Security and Encryption

On Episode 9 of The Edge of Innovation, we explore what it means to be secure on the internet using encryption.

Show Notes

Quantum Computing and Encryption
Why You Shouldn’t Enable FIPS-compliant Encryption on Windows
Blue Coat Granted Powerful Encryption Certificate?

Transcript

Sections

Introduction to Security
A Rogue DNS Server
Encryption as Security
Security Enforcement and Certificates
A Matter of Law and “Let’s Encrypt”
Mandating Security?
For an Entrepreneur

Introduction

Paul: This is the Edge of Innovation, Hacking the Future of Business. I’m your host, Paul Parisi.

Jacob: And I’m Jacob Young.

Paul: On the Edge of Innovation, we talk about the intersection between technology and business, what’s going on in technology and what’s possible for business.

Introduction to Security

Jacob: So, Paul, we’ve been talking about security and anonymity. How do you know things are secure? When I open up my browser, and I use the internet, how does the internet know that the websites that I’m using are secure?

Paul: Basically by asking somebody else. You know, how do I know that this person is a good guy or a good gal. I ask somebody, “What do you know about them?” And somebody vouches for them.

So, you go to a website by typing in a domain name. You know, google.com. Well, the internet doesn’t communicate on domain names. It works on addresses. They’re called IP addresses, or TCP IP addresses. And that’s sort of like your house address. So, if you look at, you live at 123 Main Street, New York, New York, and the zip code, that can help somebody find you. They can say, “Okay, I live in Chicago. I have to drive east. And then I have to get to New York, and I have to find this street, and it connects to that street and to that street and to that street.”

All of those direction points are handled by what are called routers on the internet. But that’s dealing with an address.

Jacob: Right.

Paul: But I didn’t say that. You know, I said, you know, so, I want to get to google.com. If I were to be able to get a hold or in control of what the answer was when you asked me how do I get to google.com, I would have a lot of capabilities to do things.

That’s where DNS comes in, or the Domain Name System. So, the Domain Name System has specifically the responsibility of translating domain names into IP addresses.

So, when you type into your browser, www.google.com and hit enter or actually, most, in most new browsers, as you’re typing it, it’s starting to do it, a query goes out to a DNS server that says, “Can you give me the IP address of google.com?” And it’s the one provided by your ISP.

In a magical world, nobody had ever gone to google.com. What happens? That DNS server would say, “I don’t know. But hold on. I have a, another server I can talk to that’s up the food chain.” And it asks that one.

It says, “I don’t know. Well, let me ask another one.” And it does this for a few hops, if you will. But eventually, it’s going to time out, and it’s going to say, “I, I don’t know. Why don’t you go and ask the root servers?”

Jacob: Okay.

Paul: And the root servers are monster pieces of hardware that take requests all the time and respond. And when you buy a domain name, you go to GoDaddy, and you buy your domain name, you know, yada123.com. And what GoDaddy does is establishes a pointer in the root server that says the authoritative answer for this domain, the address book for this domain, is located on this server over here in Indianapolis.

Jacob: Okay.

A Rogue DNS Server

Paul: At this IP address. So, now let’s go through this again. So, we go and we look at, we look up yada123.com. You go to your Comcast DNS server, and it says, “I don’t know what that is.” It might go a couple of other hops, but eventually, it’s going to say, “I don’t know. Ask the root servers.”

So, I go to the root server, and you say, “Yada123.com.” And it actually asks the Y root server, because it starts with a ‘Y’ and they’ve broken them up. And there’s also, there’s a lot of scalability in there. And it says, “Gee. I don’t know. But I do know that yada123 is held by the registrar GoDaddy.”

So, it then asks GoDaddy, “Who has the start of authority? Who’s responsible for yada123?”

And it says, “Oh, it’s this guy in Indianapolis with this IP address.” So, all of that, so that that IP address can come back to your machine. And it can then requery and say, “Okay, Mr. Guy-in-Indianapolis, what’s the IP address for the web server for yada123.com?” And it hands that back. Okay?

So, great. Now, if I can compromise that DNS server… And by default, you use your ISPs. I could also set your DNS server to use a rogue one, and it would ask the question instead of to your ISP to that rogue server. So, I can poison that rogue server through manipulating it, to say, when somebody comes in and looks up yada123, don’t give them the address of the guy in Indianapolis, the, the real sort of authority, give it to this other one.

Jacob: Right.

Paul: So now, instead of coming out with 123.123.123.5 as the IP address, it comes out with 165.40.20.1. And you go to that site, and it says, “Ha-ha. You’ve been tricked.”

Jacob: Right.

Paul: Alright. That’s, that’s… I can do that. And you’re like, “Huh. I don’t understand. That’s weird. It’s not my yada123 site. It doesn’t have my stuff on there.”

A more clever thing to do is I build a clone of yada123.

Jacob: Sure.

Paul: And now you think you’re at yada123. You log in, and I then redirect you to the real yada123, but I’ve captured your password and username.

Jacob: Sure. Or even more insidiously, your credit card information.

Encryption as Security

Paul: Yeah. Exactly. So, that’s, that’s what happens. Now we introduce this idea of encryption. And encryption is simply scrambling up information so it’s hard to decode.

Jacob: Right.

Paul: And there’s this thing called public and private key encryption, whereas if you have a public key, if you have my public key, you can send me information encrypted with that public key. In order to decrypt it, I need my private key. That’s how SSL or HTTPS works.

Jacob: I see.

Paul: Is it sets these up so that that encryption is happening on the fly, and it’s not impossible to decrypt that on the fly but it’s nearly impossible. It’s very difficult, and you have to be very committed to do it.

At the time where there was some proof of concepts, they were talking like 50 Xboxes working in parallel to be able to decrypt the key, you know. So, it’s not, as I like to say, it’s not trivial, you know.

So, what happens in an HTTPS? So, how do I get that certificate, that public certificate? Well, there’s a key exchange.

But the key exchange happens with a certificate authority. So, yada123, I sign on to yada123. It sends me some information that I then take—it sends me a key that I take and validate. Okay, because it says, “You can validate this by going to this certificate authority and saying that yes, it’s proven that they are there.” And when I ask that certificate authority, they are a trustworthy organization, and they have issued that key. And they say, “Yep. That’s a valid public key.”

Jacob: Yeah.

Paul: So, now, that information can be encrypted with that public key. Now, what if I were to be able to compromise that certificate authority? Okay, it’s called a CA for, for short. I could then say, “Okay. You’re giving me this certificate. You’re sending it to me for authentication, and I’m going to authenticate it. Yep. It’s real.” But it’s not. So, the problem becomes if I can get in there and put a certificate authority in there that answered on your machine, hack your machine, and say that, “Oh, this is going to be the certificate authority for all .coms.”

So now when you type in google.com, and all of this stuff happens, I’ve maybe poisoned your DNS–or I didn’t even poison your DNS. I just say… Or you’ve got to go to this place for Google. So, now the key comes back. I can substitute my own key in there, because your browser is then going to go and check that key with the certificate authority that I’ve installed into your system. It asks, it says, “Oh, that’s fine.”

So, now you’re encrypting it with the intruder’s public key, and they are getting that decrypting it, and then re-encrypting it to go back to Google, after parsing the data.

Security Enforcement and Certificates

And there is a story that I read over the past month about a European country that has forced installation of certificate authorities on all of the machines that are running in their country. So, what that allows them to do is effectively subvert SSL whenever they want to, because they also have the wherewithal to have all the egress points to the country’s internet. So, they could actually filter data and decrypt it. And it is, it is a bad thing to do that. Now, you could also maybe write malware that would put certificate authorities on a machine and things like that.

But basically, so it’s, you know, who do you trust? And the certificate authority is a hierarchy of ways to trust that. And it does have a soft underbelly, you know, not in really it, but in the fact that I can present myself as a certificate authority.

Inside corporations, they create their own certificate authorities, because they don’t want to be dealing with a public certificate authority, pay them $100 or $1000 for each certificate. There are now free certificate authorities, but internally, you want to be able to control all that. You don’t want people to do that.

So, I can set up a certificate authority relatively easily, if I then make the next step of making that available on the internet and getting into your machine and saying, “Trust this certificate authority that Paul set up.” I can basically do anything I want with… And you would never know, because it would be completely encrypted.

There are tools now that are monitoring browsers and settings in them to say, “These certificate authorities aren’t good ones, or aren’t normally trusted.” And so, there’s a whole bunch of politics around that, and you need to be running some of those tools to do that.

A Matter of Law and Encryption

Jacob: So, talk me through the, the European case. Are there more dynamics there that are in play? Or are there ways in which we need to be alert for that for the sake of our business integrity?

Paul: I mean, they have said as a matter of law that you have to install the certificate authority on your PC if you live in that country. So, our government could do that. It doesn’t seem to be the way our government works. That’s sort of governmental overreach in an American’s opinion, uh, you know, but some, I’m sure they justify it in their own way. And it’s their government.

Jacob: I guess that means for any entrepreneur or any business, they have to be working with corporations or entities that are designing their website and doing their online interface, that are highly above board.

Paul: Well, up until recently, SSL was sort of an option, or HTTPS. SSL stands for Secure Sockets Layer, or HTTPS is HTTP, hypertext transport protocol secure. And what that does is it uses these keys. Over the years and it’s been relatively complex to implement an SSL certificate and it’s gotten a lot easier. Just recently, something came out which was really, it’s a revolutionary idea, is a project called “Let’s Encrypt”. And basically, they have produced a new certificate authority that is going to offer free, easy to implement SSL certificates. And so we did it on a site today, and it took like a minute to do that. Google has also said that you get extra points if your site defaults to SSL.

Now, Google is an actor in the world stage of the internet, and they’re usually a good actor. And that’s a statement they made back in early 2015, maybe even ’14 to say that we’re going to consider that a better thing and rank you better. What they’re doing is they’re trying to make the veracity, the faithfulness of the content that’s out there, continuous. So, security is a good thing. Encryption and security is a good thing.

So, the point is, is that you have to go to an extreme level of effort to compromise an SSL certificate. That may become easier over time. But it’s still a lot more work than to trick HTTP. Because there’s nothing in the browser, and there’s no mechanism to tell you that that is not an authoritative message from the right server. SSL helps you do that. And that’s what the green lock is and the secure site. It gives a human some assurance that you’re talking to the right site. That’s really all it is.

Mandating Security?

Now, humans make mistakes and certificates can expire. And what do you do? And I’ve been in that situation where you need to use a website, but they made a mistake and their certificate expired. Do you trust that? Because, could it be somebody else whose certificate has expired and all these different things? So, Google is sort of mandating this SSL, and if you have a website and you’re out there, you should be running default SSL now. Certainly with Let’s Encrypt.

Jacob: Sure.

Paul: Now, just before we go on, there are different levels of encryption in that Let’s Encrypt is basically, it’s just encrypted.

Jacob: Yeah.

Paul: There are also ones that verify the identity of the company that you are connecting to. And that’s where you get the green bar or the green… That they have gone to an extent to say, “We’ve actually found the people or the corporation that are responsible, and they exist, and they can be tracked. They can be found. There’s someplace we can go and get them.”

Whereas a Let’s Encrypt just says, “It’s encrypted.” It’s not easy to snoop that data, but now when you get that green bar, that that authorization, it’s saying that these are actually who they say they are in the certificate. Because you can open up the certificate. I encourage people to click on that green bar. And you can see all the identity information of who the company is.

Jacob: In the green bar that you’re talking about, where is that located?

Paul: In the browser there’s usually a green next to the URL. You’ll see a green signification, a little green area where you can click on the lock and it will show you who authorized them and what the information is that they authorized.

For an Entrepreneur

Jacob: I got you. So, I’m just envisioning an entrepreneur, and let’s say that she is trying to put together her company. A dynamic she wants to have on her research for a CTO for the company is going to be something along the lines of is the person she’s trying to hire in this situation familiar with these categories, familiar with SSL, familiar with these dynamics of encryption, levels of encryption as a point of just basic integrity for the company that she’s trying to launch, found.

Paul: Well, I think there’s a couple of different things. I’m not a huge sports fan, but let’s talk about what do you know. Do you know about football?

Jacob: I’ve heard of it.

Paul: Well, most people would say, “Yes, I do.” You know, and it’s it, but there is a huge spectrum of somebody knowing about football.

Jacob: Yeah.

Paul: They may know the teams. They may know the mascots. They may know all the rules. And so, when you ask somebody, and this is a tremendously difficult thing. DNS is three simple letters. SSL is three simple letters, but they’re very complicated. Actually DNS is very complicated, and it can be messed up really easily. And when you mess it up, it propagates all over the world. And then you have to un-mess it up, and it has to propagate again. And you could be in a situation where you’ve broken your DNS, and people can’t get to you.

Jacob: Yeah.

Paul: So that the implications of the depth of understanding that your technology hire or who you’re working with, can have tremendous implications. Really significant, your site can be down. And this has happened to big companies. So, it’s not like just because you’re a small company this might happen.

Jacob: Well, it’s happened. I remember building a website five or six years ago, and within the first 30 days, it got compromised. And we weren’t able to recover it, because of the propagation and all that stuff. We just had to drop it and move on.

Paul: Interesting. So, if you’re trying to hire somebody to deal with your technology issues, they need to be aware of these things. Or better, know somebody that’s aware of these things. Because nobody can be an expert in everything. It’s rare to find somebody that has a depth of knowledge across that. So, you want to partner with somebody that knows where to get the answer or how to find the answer. And also, not to take the first answer they get.

Jacob: Right.

Paul: Because it is very much like peeling an onion. There are lots of things. You know, I end up asking questions of people, like, “Why do you want to do that?” Because I’m trying to understand what their intent is. If they say, you know, “I just need you to change a DNS record for me.”

Why do you want that? And there’s implications to it. So, you need to engage people that are going to ask that why and understand the implications of it rather than just charging ahead.

Jacob: Yeah. Excellent. Thank you. I think that’s great.


The Craigslist Killer

On Episode 8 of The Edge of Innovation, we talk about how digital footprints make finding a killer almost too easy.

Show Notes

Open-Source License Plate Tracking
Preventing DNS-Based Data Exfiltration
A DNS Root Server Attack on Target?

Transcript

Sections

The Craigslist Killer’s Boot-prints
What is Done with Boot-prints Today?
Hacking a Corporation and Who Receives Damage
Where are the Flying Cars? Entrepreneurial Possibilities Beyond Bitcoin
Ads as a Necessary Evil?
Jeff Jonas and Data Fuzzing

Introduction

Paul: This is the Edge of Innovation, Hacking the Future of Business. I’m your host, Paul Parisi.

Jacob: And I’m Jacob Young.

Paul: On the Edge of Innovation, we talk about the intersection between technology and business, what’s going on in technology and what’s possible for business.

The Craigslist Killer’s Boot-prints

Jacob: So, Paul, we’ve been talking about anonymity in the last couple of podcasts, and what does it take to become anonymous in the digital age, and with our digital technology, and with the technology and how it tracks us and fingerprints. You were involved in one way or another with the Craigslist killer. So can you talk us through what that was, how technology caught up with him, and what exactly your part in that was?

Paul: Yeah, certainly. Well first of all, I wasn’t the Craigslist killer, and I never met him or know him.

Jacob: Thank you for clarifying that.

Paul: But at the time, I was CTO of a technology company that was basically allowing, produced tools to help people understand how things moved about the internet and what IP addresses were doing what and all these different things. At the time, you know, this stuff is growing exponentially every year, this technology that we’re talking about. But one of the things that this person did was use Craigslist. And they got IP addresses, and they got lists of who accessed IP addresses and looked at what ads and things like that, and got that information, and then used some of our tools to help pinpoint where these IP addresses were.

Now we didn’t invent technologies that like the geolocation stuff, but our tools made that easy to use. So you could go and type an IP address and then find out where that was.

Most IP addresses are fairly static. Now, you know, with a mobile IP address, it’s a little different, because you, you’ll have a cell tower attached to it, you know. And that doesn’t really help anybody. But your cell provider knows which IP address you had and when.

So, when you take all that and put it together, they could find out where this IP address was, and over a few weeks, they were able to determine where it was and what it was doing. And most computers that are doing something are controlled by a human and it happened to be that person. And that allowed them to identify that person. So, you know, it’s not terribly difficult to correlate these things. If you think about movies we watched as kids, where you would see the tracker in the forest tracking somebody, and they’d see the footprint, and it matched the boots the guy was wearing in the murder mystery. Well, that’s all we’re talking about now, is we have the IP address, you went to this, you read this ad, you were at this location where your phone checked in with the cell tower, and you were there at the time the person was allegedly killed.

Well, that’s really hard to argue with. And then we have this history of your web browsing based on Craigslist’s IP addresses and all the different things, and you looked at this ad, and you looked at this ad. 50 years ago, if you got in your car and drove downtown and did something, people would have seen you. Usually people lived in a small town. They’d observe you. “Oh, yeah. That’s Jacob’s car. Oh, yeah, yeah, yeah. I know him, and I saw him walk into the building, and, you know, somebody was killed in that building in the same hour that he walked into it.” Well, it would certainly make you a suspect.

What is Done with Boot-prints Today?

We just have a lot more footprints now. You know, and we might have seen your footprint, you know, walking through the wet cement. Okay, we have Jacob’s boot print there, you know, and the fact of the matter. But your boot print is one thing, an eye witness is better.

I have these boot prints with all this internet data that give me the ability to understand where you are and what you were doing.

You know, I hope that it’s not there’s some clandestine, you know, government agenda to wipe out all the people who don’t like basketball or whatever silly thing you want to say. But you know, there’s all these conspiracy theories and ideas and different things like that. And I would like to think that it’s all pure and milk and honey kind of stuff going on, that they basically just want to sell you things.

Jacob: Sure.

Paul: Get you to give us more of your money. And that, I think, is true. They definitely want to give us opportunities to spend our money. That’s why advertising works. That’s what the whole thing makes Google go round is advertising. And some can say, as I’ve said before, and I have a friend who’s interested in boats, and he loves to see boat ads and boat related material ads, as opposed to, you know, lawn mower ads. Well, what do I want to see a lawn mower ad for?

Jacob: Right, right, right.

Paul: I live in an apartment.

Jacob: I live in the city.

Paul: What’s the deal, you know? So, that is a benefit, but there is that underlying undercurrent of saying, “Well, nothing you do is anonymous nowadays,” and you know, when somebody commits a crime, can we get that data to help us prove that they did that crime? That’s a real interesting question.

Jacob: So, in the case of the Craigslist killer, you guys were able to do that, right?

Hacking a Corporation and Who Receives Damage

Paul: Yeah. Well, it wasn’t us doing it. They used our, some of our tools on our products. Some of the investigators used those tools, to get an understanding of where he was at what times. It’s sensational, but it illustrates the fact that the data is out there. And with a warrant, you can pretty much find out anything about somebody.

It’s fascinating what you can find out, or if you want to break the law. You know, if you’re willing to break the law, you can find out anything about somebody. There’s this shift over the past few years of the majority of hacking that’s done is criminal hacking, to get access to people’s personal information so that they can steal money from them or use that money, use that credit card and all. Fraud, basically.

And those aren’t attacks on a person. Those are attacks on a corporation’s database. So, you know, you’ve given Amazon your credit card numbers. Now, Amazon is like over-the-top on security, and they say that they’ve never been hacked. Some people say, “Well, they’ve never disclosed that they’ve been hacked,” but regardless, you’ve never heard, you know, like the Target breach or the Verizon breach or the Sony breach, or you know.

You’ve never heard anything like that about Amazon, but the fact of the matter is, is that there seems to be this “Oh, you know, don’t use the internet. You’re going to get hacked.”

Well, all of the credit cards I have, all the bank accounts I have, have insurance on them that is provided with them. I didn’t have to go buy it, that I am not liable for any fraudulent charges. So, what’s the problem? What’s the problem? Just last week, I tried to use my Discover Card out for dinner, and it came back declined. Well, that’s weird. You know, I pay my bills right on time. So, I paid with another card and called Discover, and they said, “Oh, there were 100 168 authorizations attempted for a dollar apiece over the past day.”

Jacob: Huh. Yeah.

Paul: And it was through PayPal. So, somebody had gone to a PayPal form, not logged in, but since you can become… You know, you can join PayPal and pay with your credit card, typed in my accurate credit card number and tried to get it authorized. And I don’t know what happened, but it either failed or it went through or it didn’t. But I talked to Discover, and they looked into it, and they immediately canceled the card, and they said, “Oh, don’t worry. You’re not liable for any of the fraudulent charges.” So, somebody either got that credit card number or guessed it. I mean, it’s only 16 digits, you know, and the first eight are usually the same. You know, so it’s not that terrible to figure out that I could guess it.

Discover did their job and locked the card.

Jacob: Yeah, yeah.

Paul: You know, so, what am I out of? What’s the problem here? Yeah, I was inconvenienced, but in the you could say, “Gee, they stole that from Amazon.”

Well, they might have. Or they might have just guessed the number. Because they didn’t use my name. They used Sandy Simpson. They typed that name in to try and activate. And they used that over and over and over again. I don’t know what they were thinking. So, it was probably some sort of bot doing it.

Jacob: Sure. Yeah.

Paul: Now, if they had used my name, it would have been evidence that they stole it, because that correlated piece of information rather than just guessing the number.

So, I don’t, I don’t understand that. And you know, and make sure you go to a bank that you say, you know, if somebody gets my bank account number and withdrawals all my money, what happens? Understand that before it happens. And if, if that bank doesn’t have a good answer, there’s a bank next door that probably has a better answer.

Where are the Flying Cars? Entrepreneurial Possibilities Beyond Bitcoin

Jacob: For entrepreneurs, are there any avenues or frontiers for the anonymous category of user interfacing with the internet that are unexplored or possibilities to be explored?

Paul: Well, I think one of them, you know, Bitcoin was sort of represented as a way to use anonymous spending and money. As it turns out, it’s really not anonymous because of the way the blockchain is, and you can just trace things back. In some ways, with Bitcoin, you need to say so where’s the flying cars? I mean, it didn’t happen. There are other proposed cryptocurrencies that may solve that problem of truly anonymous things.

Jacob: We talked about those in previous episodes.

Paul: Right. You know, remember. Cash is relatively anonymous. You know, they could scan the money and find out that you were the source of it by recording the serial numbers they give you, but you could give it to somebody. And they could give it to somebody, and they could give it to somebody, and they could give it… Immediately it becomes very difficult to trace.

So, entrepreneurial opportunities. There is a lot of opportunity in providing a semblance of anonymity, of what one might think is anonymous. But it’s largely all smoke and mirrors.

Jacob: So, it’s largely an elusive category.

Paul: It is. It is. There are people who want to do all these things. Like, you know, in the web browsers you have this private browsing.

Jacob: Sure.

Paul: All that does it doesn’t sustain cookies between sessions, practically, is really what it does. But it still presents your fingerprint. Now, an opportunity would be to have something that would skew the fingerprint. You know, just lie and say, “I’ve got all these fonts. I’m using this browser. I’m using all these different things.”

So, I think there’s some opportunities there. And there was a clever idea where these guys were really upset with ads showing up on websites. So, they built a browser that in the background, clicked on every single ad. That is brutal is because, up until now, clicking on an ad was either a mistake, you just randomly clicked, or it showed some interest that could correlate to your fingerprint, let’s say.

Jacob: Well, and I’ve heard that the reverse of that is if you, by having an ad block on your web browser, it’s presented as an ethical concern because ads are how the website is paying for itself to exist in front of your face.

Paul: Right.

Jacob: And so, you’re ethically violating the terms of the website. But I’ve never heard that before, that basically they reversed it. Rather than blocking the ad, they clicked on all the ads.

Paul: Right. Well, because then it becomes useless. Because now we don’t know what people are interested in or not interested in. And that’s nasty. I mean, you know, from a marketer, internet marketer, that’s a brutal thing to have happen to you.

Jacob: Yeah.

Paul: And the systems are not designed to deal with that. So, the problem would be is it does make the data useless, but it would indicate that you’re really interested in a lot of things, because the systems aren’t built to deal with that. So, so, that’s an opportunity. You know, the ad blockers are an opportunity, but like you say, the point of the ads is so that the people who are presenting the data can get some compensation for that data.

Jacob: Yeah.

Ads as a Necessary Evil?

Paul: You know, there’s apps on the iPhone and iOS that have a paid version that take the ads out. I have a solitaire game like that. I had the free one for a year, and then I got tired of the ads, and I spent the dollar. You know, I spent the whole dollar in one sitting, and now I don’t have the ads. So it’s an interesting… It’s sort of a quid pro quo. You know, the ads are what you give. Your eyes have to process through that, and unfortunately or fortunately, our society requires money so that people can live.

Jacob: Yeah.

Paul: And that is the ultimate arbiter of value is we attach it to money. What’s fascinating to me is that the ads are as effective as they could be. Because, if you look at the value proposition in most ads – and this has been proven in email marketing – the reason you get these harebrained emails is because they work.

And you’re like who in their right mind would click on this and do something with it? And they’re not scams, necessarily, but they’re like, you know, the flex hose. You know the hose that collapses, you know. And they were everywhere, you know, and it was an intriguing product, and it’s still out there and all that. And it has its pluses and minuses.

But boy, it was everywhere, and people were clicking on it and buying it and creating revenue.

I guess in some ways… I mean, you could sit there and say, you know, no more ads. And we’re going to government fund it all. And it just doesn’t seem to motivate people to be creative. You know, the reason Apple innovates in the iPhone area, is because they sell them and people pay for them. That’s why the iPhone 7 will come out and a bunch of people will go out and buy them, and they’ll be the people that will naturally attrite, basically, over time. Well, I’ve got an old iPhone 4. It’s time to get rid of it. I’ll get an iPhone 7. It’s going to be harder for people that bought iPhone 6s unless they’re geeks, and they love the new things. But they’re not going to see that.

But Apple will innovate. You know, Samsung has done some, you know… They’re advertising everywhere with their new Galaxy S7. It’s waterproof and it, you know. So, it’s like, “That’s cool.” You know, and, you know being in tech, we have these alliances with the technology, that I’m an iPhone guy, I’m an Android guy, I’m a this…

Jacob: Sure.

Paul: Most people look at it and say, “Oh that’s a new phone. It’s waterproof. That’s a great idea. The next phone I get, I might do that.” They have no idea of this Apple versus Samsung environment or Google versus Apple, you know. It’s just not, not that. So…

Jacob: Yeah.

Jeff Jonas and Data Fuzzing

Paul: I do think there’s an opportunity for an entrepreneur. They’re going to have to be a pretty heavy-duty one that can really win alliances. But what would be really cool is… There’s some work that a senior research scientist at IBM did. His name is Jeff Jonas, really cool data scientist. And it’s the way in which you can fuzz up data so that you can identify people who are the same people. So, rather than take Paul Parisi, and I might be listed in one database as Paul Parisi. I might be listed in one as P. Parisi. I might be listed as P.D. Parisi, or Paul D. Parisi. How do I fuzz that all up?

One might be 123 Main Street with street spelled out, and 123 Main St as my address.

And so, what they developed was a mechanism by which the database owner could fuzz that up and create a key that was basically a hash of these fields, once they were fuzzied. And we can apply that same algorithm to other people who own another database and fuzz that up. And then we can compare and say, “Do we have any that match?”

So, I could say to you, Mr. American Express, “I’d like to buy information on people I already have.”

Jacob: Yeah.

Paul: Okay?

Jacob: I see.

Paul: So, how do I do that? Well, I give them your name. No, because you’re looking it up in a phonebook. No, I fuzz up my data, and I say this is people I already have.

Jacob: Right. This is a digital set.

Paul: Yeah. Exactly. And they say, “Well, we have an overlap there of a thousand or a hundred thousand. And we have their spending habits for the past year.” Okay?

So, they have that data, and I think there could be, I mean, it would be very interesting. There’s some really huge problems to overcome. But to have almost a registry of the data that companies are doing.

Now, how would you, you know, arbitrate who gets access to that? It works in big aggregates. But I could probably… It would become a privacy issue, because I could say, okay, I know Jacob Young, alright. It could be J. Young. It could be Jake Young. It could be J.S., so I could do all the permutations of that, and fuzz it up in the same way. And then I could submit a query to this national database and get all your information on that.

But there’s some, there’s something in there that I think allows us to sort of see what do companies know about me. Google does this. They will let you see everything they have stored and delete it. Well, that’s pretty good. I would like to see that more and more, so that we could almost have a…

So, somebody could come up with a system that you sell to companies like Amazon or Google or whoever it is, that says, “Here’s how your customers can see what you’re storing about them.” That doesn’t exist. Google has spun their own up. You know, Amazon doesn’t show you… You can’t go and delete your purchase history or the fact that you browsed for pink underwear, you know, for yourself. Not that there’s anything wrong with that…

To be able to interact in a standard fashion with a website’s data, I think, would be, is a huge economic opportunity, to be able to provide those services, that infrastructure.

Jacob: Yeah. Excellent.


Also published on Medium.

© 2025 Paul Parisi
