useless toy"/"serious tool" argument.
What's most remarkable is the convergence of factors that have led to the iPad being a viable technology.
If the iPad had been introduced before the iPod in 2004, it would have flopped. Gmail wasn't introduced until April 2004, and Google, more than any other company, has pushed the idea of Cloud Computing. There had to be an App Store. There had to be a proliferation of server farms to drive down the cost of hosting your life online. Arguably, there had to be Facebook, which brought millions of non-technical people on board. Could we be looking at a world where there are only server farms and tablets, and the workstation/laptop is all but eliminated? Maybe in another 10 years.
Heading to RSA
Stop by the Dataguise booth at RSA in lovely San Francisco next week and say "Hi!" Should be a great show this year, I'm looking forward to it!
Data Masking vs. Data Encryption
During my day to day work I get to talk to a lot of really sharp technical and non-technical people across the Federal Government. Mostly, my partner and I are evangelizing the virtues of data masking on demand. I have spoken with CIOs, CSOs, CISOs ... plus the occasional DBA thrown in for good measure. It's been a lot of fun so far, although what surprises me a little is that not a lot of people have really thought about what data masking means and how it's different from encryption. Here's what I tell them, so if you're Googling those keywords I hope you stumble on this page; it should save you some time. In case it's not obvious, I work for a company that sells data masking software, so if you detect a (slight) bias in my opinions, that's why.
What is Masking?
Masking and encryption are really two sides of the same coin: both are transformations designed to obscure the real meaning of a message. Encryption is a two-way process: both sender and recipient use some sort of shared secret so that they can understand the message. The reversible nature of encryption is both an asset and a liability. The more people who have access to your shared secret key, the higher the probability that the key will be compromised. Everyone understands this risk, and so, depending on the value of the information being protected, additional controls are put into place, such as regular password changes, employee background checks, data access monitoring, etc. Unfortunately, as WikiLeaks illustrated, there's not a lot you can do about someone who has legitimate access decrypting and saving information.
For the purposes of this discussion, here are my terms:
- Encryption: A reversible process of applying a mathematical transformation to a given set of data to render that data unintelligible to anyone without the correct key material (a shared secret key, or a public/private key pair).
- Masking: A one-way, irreversible transformation of a data set that (when done correctly) protects key pieces of information through total de-identification.
I have to admit, my bias is showing a little bit here. Our masking product is very sophisticated and does a lot of things that no one else is doing right now.
Why Mask Data?
With masking, your entire goal is to not care about who gets access to your data set, because what they are going to see is not very useful. The key elements have been randomized, shuffled, or otherwise obfuscated such that any resemblance to the original data set is destroyed. This is really more than just putting a bunch of ###'s over someone's Social Security Number. Depending on the sophistication of your toolset, you might be able to find other uses in the enterprise for masked data, but this one is easy to understand.
In other words, masking is like encryption that is so powerful no one can decrypt it.
Or perhaps encryption is a weak form of masking... you tell me.
Limitations of Masking
The biggest problem with masking is that it is really not suited to a live, transactional production environment. It makes absolutely no sense to mask the database that (for example) your call center reps are using, because they have to have the real information to work with. To make matters worse, even deciding what to mask is non-trivial-- have you actually looked at your database lately? Hundreds (or thousands) of tables, each of those with hundreds of columns... it's enough to make your DBA break out into a cold sweat if you were to say "go find me all of the sensitive information in our application." Home grown scripts are out of the question for all but the most trivial masking applications. Then there's the problem of what to do once you've located all of your sensitive information. This is the reason why no one is really doing anything meaningful with masking right now... it's just too hard, with not enough reward at the end of it. Organizations look at the cost of doing a comprehensive assessment of their environment, determining masking policies, developing masking routines, and automating the work-flow and decide it's cheaper to just accept the risk of being hacked. The unfortunate reality of masking today is that it has been too expensive to implement masking to mitigate the risk of some sub-contractor leaving a laptop full of PII at a restaurant in Georgetown.
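The discovery step described above, at the trivial end where a home-grown script can still help: an added example (not code from the original post, and not from any vendor's product) that samples each table in a constructed SQLite database and flags columns by value pattern, a Luhn check for card numbers, and column-name hints. The tables, rows, patterns and thresholds are all constructed for the example; a real assessment also needs sampling across partitions, data-type awareness and a far richer pattern set, which is exactly the part that gets hard at enterprise scale.

```python
"""Added example: first-pass sensitive-column discovery over a constructed SQLite DB.

Stdlib only. For every table it samples rows, counts how many non-empty values in
each column look like an SSN, an e-mail address or a Luhn-valid card number, and
reports columns that clear a threshold ("data"), columns with some hits ("partial",
typically free text), and columns whose *name* suggests sensitive data even though
the values did not match, e.g. a column holding hashes ("name").
"""
import re
import sqlite3

THRESHOLD = 0.8     # fraction of sampled non-empty values that must match for "data"
SAMPLE_ROWS = 500   # cap per table so the scan stays cheap on large tables (constructed value)

# Value patterns are searched, not anchored, so free-text columns are caught too.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(r"\b\d{13,19}\b"),
}
# Column-name hints (constructed, deliberately narrow: "pan" would also hit "company").
NAME_HINTS = {
    "ssn": ("ssn", "social", "tax_id"),
    "email": ("email", "e_mail"),
    "card": ("card", "credit"),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def kinds_in(value) -> set:
    """Return the set of sensitive-data kinds that appear anywhere in one value."""
    text = str(value)
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue  # 13-19 digits that fail Luhn are probably an ID, not a PAN
            found.add(kind)
            break
    return found


def scan(conn: sqlite3.Connection) -> list:
    """Scan every user table; return findings sorted by table, column, kind."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        rows = conn.execute(f'SELECT * FROM "{table}" LIMIT {SAMPLE_ROWS}').fetchall()
        for idx, col in enumerate(cols):
            values = [r[idx] for r in rows if r[idx] not in (None, "")]
            hits = {k: 0 for k in PATTERNS}
            for v in values:
                for k in kinds_in(v):
                    hits[k] += 1
            reported = set()
            for kind, n in hits.items():
                if n == 0:
                    continue
                ratio = n / len(values)
                reason = "data" if ratio >= THRESHOLD else "partial"
                findings.append({"table": table, "column": col, "kind": kind,
                                 "ratio": round(ratio, 2), "reason": reason})
                reported.add(kind)
            for kind, hints in NAME_HINTS.items():
                if kind not in reported and any(h in col.lower() for h in hints):
                    findings.append({"table": table, "column": col, "kind": kind,
                                     "ratio": 0.0, "reason": "name"})
    return sorted(findings, key=lambda f: (f["table"], f["column"], f["kind"]))


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema and rows (fictional people, public test card numbers)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, full_name TEXT, ssn TEXT, contact_email TEXT, notes TEXT);
        CREATE TABLE payments (id INTEGER, customer_id INTEGER, card_number TEXT, memo TEXT);
        CREATE TABLE legacy (id INTEGER, tax_id_hash TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", [
        (1, "Alice Johnson", "123-45-6789", "alice@example.com", "called re: refund"),
        (2, "Bob Smith", "987-65-4321", "bob@example.com", "SSN on file 555-12-3456 per rep"),
        (3, "Carol Diaz", "555-12-3456", "carol@example.com", ""),
    ])
    conn.executemany("INSERT INTO payments VALUES (?,?,?,?)", [
        (1, 1, "4111111111111111", "web"),
        (2, 2, "5500000000000004", "phone"),
        (3, 3, "4012888888881881", "web"),
    ])
    conn.executemany("INSERT INTO legacy VALUES (?,?)", [
        (1, "9f86d081884c7d65"), (2, "e3b0c44298fc1c14"), (3, "2c26b46b68ffc68f"),
    ])
    return conn


if __name__ == "__main__":
    for finding in scan(build_sample_db()):
        print(finding)
```

The "partial" finding on the free-text notes column and the "name" finding on the hashed tax_id column are the two that matter in practice: neither would show up in a scan that only looks at well-formed columns, and both are exactly the places a masking policy tends to miss.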
Masking done right
This blurs the line a bit between information and persuasion, but it's my blog and I love this stuff so I'm going to do it anyway.
It doesn't have to be this way. When you are looking at masking products, here are some key questions to ask:
- How easily does this product tell me where my sensitive information is?
- How can I automate masking with this product so I can create a work flow?
- How quickly am I going to see results?
- Is the cost of buying the product cheaper than the fines and/or lawsuits that might come if my customer/employee data is compromised?
- If I mask the data, is it going to break my application?
Ask your vendor these questions... make them earrrrrn it... my customers expect me to be able to answer these, and you should, too.
Closing thoughts
Ultimately, masking and encryption are complementary, not competing, products. Encryption is still the best way to protect live data in your data warehouse. What people start to realize as they learn more about masking is that they can dramatically cut the number of people who need access to the pure, unvarnished data if there is a way to quickly and automatically provide masked data sets that preserve application integrity. This has the benefit of lowering the risk to your production environment and reducing your costs by reducing the need for production-level controls on non-production environments.
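As an added example (not code from the original post, and not from any vendor's product), here is what "randomized, shuffled, or otherwise obfuscated" from the "Why Mask Data?" section looks like for a constructed two-table data set, and why "will it break my application?" comes down to consistency: the masking is keyed and deterministic, so the email column that the orders table joins on masks to the same value in both tables; formats are preserved so column constraints still hold; and there is no unmask function anywhere. The key, the sample rows and the replacement-name list are all constructed for the example.

```python
"""Added example: one-way, keyed, deterministic data masking of a constructed data set.

Stdlib only. Direct identifiers (name, SSN, e-mail, date of birth) are replaced;
the HMAC key makes the mapping consistent across columns, tables and runs so joins
and uniqueness constraints survive. Nothing here is reversible: there is no unmask().
"""
import hashlib
import hmac
import re

# Constructed sample data (fictional people). ORDERS joins to CUSTOMERS on email.
CUSTOMERS = [
    {"id": 1, "name": "Alice Johnson", "ssn": "123-45-6789",
     "email": "alice@example.com", "dob": "1984-03-17", "balance": 1520.75},
    {"id": 2, "name": "Bob Smith", "ssn": "987-65-4321",
     "email": "bob@example.com", "dob": "1979-11-02", "balance": 80.00},
    {"id": 3, "name": "Carol Diaz", "ssn": "555-12-3456",
     "email": "carol@example.com", "dob": "1991-06-30", "balance": 0.0},
]
ORDERS = [
    {"order_id": 100, "email": "alice@example.com", "amount": 49.99},
    {"order_id": 101, "email": "alice@example.com", "amount": 12.50},
    {"order_id": 102, "email": "carol@example.com", "amount": 300.00},
]
# Constructed replacement names; a real tool carries a much larger list.
FAKE_NAMES = ["Pat Reyes", "Sam Okafor", "Lee Tanaka", "Kim Novak", "Jo Bauer", "Max Lindqvist"]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class Masker:
    """Keyed, deterministic, one-way masking. Same key + same input = same output."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _digest(self, column: str, value: str) -> int:
        # Mixing in the column name keeps identical values in different columns
        # from masking to the same token (no cross-column correlation leak).
        mac = hmac.new(self._key, f"{column}\x00{value}".encode(), hashlib.sha256)
        return int.from_bytes(mac.digest(), "big")

    def ssn(self, value: str) -> str:
        """Format-preserving: valid-looking area/group/serial so validators accept it."""
        if not SSN_RE.match(value):
            raise ValueError(f"not SSN-shaped: {value!r}")
        d = self._digest("ssn", value)
        area = 1 + d % 899          # 001-899: never 000 or 900-999
        if area == 666:             # 666 is never issued either
            area = 667
        d //= 899
        group = 1 + d % 99          # 01-99
        d //= 99
        serial = 1 + d % 9999       # 0001-9999
        return f"{area:03d}-{group:02d}-{serial:04d}"

    def name(self, value: str) -> str:
        """Substitution from a fixed list; collisions are fine, names are not unique keys."""
        return FAKE_NAMES[self._digest("name", value) % len(FAKE_NAMES)]

    def email(self, value: str) -> str:
        """Tokenised local part, fixed domain (the real domain can identify an employer)."""
        token = f"{self._digest('email', value):x}"[:12]
        return f"user-{token}@example.com"

    @staticmethod
    def dob(value: str) -> str:
        """Generalisation rather than substitution: keep the year, drop month and day."""
        return value[:4] + "-01-01"


def mask_customers(rows: list, masker: Masker) -> list:
    return [{**r, "name": masker.name(r["name"]), "ssn": masker.ssn(r["ssn"]),
             "email": masker.email(r["email"]), "dob": masker.dob(r["dob"])} for r in rows]


def mask_orders(rows: list, masker: Masker) -> list:
    # Same masker, same column name, so the foreign key still lines up.
    return [{**r, "email": masker.email(r["email"])} for r in rows]


def joined_order_count(customers: list, orders: list) -> int:
    """How many orders still resolve to a customer; should be unchanged after masking."""
    emails = {c["email"] for c in customers}
    return sum(1 for o in orders if o["email"] in emails)


def verify(original: list, masked: list) -> dict:
    """Checks a masking job should fail loudly on before the copy leaves production."""
    ident = ("name", "ssn", "email")
    orig_ids = {r[k] for r in original for k in ident}
    masked_ids = [r[k] for r in masked for k in ident]
    return {
        "row_count_preserved": len(original) == len(masked),
        "no_identifier_survives": not orig_ids.intersection(masked_ids),
        "ssn_unique": len({r["ssn"] for r in masked}) == len(masked),
        "ssn_well_formed": all(SSN_RE.match(r["ssn"]) for r in masked),
    }


if __name__ == "__main__":
    masker = Masker(b"constructed-demo-key-keep-this-in-production")
    mc, mo = mask_customers(CUSTOMERS, masker), mask_orders(ORDERS, masker)
    for row in mc:
        print(row)
    print(verify(CUSTOMERS, mc))
    print("orders joined before/after:",
          joined_order_count(CUSTOMERS, ORDERS), joined_order_count(mc, mo))
```

One caveat a practitioner should keep in mind: deterministic masking of a low-entropy field such as an SSN is only one-way while the key stays secret. Anyone holding the key can enumerate the roughly one billion possible inputs and rebuild the mapping, so the key lives with the masking job on the production side and never ships alongside the masked copy.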
Thanks for reading, I hope this was helpful and not too sales-y. Leave a comment if you have other questions or want me to go into specifics on something.
I just read it for the comments. No seriously.
Perusing TechCrunch this morning, usual stuff- Google is now Evil, Apple is still awesome, etc... in the middle of a normal Microsoft fanboi/hater exchange in the comments of an article I came across this gem:
Note the comment by hervelegers in the middle. Relish the disjointed phrasing and bizarre word selection. It's like your Uncle Saul standing up in the middle of your wedding reception and announcing that he really likes "the Black Ladies" because of their large posteriors: the music rips to a stop, everyone silently /facepalms, and the conversation resumes. What's really brilliant is that I don't think I could fake this comment: I would need to run some ad copy through a web translator a couple of times to get the degradation just right.
God I love comment spam
The first step is a doozy
Getting started on new things is always challenging. Take this blog post, for example. I've been kicking it around in my head for a few weeks now. I recently left Booz Allen Hamilton, where I spent 4 great years, and I felt that I wanted to say something about it, but I wasn't really sure what I wanted to say. Should I air the dirty laundry? Should I plug my new company? What about the tone... snarky? Wistful? In Trainspotting they choose Life (and a f***ing big television): I chose inaction.
If you find yourself inactive, do the first thing.
Write that first blog post after a long break, even if it's not perfect.
Give yourself permission to fail, because that's how you learn.
Click "publish".
Secret question time
Have an anonymous question you want to ask but are afraid of having it associated with your name? Leave it here. You can be as direct as you want, just don't post anything proprietary.