Insights For Success

Strategy, Innovation, Leadership and Security

Continuous authentication is the future

General | Edward Kiledjian

User authentication is one of the most important and fundamental building blocks of security. It is built on a username and password, a token, biometrics, or some combination of these. Regardless of the model, authentication is traditionally a one-time event: it is performed when the user starts interacting with the target system, and the session is trusted from then on.

What do you do if you require a higher level of assurance? What if you need to make sure that the user interacting with your system is, at every moment, who they claim to be? This is where the concept of continuous authentication comes in. We started to see this concept implemented for the mass market with the Apple Watch and Apple Pay. You authenticate once, and as long as the watch stays on your wrist (validated by the watch's wrist-detection sensor), you do not need to re-authenticate. Apple Pay can then be reasonably confident that the person making a payment is the user who authenticated originally.

Continuous authentication is a paradigm shift: it moves authentication from a one-time event to a continuous risk management process.

Dynamic, risk-based authentication means the system continuously monitors changes to environmental and behavioral parameters and re-evaluates the trustworthiness of the user as it goes, rather than deciding once at login.

The shift to continuous authentication is inevitable. Not only will it make authentication more natural for the user, it will also allow security administrators to implement much tighter security models.

As an example, if the user walks away from the computer, the system could notice the absence and freeze the interactive session. Another example: a user working on a PC is tricked into launching malware. The system could be intelligent enough to recognize that a rogue process, rather than the human who logged in, is driving the session, and block its access.

Continuous authentication draws on the full array of modern technologies, and on others that have yet to be released: parameters such as keyboard typing speed and rhythm, how the user swipes on a touchscreen device, how the user moves the mouse, camera input (from modern-day cameras), gait analysis using the accelerometer in a smartphone or smartwatch, etc.
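To make the idea concrete, here is an added example (not from the original post) of how a continuous-authentication engine could score one of the signals listed above, keystroke dynamics. It enrolls a profile of a user's dwell and flight times, scores each new typing window against that profile, and keeps a decaying session risk that locks the session when the risk stays high. The keystroke record format, the statistics used, the decay factor and the lock threshold are all illustrative assumptions, as is the constructed sample data.

```javascript
// Added example (not from the original post): a toy continuous-authentication
// risk engine driven by keystroke dynamics. A keystroke is assumed to be recorded
// as {key, down, up} with timestamps in seconds; the features (dwell and flight
// time), the 0.7 lock threshold and the 0.7 decay are illustrative choices.

// Dwell = how long a key is held; flight = gap between releasing one key and
// pressing the next. Both are characteristic of an individual's typing rhythm.
function features(keystrokes) {
  const dwell = keystrokes.map(k => k.up - k.down);
  const flight = [];
  for (let i = 1; i < keystrokes.length; i++) {
    flight.push(keystrokes[i].down - keystrokes[i - 1].up);
  }
  return { dwell, flight };
}

function stats(values) {
  const mu = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, b) => a + (b - mu) ** 2, 0) / values.length;
  return { mu, sd: Math.sqrt(variance) || 1e-6 }; // guard against a zero spread
}

// Enrollment: build a statistical profile from several genuine typing samples.
function enroll(samples) {
  const dwell = [], flight = [];
  for (const s of samples) {
    const f = features(s);
    dwell.push(...f.dwell);
    flight.push(...f.flight);
  }
  return { dwell: stats(dwell), flight: stats(flight) };
}

// Anomaly score: mean absolute z-score of a live window against the profile.
function anomaly(profile, window) {
  const f = features(window);
  const z = [
    ...f.dwell.map(x => Math.abs(x - profile.dwell.mu) / profile.dwell.sd),
    ...f.flight.map(x => Math.abs(x - profile.flight.mu) / profile.flight.sd),
  ];
  return z.reduce((a, b) => a + b, 0) / z.length;
}

// Session risk is an exponentially weighted average of per-window anomaly, so a
// single odd burst does not lock the user out but a sustained change does.
class Session {
  constructor(profile, { decay = 0.7, lockAt = 0.7 } = {}) {
    this.profile = profile; this.decay = decay; this.lockAt = lockAt;
    this.risk = 0; this.locked = false;
  }
  observe(window) {
    const instant = Math.min(1, anomaly(this.profile, window) / 4); // z of 4+ => max risk
    this.risk = this.decay * this.risk + (1 - this.decay) * instant;
    if (this.risk >= this.lockAt) this.locked = true;
    return this.risk;
  }
}

// Constructed sample data: build keystroke records from dwell/flight lists.
function typed(dwells, flights, start = 0) {
  const ks = []; let t = start;
  dwells.forEach((d, i) => {
    ks.push({ key: `k${i}`, down: t, up: t + d });
    t += d + (flights[i] ?? 0);
  });
  return ks;
}

const GENUINE = typed([0.09, 0.10, 0.11, 0.10, 0.09, 0.11], [0.14, 0.15, 0.16, 0.15, 0.14]);
const LEGIT_WINDOW = typed([0.10, 0.11, 0.09, 0.10], [0.15, 0.16, 0.14]);
const IMPOSTOR_WINDOW = typed([0.20, 0.22, 0.18, 0.21], [0.40, 0.45, 0.35]); // slower, hesitant typist

// Feed windows into a session; return the index of the window that locked it, or -1.
function simulate(profile, windows) {
  const s = new Session(profile);
  for (let i = 0; i < windows.length; i++) {
    s.observe(windows[i]);
    if (s.locked) return i;
  }
  return -1;
}

const profile = enroll([GENUINE, GENUINE, GENUINE]);
console.log('genuine  lock index:', simulate(profile, Array(10).fill(LEGIT_WINDOW)));   // -1
console.log('impostor lock index:', simulate(profile, Array(10).fill(IMPOSTOR_WINDOW))); // 3
```

Run with node: the genuine windows keep the session risk around 0.19 and never lock, while the impostor's windows push the risk past the threshold on the fourth window. The decay is what turns a one-time check into a risk process: one odd burst of typing is tolerated, a sustained change is not.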

Although continuous authentication will be easy for users, expect it to be very complicated for developers. Expect this to be a burgeoning market in the coming years, and something most security professionals have to start thinking about. We expect to see serious mass-market products around 2020-2021.

Dramatic drop in the number of US Public Companies

General | Edward Kiledjian

Going public was considered the ultimate sign of success for any company in a capitalist market. It meant the company had succeeded and that the founders and original investors could reap some of the benefits. Public stock also allows companies to raise money, use shares as currency for acquisitions, and much more.

Would it surprise you to learn that the number of publicly listed American (USA) companies has declined dramatically?

We are currently sitting at about half the number of public companies compared to the 80s and 90s, as more are taken off the market through mergers and acquisitions. In 1996, 9,080 companies were listed in the USA. In 2017, that number had fallen to 4,336 (a drop of more than 50%).

We are seeing more and more companies stay private longer. Why is this? Many, like the US Chamber of Commerce, believe overly burdensome regulations like Sarbanes-Oxley encourage companies to stay private. Going public means spending millions on compliance, and executives running the risk of jail time.

The numbers show that the decline started around 1997-1998, while Sarbanes-Oxley was enacted on July 30, 2002. So SOX could be partly to blame for an acceleration in the rate of decline, but it cannot be the sole culprit. The rest of the decline could be attributed to the end of an era of irrational exuberance, when hundreds of unprofitable companies couldn't find continued funding and folded.

While the number of publicly listed companies fell sharply, the value of those that remained listed grew dramatically.

In 1996, the market capitalization of listed US domestic companies totaled 8.48 trillion dollars. In 2017, it hit 32.121 trillion dollars, all the while the number of listed companies dropped by roughly 50%.

Many market purists now complain that this illustrates an unhealthy concentration of market power in the hands of fewer and fewer companies. Perhaps there is some truth to these concerns but on the other hand, many of the winning companies did so through technological innovation and global expansion.

Does this concentration mean newcomers are starving for funding? The answer is a resounding no. Look at the company everyone loves to hate, Uber. According to Crunchbase, Uber has raised $24.2B through 21 rounds of funding. The same can be said for dozens of other companies.

Innovative startups are still able to secure critical funding to build, grow and expand.

Aren't public companies more transparent? The belief is that private companies are more opaque because there are fewer disclosure requirements and, in most cases, the company is managed by a small number of investors. Although government regulations like SOX impose a higher burden on public companies to be transparent, the truth is that a select group of large investors (think hedge funds, pension funds, etc.) holds the majority of the shares of most public companies. So if we agree that both public and private companies can be controlled by a select group of large investors, then the only real difference is the transparency forced by government regulation.

In addition to being VP Information Security for a large tech company, I am also responsible for many of the company's compliance activities. Would I love the compliance burden to lighten? Of course, but the truth is that these compliance requirements instill a certain level of trust in the market. It is this forced transparency that makes the Western markets so attractive to investors. Additionally, we saw the US attempt to lighten the regulatory burden on early-stage companies through the 2012 JOBS Act. The JOBS Act was designed to encourage smaller companies to go public. The argument was that these organizations were delaying going public because of overly burdensome government regulations. The JOBS Act dramatically reduced this burden, hoping to spur a mad dash to IPO heaven for companies under $1B in annual revenue. Twelve months after go-live, the number of companies that IPOed was just 63, down 20% from the previous year. It didn't really help companies improve their performance and it didn't spur a mad dash to the public markets as anticipated.

None of the available data shows that a reduction in government regulation or control would lead to a statistically significant increase in the number of IPOs.

Conclusion

The moral of the story is that the USA is still a world leader in free markets and has the most valuable public companies of any country. Part of this success is due to the perceived transparency that US government regulation creates, and hurting this in any way could undermine US public market leadership.

US public companies are raising more money than ever before, and US public companies are larger than ever before. Foreign companies looking for cross-border listings are overwhelmingly choosing US markets.

The US remains the most attractive public equity market in the world.

Although there are fewer IPOs today (compared to 20 years ago), modern public companies are more stable, are raising more money and are considerably more sustainable.

What is a Progressive Web App

General | Edward Kiledjian

Over the last 18 months, I have seen more and more sites prompting me to "Add to Home Screen" while I browse them. When you add the site, it installs itself in the background and is then accessible like a native app from your smartphone.

What I have just described is the wondrous working of a fairly new technology called Progressive Web Apps (PWAs). A PWA works even when you are offline and behaves like a "normal" smartphone app.

What are progressive web apps?

The term Progressive Web App was coined by Alex Russell and Frances Berriman. The technology driving PWAs isn't new; what was required was a new recipe for combining it so that a web app behaves like a native app. This means that a progressive web app will work (as long as the platform supports it) on an iPhone or Android smartphone, on a Chromebook or iPad, and on Windows or Mac.

True cross-platform applications, without needing to join an app store with super-restrictive controls (I'm looking at you, Apple).

Why Progressive Web apps

Like many of you, I live in a world with abundantly fast internet. This simply isn't the reality everywhere. Even in my own backyard of Ontario (Canada), there are communities where internet is delivered over very slow ADSL.

PWAs, once installed, cache content locally, which means they respond quickly even for those on slow internet connections.

Statistics show that users still prefer native apps to web pages. There are a ton of reasons for this, from convenience (a single tap from your home screen) to the ability to receive push notifications. The web simply doesn't offer the same bells and whistles.

PWAs offer most (if not all) native functions. They start with a single tap from the home screen and can hook into many native features. PWAs can even send notifications (like a native app) and therefore remind the user to open and engage with the app.

What is required to build a progressive web app?

This is not a technical instructional article, but you need four elements to build a Progressive Web App:


  1. Web App Manifest - A JSON file with metadata about the web app. It contains information such as the icon, background color, app name, etc.

  2. Service Workers - Event-driven scripts that run in the background, separately from the page. They perform tasks like caching content for offline use and updating the web app or its content.

  3. Icon - You need an icon to represent the Progressive Web App on the home screen

  4. HTTPS - The app and its content must be securely delivered over a TLS session. Browsers will not register a service worker on an insecure origin, since the worker sits between the page and every request in its scope.
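The following is an added example, not code from the original article, showing what the first two of those elements look like in practice: a minimal Web App Manifest with a check for the fields browsers require before offering "Add to Home Screen", and a service worker whose fetch handler serves cached content first and only caches same-origin, successful responses. The app name, paths and cache name are placeholders; the fetch logic takes its cache and network as parameters so it can be exercised outside a browser with the in-memory stand-ins at the bottom of the block.

```javascript
// Added example (not from the original article): a Web App Manifest plus the
// caching logic of a service worker. Names, paths and the cache version are
// made-up placeholders.

const manifest = {
  name: 'Example Field Notes',          // placeholder app name
  short_name: 'Notes',
  start_url: '/index.html',
  scope: '/',
  display: 'standalone',               // launch without browser chrome, like a native app
  background_color: '#ffffff',
  theme_color: '#0a5f8a',
  icons: [{ src: '/icons/notes-192.png', sizes: '192x192', type: 'image/png' },
          { src: '/icons/notes-512.png', sizes: '512x512', type: 'image/png' }],
};

// Check the fields browsers look for before they offer "Add to Home Screen".
function manifestProblems(m) {
  const problems = [];
  if (!m.name && !m.short_name) problems.push('name or short_name missing');
  if (!m.start_url) problems.push('start_url missing');
  if (!['standalone', 'fullscreen', 'minimal-ui'].includes(m.display)) problems.push('display is not app-like');
  if (!(m.icons || []).some(i => /^(192|256|384|512)x\1$/.test(i.sizes))) problems.push('no icon of at least 192x192');
  return problems;
}

const CACHE = 'notes-v1'; // bump the version to invalidate old content on update
const PRECACHE = ['/index.html', '/app.js', '/styles.css'];

// Only cache responses worth trusting: GET, successful, and same-origin
// (type 'basic'). Otherwise an error page or a third-party response would
// be frozen into the offline cache and served on every later visit.
function cacheable(request, response) {
  return request.method === 'GET' && !!response && response.ok && response.type === 'basic';
}

// Cache-first strategy: serve from cache when possible (fast, works offline),
// otherwise go to the network and remember the answer for next time.
async function handleFetch(request, cache, fetchFn) {
  const hit = await cache.match(request);
  if (hit) return hit;
  const fresh = await fetchFn(request);
  if (cacheable(request, fresh)) await cache.put(request, fresh.clone());
  return fresh;
}

// Wiring inside a real service worker (this branch only runs in that context).
if (typeof self !== 'undefined' && typeof self.skipWaiting === 'function') {
  self.addEventListener('install', e =>
    e.waitUntil(caches.open(CACHE).then(c => c.addAll(PRECACHE))));
  self.addEventListener('fetch', e =>
    e.respondWith(caches.open(CACHE).then(c => handleFetch(e.request, c, r => fetch(r)))));
}

// Minimal in-memory stand-ins for the Cache API and fetch, so the logic above
// can be run and checked with node, outside a browser.
class FakeCache {
  constructor() { this.store = new Map(); }
  async match(req) { return this.store.get(req.url); }
  async put(req, res) { this.store.set(req.url, res); }
}
function fakeResponse(body, { ok = true, type = 'basic' } = {}) {
  return { body, ok, type, clone() { return fakeResponse(body, { ok, type }); } };
}

// Constructed scenario: one page fetched twice, one cross-origin script, one 404.
async function demo() {
  const cache = new FakeCache();
  let networkCalls = 0;
  const network = async req => {
    networkCalls++;
    if (req.url.startsWith('https://cdn.example.net/')) return fakeResponse('lib', { type: 'cors' });
    if (req.url.endsWith('/missing')) return fakeResponse('not found', { ok: false });
    return fakeResponse('page:' + req.url);
  };
  const page = { url: 'https://notes.example/index.html', method: 'GET' };
  await handleFetch(page, cache, network);
  await handleFetch(page, cache, network); // second request is answered from cache
  await handleFetch({ url: 'https://cdn.example.net/lib.js', method: 'GET' }, cache, network);
  await handleFetch({ url: 'https://notes.example/missing', method: 'GET' }, cache, network);
  return { networkCalls, cached: [...cache.store.keys()] };
}

console.log('manifest problems:', manifestProblems(manifest));
demo().then(r => console.log(r)); // 3 network calls, only index.html cached
```

The `cacheable` check is the part worth keeping when adapting this: a service worker that blindly caches everything will happily serve a stale error page or a third-party script forever, and because the worker intercepts every request in its scope, that is also why browsers insist on HTTPS before they will register one.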

Progressive Web app examples

You will find new PWAs every day, but here are a couple of cool ones to get you started:

Tochka DarkNet Marketplace

General | Edward Kiledjian

It's been a while since I posted about a Darknet website. I would like to introduce you to the Tochka Marketplace ( http://pointgg3pgee4gic.onion/ ).

Tochka was launched in 2015 by Russian-speaking developers. It offers the ability to conduct transactions without the buyer and seller having to talk. Dead-drop transactions are available for more sensitive deals. They also offer a "Buy It Now" option called "Instant Trade".

This is a smaller marketplace and is less known than its more popular (aka newsworthy) counterparts. It has a poorer design and a questionable choice of colors.

Enter the marketplace

If you click on the vendor tab, you can choose your seller of choice.

You can buy anything from marijuana to marijuana oil, research chemicals, prescription medications, credit cards and everything in between.

Shipping Expertise

What you will find most interesting is the expertise they have developed in shipping items carefully wrapped in an attempt to bypass customs inspection. Hopefully, writing about it here may create interest from some police departments and shut down some of these more questionable and dangerous sellers.

Ridge minimalist wallet review

General | Edward Kiledjian

This is not an ad or sponsored post. This is an honest review.

I have been a fan of minimalist wallets for many years, and my wallet of choice has been the HuMn Aluminium wallet.

Ridge Wallet Specs

  • Holds 1-12 cards without stretching out

  • Blocks RFID (wireless theft)

  • Replaceable elastic

  • Backed by our lifetime warranty

  • 6061-T6 aluminum | anodized black

  • Weight: 2 oz | 86 x 54 x 6 mm

Ridge Wallet Use

To insert a card: gently slide it into the top groove.

To access a card at the top or bottom of the stack: press the ridged opening and pull the required card out from the top.

To access a card in the middle: push all the cards out through the ridge, separate the metal plates and then find your card.

This approach is similar to the HuMn wallet and most other plate-based wallets. It may seem a little odd to someone coming from a traditional leather wallet, but you will get used to it quickly. You will start moving your most-used cards to the top or bottom of the stack.

Design

The stated purpose of the Ridge was to design a sleek, minimalist wallet that would be durable and easy to use. I believe they successfully achieved this goal. The height and width of the Ridge Wallet are designed to be very slightly larger than a (North American) credit card.

First thing first, the wallet is a thing of beauty. Much better looking than the HuMn Wallet.

The aluminium wallet will feel slightly heavier than a "normal" wallet at first. After 3 weeks of use, the wallet feels normal and not heavy at all. For those looking for a lighter option, the polycarbonate or carbon fiber models are lighter. Unless you want carbon fiber for the look and prestige, the aluminium version is likely the best cost/benefit deal.

The wallet comes with either a money clip or an elastic band. I chose the clip version, which makes it slightly thicker and less useful. I recommend you acquire the elastic band version.

For those that carry their (normal) wallets in their back pocket, you will notice that your cards get slightly bent. The Ridge Wallet's aluminium "walls" are strong enough to keep the cards straight even if you sit on them.

The company claims that their wallet provides RFID protection. I used an RFID scanner to test this feature and can confirm that it does offer RFID protection (most leather wallets do not offer such protections).

Some companies provide non-standard-sized cards (loyalty and membership). Those non-standard cards do not work well with the Ridge. In my case, I do not have any of those.

Behavioral change

For those coming from a normal leather wallet, moving to any minimalist wallet will force you to reconsider which cards you carry with you on a daily basis. In my case, I scanned all my loyalty cards into Google Pay (and Apple Pay) and leave those at home. Additionally, I stopped carrying cards I barely use.

Conclusion

Coming from the HuMn Wallet, I wasn't sure how I would feel about the Ridge Wallet. The truth is that I liked it much more than I expected, and it has now become my main daily-use wallet.

They have made a great product that balances form, function and cost.

It is strong, light and dependable. For those looking for a great EDC wallet, this is currently the best choice available (I have tested over a dozen such wallets).

Link: Ridge wallet