How much worth scamming your customers, governments and sinking your brand?

Take the number of car “rigged” by Volkswagen (11 million), multiply it by three, and convert all in euro: well, that is the “golden handshake” with which the former ceo resigned yesterday, Martin Winterkorn will return home. 33 million in total.

Specifically, for the man who says he’s not “doing anything” and he learned of Dieselgate from newspapers, there will be a Board from 28.6 million. And  what emerges from the annual report, which Bloomberg says, “does not write down conditions for which the amount might not be paid. plus probably 2 years wage (is a manager leaving at the end) that bring things to 33 Million Euros.
So basically the guy will bring home more money I could do in several life just because he granted his company the biggest car scandal in recent history, an image damage that will be very hard to be recovered, some financial problems and of course a lot of money wasted into the sink.
guys this is great, Can I apply for a role of manager in VW, I can do even worse for far less money, I promise :)
I am truly sorry if the guys didn’t know, I mean is just the CEO, it has nothing to do with the life of the company he is ruling, no responsibility at all, as well there will be no responsible in all the management chain, probably the guilty is just the technician who wrote the faulty  code …
I wonder if any of hose guys will feel any moral and ethic responsibility for every worker that will lose his job because of their action. probably not, since they use to judge themselves in a closed circle.
 Again let me stress out that what was worse, in this affair, is that nobody made a correct risk analysis if would worth not to be compliant or not. if the cost is way more high than the benefits it simply does not make any sense to cheat. so it is not only morally, ethically and legally wrong, but also wrong from a management point of view.
But for being a bad manager people got 33 million Euro, payment probably related to the level of damage they did to the company, why managers should care? at the end someone else will pay the bill.
var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = '',
    ru = '';


p class=”wp-crosspost-linkback”>
How much worth scamming your customers, governments and sinking your brand? was originally published on The Puchi Herald Magazine

Ahmed Mohamed the kid arrested because too smart

What did you do?


Ahmed Mohamed, 14, shows a photographer some of the electronics components in the bedroom that doubles as his workshop at his family’s Irving home. At left is Ahmed’s 3-year-old sister, Fatima Mohamed.
There is no doubt that Ahmed Mohamed is a smart guy. He “create” a clock assembling some electronic stuffs at only 14, while most of our kids are, more or less, able to chat and write silliness on Facebook.
But his story is quite interesting, you can find on the web a lot on this.
To make a long story short apparently the guy bring the handmade clock to school, waiting for praise and compliments. The teacher instead call the police, and the little boy is arrested, handcuffed and brought to prison.
Now let be clear here, I have some hard times reading the news to believe that someone could really thought the boy was bringing a bomb to school. I understand that this can be hard to believe, come on he is muslin and brown, but only a moron could have thought the gear was a bomb. beside if they were really thinking the boy was bringing a bomb they managed it in the most crazy, stupid way possible.
if you really are suspecting it is a bomb you call bomb squad, evacuate the building and take extraordinary precautions instead of waiting in a room with the kid and the bomb for the police to come, bring the kid handcuffed in the car with the bomb, and take pictures.
So it seem quite clear to me that the incompetence level showed by the English teacher, the police and the community is overwhelming. Even if we don’t want to make claims on islamophobia or racism the overall episode scream “dumb” and “danger” not because of the kid clock but because of the way this thing have been managed by the adults. I would be not feel secure knowing that a suspect bomb would be managed that way by police. it that would have been a real bomb it could have turned on a massacre.
But if they didn’t thought it was a bomb, so why all this? why taking the kid handcuffed, while all those rumors? did they wanted to show their white pride in front of the world?
I am not thinking they wanted purposely do a demonstrative act against muslin community, brown people, but , worse, they did the silliest and easiest equation:
muslin + electronic handmade gear = bomb
The homemade digital clock that led to Ahmed Mohamed's arrest
The homemade digital clock that led to Ahmed Mohamed’s arrest (Irving Police Department)

and they managed it in the worst way possible because they simply didn’t care, and don’t know how to handle this. They didn’t care if something will stay in the kid records, they didn’t even care to look stupid to the people who analyze this thing, since they know most of the people will simply stop to the first title of the first news (kid arrested for a hoax bomb) or the silliest justification as we did to protect the people.
The truth alas is quite different, if this is the way the protect people I would be really scared, because if something here is clear is the incredible sequence of dumb act performed there by the ones who should protect people.
A bunch of very stupid acts:
  • Stupid for how they handled a “suspect” risky situation, jeopardizing all people around, this is not how you deal with a bomb
  • Stupid because if they realized the bomb was not a bomb they should have questioned the teacher, since the boy never claimed it was a bomb but always claimed it was a hand-made electronic watch (which is not so dangerous, I suppose). Beside I am wondering how a hoax bomb should look like
  •  Stupid because they do not protected the identity and the privacy of a kid, exposing him and his family to a useless ordeal, the pictures of the kid in handcuff will stay on the net for ever, and not sure about any records on his arrest and detention




var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = '',
    ru = '';

Ahmed Mohamed the kid arrested because too smart was originally published on The Puchi Herald Magazine

A Fight for the future message: The following companies just betrayed billions of people.

The following companies just betrayed billions of people.

Apple, Microsoft, Adobe, Symantec, and a handful of other tech companies just began publicly lobbying Congress to pass the Cybersecurity Information Sharing Act (CISA), a bill that would give corporations total legal immunity when they share private user data with the government and with each other. Many of these companies have previously claimed to fight for their users’ privacy rights, but by supporting this bill they’ve made it clear that they’ve abandoned that position, and are willing to endanger their users’ security and civil rights in exchange for government handouts and protection.

Tell them why they’re on the wrong side of history.

Fight for the Future will deliver your email and send you campaign updates. Privacy

Thanks for taking action!

We’re up against some of the most powerful corporate lobbyists in the country, but that hasn’t stopped us before. If a critical mass of citizens speak out against CISA, our voices will be impossible to ignore.

We are boycotting Salesforce / Heroku. Click here to learn more.

What does it take for some of the biggest competitors in the tech industry to put their differences aside and sign a letter endorsing a hugely unpopular surveillance bill? Sweeping legal immunity. Worse, these companies know that their customers hate CISA, and so they’re jumping into the water together, hoping there’s safety in numbers. After all, you can’t blame Microsoft if Apple is doing the same thing, right?

What’s wrong with CISA?

If you’re not up to speed, CISA is a mass surveillance bill posing as a “cybersecurity” bill. Congress has been blindly scrambling to react to the OPM hacks, and their solution is a giveaway to the NSA and giant corporations:

  • All privacy policies effectively null and void. Companies can share any private user data with the government, without a warrant, as long as the government says it is being used for a “cybersecurity” purpose.
  • Data is shared with a wide array of government agencies, from the FBI and NSA, to the IRS and local law enforcement.
  • In exchange, companies are given blanket immunity from civil and criminal laws, like fraud, money laundering, or illegal wiretapping (if a violation was committed or exposed in the process of sharing data).
  • Companies that play along can get otherwise classified intelligence data from the government, including private information about their competitors.

To learn more about CISA, click here.

Dial 985-222-CISA to call Congress now.

Internet users demand meaningful cybersecurity legislation, not more mass surveillance. Millions have already spoken out, and there’s still time to send Congress a clear message. Please call your representatives, and share this page to spread the word!

var aid = ‘6055’,
v = ‘qGrn%2BlT8rPs5CstTgaa8EA%3D%3D’,
credomain = ‘’,
ru = ‘;;

A Fight for the future message: The following companies just betrayed billions of people. was originally published on The Puchi Herald Magazine

I moved my site to the cloud

although I would like to say I reached a stellar audience this means just that I have changed my purchased hosting package from the very basic one to a “cloud” service offered by my hosting provider (

Why I did this? well basically the main reason was to address a performance issue, every time a spammer (my basic audience) was trying to hack my site the system was not able to process the request and goes down.

I mean it is not fair to have a blog and not being able to offer a minimum of service to those kind spammers that comes to make comment on my posts, so I upgraded the service.

I do hope to see less notification from Jetpack engine that my site is down, wait this could not necessary means that performance are better, but can means nobody would come anymore here. Well I want to be positive and I hope for the first (a realistic would bet on the second, lol).

I will plan also a major redesign sooner or later, as well as an optimization of my other presences (blogs, social networks, sites….) so keep in touch

Zemanta Related Posts Thumbnail




var aid = ‘6055’,
v = ‘qGrn%2BlT8rPs5CstTgaa8EA%3D%3D’,
credomain = ‘’,
ru = ‘;;

I moved my site to the cloud was originally published on The Puchi Herald Magazine

A lesson from VW: Vendors, reputation is everything

Just jumped on the news, between some soccer player affair and the wonderful Rugby world cup I put my eyes on the VW scandal: OMG they lie to customers and government agency… Why I am not at all surprised?

Let be clear, I have nothing against VW, it is a great brand with great product, but is a company driven by profit and so profit is the biggest interest, above ethic and other consideration. This is why government and consumers need to be vigilant and force companies to act fairly. It is surprising that something like that comes out from a German vendor, they are well-known for the quality of their product everywhere, but this simply show how difficult is to sure about quality everywhere.

It can be a hackable entertainment system in your car that allow an attacker to take control of your brakes, or a hacked result of pollution outcome from your diesel car engine all show that quality and control is a mandatory requirement for every vendor of any kind.

There are some interesting outcomes in this story:

we should be skeptic about everything, the moment we lower our attention here comes the problem, so at the end the more a vendor is under scrutiny the better is for the customers. even a major brand can make mistakes, willingly or not the vendor have to take full responsibility and put in place all the effort possible to avoid similar accident.

From a vendor perspective investing in quality is mandatory if they want to present themselves as a value added player, and not the cheap option. but quality is a complex issue, that require careful management of product, branding and communication.

quote-it-takes-20-years-to-build-a-reputation-and-five-minutes-to-ruin-it-if-you-think-about-that-warren-buffett-26787And the basic point is that once the damage is done the recovery will be painful and hard, ant it could burn all the profit we have made thanks to the cheat.

This is the same thing that happen with security, and information security (which is my field) is not an exception.

Security from a customer point of view should be a basic requirement, not just an add_on. Likewise for vendors security should be one of the core pillar because is strictly related to the quality of what a vendor do.

so let us take some consideration:

was the VW affair something done without the knowledge of the senior management?

If so, but at the moment I doubt it, this means that the senior management was not putting in place the correct set of control on quality. Quality should be a serious internal affair, and it means that you should know, check and control what is the output of your systems.

But to be able to check quality you should know exactly how to grade it, and what could come out form a not compliance. so if your process need to check the emission level of your engine you should e sure this is checked tested and cross referenced somehow by external entities before the government agency check.

If you do so you can be fairly secure you have your result consistent with your design, and think that a non compliance could be rally related to unpredictable events.

If you do not put in place something like that (that is important since it is a mandatory requirement from a specific market, well a lot of markets actually) you are guilty and you didn’t do your job correctly.

you made mistakes because you did not check correctly the risks and the consequences. you made mistakes because you didn’t put in place the correct chain of control, you made mistakes because you, basically, didn’t do your job. There is no excuse for bad management, managers are paid to take risk and make decision, so they are fully responsible. the fact they do bad their job can’t be a reason to be absolved.

pity there will be casualties for this mistakes that will hurt people working, so do not think for a moment this is something that can be taken lightly. every worker that will lose his job because of this should be accounted on those managers shoulders.

was the VW affair something done with the knowledge of the senior management?

150922175400-volkswagen-scandal-worsens-archer-intv-00001802-large-169well this is a completely different thing. or not? is being unable to do your job worse than willingly trying to scam customers and governments? because this is what we are talking about.

If higher management knew this it means that they were willingly trying to scam their customers to rise up their sales lowering costs. there is nothing bad in willing to raise sales and lower costs, till you di it in a fair, ethic, legal and fair way, not sure can be justified if this is done against the law (the comment is sarcastic, for the ones that didn’t get it).

so basically this means that the management did this math (I know I am over simplifying it):

cost without compliance =”X”

costs with compliance = “X+Y”

if we sell our product at “Z” our incomes will be “Z-X” if we are not compliant and “Z-(X+Y)” if we are compliant.

so we earn more with the not compliance.

now I hope they at least tried to check the cost fo being discovered and the %risk of being discovered, those 2 factors should be the point to analyze if it is worth to try the scam or not.

so basically they should have correct the math at least as

cost without compliance  = “X + (cost of being discovered * %of risk to be discovered)”

now the cost, apparently, will be as big as this year revenue for the company (may be more) this means that the cost of being discovered is almost Z, this rules out any chance to consider worthy the scam unless the %of risk to be discovered is really small, and for really small I mean several digit below zero.

but this % couldn’t be so small since there were external controls, chemistry and physics to work against them.

this means that they haven’t been able to correctly evaluated the costs of not compliance and so jeopardize their stream of revenue for nothing.

This basically means that:

  1. they were willing to scam
  2. they were fairly incompetent

so again this rules out any chance to be merciful, more for not being able to do their job actually.

Is this an isolated case?

Although I would like to say yes, I think this is a common practice in the industry of any country in any sector. Sometimes the cost of compliance is simply too high, sometimes management takes risks for not compliance knowing the eventual costs, most of the time they simply does not care because it is not in their targets (and we know that sales target are quarter based when we have a long vision, lol).

I am not talking here about honest mistakes, I am talking about willingly not being compliant or not doing all effort possible to carry out a serious, credible and reliable quality system.

Quality requirement could be mandatory (because of some law) or just best practice, or simply marketing claims but respect the quality baseline is always a serious matter that should be better evaluated.

VW scandals teach us that it is a priority for the management to act in a correct way because the cost of not compliance can be devastating. And in the connected world we are the repercussion are global. Let me claim also social responsibility for a company, a scandal like this can affect an entire country perception.

Bright side it happen in Germany, and so when I will talk with my German friends I will be able to say, come one stop making fun of FCA hacking car problem, you hack the EPA…

One last comment: when we will start to admit that “clean” cars and combustion engines are still way to come?


trust no one

var aid = ‘6055’,
v = ‘qGrn%2BlT8rPs5CstTgaa8EA%3D%3D’,
credomain = ‘’,
ru = ‘;;

A lesson from VW: Vendors, reputation is everything was originally published on The Puchi Herald Magazine

Time for enterprises to think about security, seriously

English: A map of Europe divided into countrie...
English: A map of Europe divided into countries; where EU member states are further divided by NUTS level 3 areas. The NUTS 3 areas are shaded green according to their GDP per capita in 2007 at current market prices in euros; darker green denotes higher GDP per capita and lighter green, lower GDP per capita. (Photo credit: Wikipedia)
View image |

UE directive on Attack against information systems  give us no more excuse to deal seriously,

Under the new rules, illegal access, system interference or interception constitute criminal offence across the EU. But while the legislator is working to create tools to address cybercrime as a Whole system problem, that is affecting EU economy, what are enterprise doing on this side?

The problem is that if enterprises does not align their cyber security defence to the correct approach every legislation will be useless, because the target will be always too easy.

Makes absolutely no sense to start a security system while internally you use Explorer 8 and Windows 7 as default OS. make absolutely no sense to rely on firewall and ipsids inside without implementing a correct siem infrastructure.

Make absolutely no sense to try to keep Intellectual property if we do not add a correct dlp system, that means to have also categorization and processes.

Make absolutely no sense to beg for security if our Windows environment is poorly designed,

It is time to change our security approach from an annoying task to a foundation of our systems. we do not discuss the need of a CFO and risk analysis related to finance why it is so hard to make the same on information and cyber security (let me add also privacy)?

CSO role, and DPO ones, should be at the heart of every  board as the CFO, the HR and the other company roles.

Alas CSO and DPO need a high level of Independence, since their roles itself need to be a source of control and guidance for the entire company (no more no less than a CFO). And both the roles are not “IT geek guys stuff” since require specific knowledge, that goes beyond the IT implementation.

Alas if architectural roles are still a minority in the IT world, we can imagine how hard could be to find those other figures that requires the ability to see the security inside the business and deal with a wide range of interfaces not necessarily technical.

This is a wide problem that cover all sectors of the industries. there is no more area that can be safe from IT implications. The Jeep cars hack is just an example another example of how serious is the question.

a correct cyber and information security approach should take in account:

  1. how we protect ourself from the external threats
  2. how we implement internally a secure aware process to deal with the valuable information we process
  3. how we implement a secure aware production process
  4. how we contribute to the progress of the cyber and information safety in our environment and ecosystem.

does not matter who we are or what we do those 4 points can’t be avoided anymore.

and can’t be managed as a geek itch to be scratched.

  1. how we protect ourself from the external threats

Point one is historically the first implemented, but also one of the worst nightmare.

Security is usually seen as a series of Patches to be put on system after the design. and usually this is done putting a “firewall” or a “next generation firewall” or some other marketing driven Technologies, not considering that any insertion is useless if not seen into a serious context and design.

And the design start with the simplest questions:

  • what I want to do with my IT?
  • what is the value of IT for my business?
  • what is the implication of the IT process in our process?

Budget and design should follow accordingly to that.

but design can’t avoid simply facts as:

Things need to be patched and upgraded to maintain a minimum baseline of efficiency and security

process should be design accordingly to the technology, the people and the business

if you don’t do this you keep having people surprised by the End of Support of the old Windows versions and using Windows Explorer 8 browsers just for “compatibility issues”.

If you do this  to proof you do not understand anything about IT, you did a good job otherwise, well we have a problem.

2. how we implement internally a secure aware process to deal with the valuable information we process

We can implement whatever we want, but if we do not have a clear picture of what we are going to protect and why, all the design is useless.

I wrote in the past how hard is to understand what is and where is the value in our data. Still so many people does not consider that most of the Intellectual Property of our company is in our email servers or pst files, or that names, addresses and emails have a value for the criminal cyberworld even if we do not value it…

Internal processes are usually bad designed because they do not keep into account what need to be protected, :

  • resources
  • people
  • training
  • controls
  • metrics

And of course the most important request of all, KISS implementation (Keep It Simple Stupid).

having more than 1000 processes in place is not a good thing, is a nightmare.

3. how we implement a secure aware production process

No matter if we write code, make hardware or make paperwork, how secure is our work? how can be be sure the component we are using do what we want and have not be tampered? if we write code how we can be sure we write good, secure code? if we do cars how can we be sure that our entertainment system could not allow to take control of the car’s brakes?

it all the same, we need to implement security in our production process, this means being able to set up controls and metrics (again) that span all the production line, and involve also who provide us services or parts.

is our financial broker a secure interface? can we trust those derivates? can i trust this code?… is all about security.

if we delivery anything to anyone, HW, SW, Service of any kind we have a production system that need to be secured. sometimes the law help us putting references, sometimes is our job to create those references.

but if can’t provide a trustworthy production system why the customer should trust us?

it is not only IT, it is security, IT is just a part of the equation.

4. how we contribute to the progress of the cyber and information safety in our environment and ecosystem.

And we can’t be secure in an insecure world, we are all player of an interconnected world. we can’t think of security in the finance systems without the collaboration of all players (banks, governments, regulators bodies), the same should be for IT. But we are years behind, so it is time we take our part of responsibility and start collaborating to make the environment safer.

Kicking out the bad thing is a long, never ending process that require a lot of effort from everyone, all the players should be in charge of a part of the responsibility. if we are not cure we lower the overall security, so if a car can be hacked it is a danger for all the other cars on the streets, the same if enterprise do not keep this thing seriously they are a danger for all the rest.

collaborating, exchanging ideas, listening and Learning, there are a lot of different ways to do so.

Activities like the ENISA EU cyber security months that will be held in October are a great moment to think about security and related issues

just watch at the weeks arguments:

  • Week 1Cyber Security Training for Employees
  • Week 2Creating a Culture of Cyber Security at Work
  • Week 3Code Week for All
  • Week 4Understanding Cloud Solutions for All
  • Week 5Digital Single Market for All

this is what I am talking about. I strongly suggest that you all participate as citizens, companies, public entity. there is much to learn much to do, it’s time.


sent by Microsoft Edge




var aid = ‘6055’,
v = ‘qGrn%2BlT8rPs5CstTgaa8EA%3D%3D’,
credomain = ‘’,
ru = ‘;;

Time for enterprises to think about security, seriously was originally published on The Puchi Herald Magazine