Pitch and Play!

Pitch and Pitch. Last week I was part of a gemalto team organizing a hackathon on a security topic, with some great devs, tech architects, product managers and marketing folks. We spent 3 days playing the game of being a start-up. And, obviously, we had to play the game of the pitch. This is the standard exercise where a jury expects from you all the energy and all the positive power it needs to decide to bet on your project. That formal presentation requires you to cover important things such as the purpose of your project, the ultimate value proposition, the amazing business model, and potentially to unveil your heart, to convince everyone that investors can trust you to roll out what you promised and make them rich. Well, that is a short sum-up of a pitch, but that is the spirit. And it is usually a lot of pressure.

Play and Pitch. This is where I believe the PitchCards project could help. I had a chance to try a beta version. PitchCards is a game. It is about helping pitchers to pitch with no fear. The purpose of the game is to pitch a purely exotic project: a project that you have to invent in 10 minutes by drawing, eyes closed, 3 cards. One indicates which type of project you will work on (a connected device, a car, …) and the two others express a domain or a target (babies, dinosaurs, …). Once your pitch is ready, you have to present it in front of the other players: purpose, business model, and all the nice story your imagination built. Your audience will listen carefully, and will then have to give feedback on your pitch. This is triggered by drawing random questions from a card deck. Where did you look? Did you breathe correctly? What is your motivation? …

Pitch and Learn. I believe this game is sooooo relevant at this special moment of a hackathon. It is a way to train your attitude, to educate your voice and your mindset to present something fun, removing the fear and the giant attachment every start-upper has to their own project. It is much easier to receive a question about the efficiency of your talk while dealing with a fantasy project than while speaking about the super-idea you have been working on for 3 days or 3 months, isn’t it?

Buy the project. The PitchCards project will go live in January and you will have a chance to sponsor it, as it will land on Kickstarter. In the meantime, the team, made of Will and Camille, will improve, train, pitch and redesign the cards and the concept. But definitely, as a beta tester, I enjoyed the concept and the spirit! You might too, if you have any interest in pitch fun.

Are Hardware Based Secure Web Services a lost quest? No. Well…


As co-chair of the W3C community group aiming to offer web developers the possibility to access services provided by hardware tokens, I regularly receive questions about where this work is going…

Well. Executive summary. The good reasons for allowing a web app to access secure services stored in a hardware token, and the possible ways to implement that in browsers, are ready. But this is still not on the W3C planet. It takes the form of a report, edited by Sébastien Bahloul, a Morpho guy, and discussed with W3C Community Group members.

In detail. The good reasons for allowing web developers to access keys stored in a hardware token, or to trigger a signature which cannot be repudiated, are detailed in the report. There are some specific industry examples, such as government e-services, e-banking services, or commercial transactions which require legal binding, such as online signature. The potential users of this feature are legion. Basically, the European regulation named eIDAS “regulates electronic signatures, electronic transactions, involved bodies and their embedding processes to provide a safe way for users to conduct business online like electronic funds transfer or transactions with public services”. To deploy such services on the web, the web developer needs some means to access the hardware token (or the web will miss that European digital trust promise). Other countries such as Bolivia, Uruguay, Argentina and Peru are also requiring similar technology.

The technical aspects. The technical proposal embedded in this report is made of two technical features. First, a way to implement the W3C Web Crypto API in a hardware token. This is to allow the generation and the usage of a cryptographic key inside a token belonging to the user. Second, a way to digitally sign a transaction with a key, again stored in a hardware token, performing the signature confirmation via an interface the user can trust. Those two services are some of the building blocks for a trusted web, where the user is in control of the credentials used to encrypt or sign data.

So what is wrong? Well. This set of usages and technical features was presented to a large group of W3C members during the last W3C TPAC. And nothing amazing happened. The browser makers were kindly requested to have a look at it. But they showed low interest, while this topic has been discussed since September 2014. There might be a cultural problem behind the slow progress of this topic in W3C. Online access to European government services is not a priority for the major browser makers. In addition, most of the security actors have managed some hacks, like plugins, to be able to use smart cards or hardware tokens. But this era is over, as plugin maintenance and attacks on plugins are getting more sensitive.

And what is next? Next is about gathering the companies and countries interested in that feature, and starting to demonstrate to W3C that there is an important question here: do we want the web to get into secure services, as requested by online signature and government services? So if you are among the actors believing this web feature is key, join the Hardware Based Secure Services CG, so that we can collectively work on creating a Working Group in W3C…

What’s happening with the W3C Web Crypto API?


Well. The specification is finished!

[Here, cheers to Ryan Sleevi, Mark Watson and Harry Halpin, who actually led the editorial work during these 4 years.]

Where is it? You can read the most recent version here. It is this version that will be submitted to the W3C Director (Tim Berners-Lee), in order to make it a real W3C Recommendation. Fingers crossed.

Is it real? Yes. During the lifetime of the spec we had major browser makers contributing and monitoring, namely Google, Microsoft and Mozilla. Thus it is implemented. See http://caniuse.com/#feat=cryptography

Where is the interoperability proof? The test coverage can be found here.

So. What is the future? Things are moving on, and the group will soon enter its maintenance mode. The next action, once the specification is a Recommendation, will be to listen to the market and add any new algorithm that becomes widely used.

Thanks! That was a long and passionate work in W3C. Thanks to all members and individuals who contributed…


Middle Life Crisis Toolbox: anger screwdriver


“Anger is how we seek to create an illusion of control where we feel none.” Martha Nussbaum

I have been reading about anger, and anger again, this week. Here is what I found and liked.

On what is happening in our body when we get angry. This is where we should know the basics of the race between the cortex and the amygdala. The interesting part of this article also relates to the time needed between the anger peak and our return to a calm state. During that time we are still vulnerable to getting angry again. Well, read that and understand your body: https://www.mentalhelp.net/articles/physiology-of-anger/

On how to get angry a lot. That video is a list of common tricks to put ourselves into great anger. Guaranteed result. Funny and so true…

On the reasons why we get angry. “Anger begins with the many imperfections of existence”. In this section of the “Book of Life”, one can understand where anger starts and why it should get all our attention, and support. As you may get, expressing anger is expressing suffering. And the best thing to do may be to try to understand (and relax a bit, too). http://www.thebookoflife.org/why-you-get-so-angry-even-though-you-are-nice/

On the bridge between anger and creativity. This is a set of wise views on anger. One I like is “The internal living flame of anger always illuminates what we belong to, what we wish to protect and what we are willing to hazard ourselves for.” David Whyte. Some other interesting philosophical thoughts can be read here https://www.brainpickings.org/2016/11/04/may-sarton-anger/

On anger, forgiveness, and lovers. I cannot refrain from referencing another post from Brain Pickings, about Martha Nussbaum’s views, which deals with anger in the specific context of lovers, where trust and bonds give a special sense and violence to anger. One can also find in this post that the link between anger and self-respect, which many philosophers have made, is challenged. Please have a read here: https://www.brainpickings.org/2016/05/03/martha-nussbaum-anger-and-forgiveness/

Hope it helps!

Note: Picture “les pieds au mur” (feet on the wall) by Robert Doisneau

Note: other, more general Middle Life Crisis resources are available here

Non-violent security talk for small and medium business @ BlendWebMix

This week I was at a web conference named #BlendWebMix, which gathers all kinds of actors of the web economy, from investors to tech people, including designers, influencers, politicians, start-uppers, … Very diverse types of talks were given, 80 of them, and 1800 people attended the event. I was selected to give a very short presentation on privacy and security. My challenge was: convincing a broad audience, in 13 minutes, that privacy was something each of us, as workers, should take action for. Here is the core of my message.

I am fed up with the usual talk in security which says ‘provide privacy by implementing some security or you will burn in the hell of bad-reputation companies, together with Madison, Target, Yahoo, and potentially go bankrupt’. You know, that Fear, Uncertainty and Doubt (FUD). I tried another angle. I tried the non-violent path. And I believe there are two good reasons why people should give a chance (and budget and effort) to privacy.


The first reason can be found on the optimistic side of life. The good reputation. I have the feeling that in this digital storm of hacks, global attacks and social media bashing, the companies taking action to preserve the privacy of their users are playing a good game. And the user may know. And the user may appreciate it. And it may be a competitive advantage to invest in it and get rewarded for it.


The second reason is data protection, as defined by the European Commission. There is a new directive that mandates every company to allow its users to keep an eye on their data. It is the result of long discussions about the value of citizen privacy in our digital world. That regulation will be applicable in May 2018, to all European companies and to all non-European companies handling European citizens’ data. Well, yes, 2018 is the day after tomorrow. Which gives you only tomorrow to ramp up on good practices and get ready. The threat if you are not compliant with the regulation will directly touch your wallet, as fines could go up to 4% of your profits, as a company. Universities and public services are also subject to this regulation.

What does this regulation say? It says that users will have to explicitly opt in to the registration of their data, they will be able to control what you are doing with the data, and they will have the right to modify and delete their data. In addition, data portability will have to be provided. Finally, users will have to be informed about any breach related to their data. Data, in this context, means any piece of information which characterizes the user: name, address, but also geolocation, social media activity, any digital evidence left by the user that you are collecting.

Who is subject to this regulation? Any company which collects, processes, transmits or stores the data. This means you, but also anyone touching the data, closely or from afar. For example, the monetization partners (ads), or your cloud providers. Now you see what the impact could be!

This is where I tried a new technique for making the audience sensitive to the message. I asked them to pause for a second, to close their eyes, to breathe, and to think about one of their users. Lea, 30 years old, digital, agile, a conscious citizen, caring about her privacy. I asked the audience to answer, in the secret of their mind and heart, eyes still closed, the following questions: do you know which of Lea’s data you are taking into your super-super application or service? Do you know where Lea’s data are stored? When was the last time you had a conversation about privacy and security at work? I mean, not on Twitter, being scandalized by the global surveillance by states, but wondering, in your own framework. Some of the people in the audience smiled, and I felt some of the questions touched them. What about you?


Always aiming to convince the audience, in a smooth way, to take action for the privacy of their users, I reminded them that it was important to identify the data, understand their life cycle within their own service life cycle, define the weak points (i.e., any entry point, transfer, storage…) and protect those points. The thing is that if you are a small company, you may not know where to start. My key message was: well, start with pragmatic stuff.

First. Talk about security, create conversation around it. For example, make a 2-hour meeting with the project manager, or whoever in the company coded the solution with a global view. And together, make a status of the different security measures done up to now. Make an accurate status.

Second. Look for security champion(s) in your team. Basically the one(s) who had security training at school, or who had the chance to work on a security-sensitive project in the past, and can share with others.

Third. Write a process. It could be a paper sheet in the cafeteria reminding: i) before you ship a new feature, ask John (the security champion) for a code review, ii) before you sign a deal with a company, check its track record in security, …. Or it could be a professional methodology for bigger companies. Well, the objective is just to make sure that the question of security is handled in the product life cycle, at company scale, and taken into account in the schedules and deals. This is about creating a security culture in the company.

Fourth. Engage in conversation with your partners and providers; ask them the basic questions about their security investment. They should be able to prove that they actually take care of it, with a certification, or by being able to tell you a nice story about their efforts in that matter. Just like any company should be prepared to.

Fifth. Crash-test your product. Some bug bounty platforms now exist. You can submit your product, it will be attacked by some hackers, and if security vulnerabilities are found, you will be informed. The next level, or a complementary action, could be to perform an audit of your code, or to get an actual security certification (but I guess that if you are on a market where a security certification scheme exists, you might already be a security-aware company).

Sixth. Monitor the security news. Read some newspapers specialized in security, or some forums alerting on vulnerabilities. It would be a pity if all of your service bim-bam-boum were based on a framework which has been seriously hacked, without you being aware of it.

In the end. Six possible concrete actions, to be rolled out by any security non-expert. I asked the audience again to close their eyes, to pick one action from that list, just one action, and to promise, in the secret of their mind, to do it Monday morning when coming back to the office. Hoping that next Monday some SMBs will enter the path of improving the privacy of their services….

Note: all pictures copyrighted Garry Winogrand


Middle Life Crisis Toolbox


Some of you may have been following my new style of writing posts about the why, the what, and the nothing of life. I am spending a reasonable amount of time reading and looking for material to discover who I am (and who you are, too). I thought that sharing with you some of those amazing texts or videos may help some of you in their existential crisis…

Here are some good pieces. All of them brought a new look, a new way to read my life.

For the ones believing that they are worth nothing. I love the self-kindness of this text. It is about ‘I am enough’. Maybe it is too much, too naive, too positive, but it shows a path. This is to convince you that you are someone, that you are doing a good job at managing your life (i.e., as best you can), and that you should stop blaming yourself. Seriously. Self Love: I am Enough. And also, You are Enough.

For the ones who are tired and still believe they can judge a situation. This one demonstrates that while we are in some difficult moment of life, our analysis goes wrong, driven by some distortion filters. Knowing it allows us to pick the best (or least bad) moment to think or answer. “Why you should not trust your feelings”

For the ones who are looking for little pieces of joy every day. Here is a good toolbox to take care of yourself, and actually fight against the dream of happiness arriving one day, in a spaceship, independently of you. This is about having a routine that extracts you from the run we all do every day and allows you to enjoy simple moments. Google’s former happiness guru developed a three-second brain exercise for finding joy

For the ones who struggle every day with paradoxes. That text explains that looking for harmony and balance is a lost quest. Our world is made of things and their opposites, and one cannot always enjoy only one side of the world. That is part of the big learning pieces, to me. The Power of Perception, and Critical Imagination.

For the ones who feel rejected and are suffering. This text explains how being rejected hurts like being physically hurt. It exposes why, and how to try to prevent this suffering. Why rejection hurts so much

I hope you liked it, and even better, that those links helped you, in one way or another.

Note: Picture Saul Leiter, Red Umbrella, ca. 1958 © Saul Leiter

Café in MUCEM – Marseille

The MUCEM (Musée des civilisations de l’Europe et de la Méditerranée) is one of my most beautiful places in the world. The architecture is strong, the view over the sea is breathtaking, and the place is always packed with curious, laughing Marseillais. These days the MUCEM is offering an exhibition about coffee.


The offering is eclectic. Paintings, drawings, geopolitical documents, maps, scientific plates, poems, literary texts, expert talks. One learns loads of things. The subject of coffee is taken, turned in every direction, shaken, so that by the middle of the exhibition one is dying to sit down and savour a strong coffee, alone, or with the tribe, or with a lover. One would choose a Venetian, Parisian or Moroccan café.

But one will have to wait. Wait until having learned that Yemen held the monopoly on coffee production for 10 centuries. Wait until having realized that coffee shook up religions, appearing as an innovation whose virtue or vice had to be ruled on. Wait to watch coffee grow. #Did-you-know? Coffee is a fruit, which looks like a cherry. Its skin is removed, and a green seed is found, which is then roasted (and not burnt) to develop its flavour. Coffee is a small, fragile thing that must be treated properly. To learn more, you can always chat with a real barista. Because any self-respecting barista knows the different kinds of coffee of the world by heart, and knows how to prepare their coffee so as to extract exactly 21% of the initial matter.


One also learns at Café In MUCEM that coffee landed in Marseille in 1644. And that the first coffee house opened in 1671, near the Palais de la Bourse, and then the establishments multiplied. Often there was resistance. But here we are: today we all have our favourite bistro, dear to us, for the aroma of its coffee, for its clientele or its owner…


One meets fine company in this exhibition. Brassaï, Picasso, Cartier-Bresson, Sartre, Doisneau, obviously, the intellectuals, all at the Parisian café. Yves Simon also speaks to us, with great sincerity and nuance, about what he found and no longer seeks in bistros. One comes across Coffee and Cigarettes by Jim Jarmusch, which makes you want to take up smoking again.


In short. Coffee, the plant. Coffee, a commercial stake. Coffee, a political and social place. Coffee, a way of life. Quick, quick, off we run to find a steaming, strong cup.

It’s okay to be not okay…


Here is the story. I was at a networking event, meeting some old friends and discovering new ones. A good friend of mine was running toward an important thing (a cocktail, a prospect, a cherry tomato, we don’t care…) and while walking in front of me, he smiled and launched a warm “hey Virginie, how are you today?” without stopping his walk. I was in a kind-of-worried-anxious-tired mood and I answered “Well…”. Immediate effect. That friend lost his smile in a second, stopped his walk, U-turned, and stared at me with wondering eyes. I saw how the beginning of my vague answer had affected him. I felt I had to reassure him: “I’m okay, it’s okay, I’m okay, no worry”. Pretending everything was okay, more than ever.

Not okay, really? I realized at that specific moment the reason why I was most of the time reluctant to admit my bad feelings: it takes some energy and bravery to own them. The possibility that something could go wrong is a bad signal that makes some people uncomfortable. But well, look at our crazy world: what can cause bad feelings? Potentially a lot: stress, multiple and constant social interactions, quick decision making, always on and ready, juggling different human facets and contexts. That, each day. And it may be hard to protect ourselves in this multitude. Each of us has a kernel that, under attack, will usually create negative reactions: pain, sadness, violence, anger,… Well, I did not invent anything, I am not the first one saying that we all have a dark side (some French friends wrote about it [1] [2]). But the reason why I am talking about it is that I recently spent some time trying to understand my dark side and spent some time on my bad emotions. And I found a few things to deal with those negative feelings.

Admit it. I do not question anymore, I am not hiding myself, I stopped denying. Admitting my dark mood and accepting the associated feeling has been a great victory (but the battle is still going on…).

Share with some. Not being okay can be dealt with alone, but balancing this loneliness with time spent with my friends and family helps. So if I want to share that bad feeling or state with others, I choose them carefully. I pick someone I believe will not be yelling or crying after my announcement, or who will not start denying or judging my feeling. This part is difficult, as our affective relations do not always allow the appropriate distance (which for me is empathy with no compassion). By the way, congratulations to the lucky winners, and thank you, friends, I love you!

Feel the feeling. My body and I are co-existing with that darkness (bad mood, bad thoughts, bad intentions, deep sadness, well, you see). That’s a fact, you have to cohabit with it. And I found that mindfulness can help: it suggests recognizing the physiological signs in your body associated with sadness, anger, all bad feelings. Once you are able to detect from your own sensations where you are on your emotional scale, you can decide what to do with it: share it, keep it, monitor it, control it, or run away. Well, usually mindfulness suggests breathing, but it’s up to you. There is no judgement here, nor a good way to manage that feeling. The objective is just to be in a position to choose how this internal feeling will affect your relation with others and with the world.

Silence the feeling. Meditation is also an interesting exercise to create a DMZ. A white zone, empty, where nothing happens! I just concentrate on breathing or on the noise around, filling my thoughts. Looking for that neutral state for ten minutes (or more, depending on how brave I am) also helps to calm the storm created by my internal fight between being kind and being that miserable thing able to yell at anyone.

Express the feeling. I have a wander-wonder mind. My thoughts are always climbing somewhere, making links, balancing, remembering something. I guess, like for all of you, there is always something happening. I have decided to use that energy to write, draw, take pictures, and share my thoughts on this blog. While doing those things, I have no shame (anymore) in integrating my dark filters. And I believe this is what makes me a human.

Learn. I am also trying to learn about the source of the bad feeling. Where does it come from, is there any explanation? Any psychological or cognitive reasons. Explaining is not about judging or skipping, but about understanding, and thus helping to admit it better (go back to point one of this post). A side effect could be that the bad feeling vanishes, but this is not a quest for me; my own quest is understanding. At least this is my own mechanism that will allow me to survive the idea that I am not a perfect person. I recently had a great time watching Brené Brown on how vulnerability is cool. I also got the difference between being aggressive and being violent. All those little pieces of information make me understand my own humanity and my amazing internal life.

That’s a lot, right? You can try some of those tools, or not. But experiencing that path is sooo interesting and rich that I am just about to wish you veeeery bad days to give you a chance to play with it! Mouhhaahhhaaaa…

[1] French blog of a French psy I like http://cabinet-hacor.com/2016/09/28/le-gentil-mufasa-et-le-mechant-scar-ou-lillusion-du-bien-et-du-mal/

[2] La bienveillance, c’était mieux avant https://medium.com/@valvert/la-bienveillance-c%C3%A9tait-mieux-avant-80f9a64d889c#.iojgi830x

Some news on the Trusted Execution Environment side…


Some time ago I wrote about the Trusted Execution Environment (TEE), and how promising it was. A few months ago, I mentioned the arrival of Trusty TEE in Android, an API allowing mobile applications to interact with TEE-based services. One can still wonder, in 2016, where that technology is positioned.

A reminder about what a TEE is. Well, it is an isolated environment, shipped in smartphones, offering a way to deploy some code that will be securely stored and executed. It can support any mobile application that requires some sensitive operations and a trusted user interface, to ensure that what you see is what you sign.

But the major question when we come to nice technology is: “yeah, your stuff sounds cool, but who on earth is using it?”.

Well. Let’s see the facts. On the GlobalPlatform website, you can find 8 products that succeeded in the official functional certification. You can check this yourself here. Among the certified vendors, one can note Samsung.

And what does Silicon Valley say about it? A recent event gave an overview of the market. It was the TEE Seminar that happened in October in Santa Clara. This is a regular seminar which gathers the usual suspects of the TEE ecosystem. Speakers included ARM, Visa, Trustonic (one of the well-known TEE providers, a gemalto-owned company), FIDO Alliance, Linaro (which offers an open source version of a TEE, named OP-TEE), Ericsson, Verimatrix (in the game of content distribution and IPTV), plus gemalto (my company) and G&D (one of my company’s competitors). The key topic of the TEE this year was the Internet of Things. While the TEE technology seems to be spreading in the smartphone market via official products (see the Samsung statement, the Android Trusty TEE API and the Secure Enclave [PDF] in iOS), the next wave ready to take benefit of it is the Internet of Things.

Any diverging creative geeks interested? In the same month of October, there was another interesting event in Silicon Valley. A TEE hackathon, #BuildWithTEE, dedicated to getting benefit from the technology. It was organized by BeMyApp and GlobalPlatform. It turned out that 100 people joined the hackathon over the weekend. The exciting pitch moment was made of 22 smart ideas, 12 went to the end of the Sunday and 3 winners shared 10 000 US dollars. The material provided to participants was a Linaro Open TEE loaded on a Raspberry Pi 3, and all they had to do was to play with Linux and implement their idea, with the objective of using the key asset of the TEE, i.e. the security, on a client or a server side. Ideas that won were about monitoring door locks when renting your house, deploying a privacy-respectful tracking system, and a centralized password management server. IoT use cases were the major ones that the creative geeks wanted to explore.

So, to conclude, the TEE is a technology alive and kicking and will definitely support nice innovation in the field of all-and-everything-connected!

Note: Picture from https://www.pinterest.com/cdnmomma/for-the-of-europe/