Some of you may have noticed the new image I have added to the left-hand column of my website as well as below. It reads “I do solemnly swear to preserve, protect, and defend the Constitution of the United States to ensure that the country protects the right of all. – Signed Bradford Benn” (You can create your own image at the American Civil Liberties Union’s Take the #PeoplesOath webpage.)
Seems an odd thing to put on a website at times. It is important to indicate that I believe in the importance of the US Constitution. I believe it is important that all people have the same rights. Not just donors or members of the political elite or celebrities, everyone. I can go into all the reasons that I feel that this stance is necessary. It doesn’t matter why I feel this way, I do believe that it is important to protect everyone. As news is coming in about various changes in openness in information as well as accuracy, I think it is important to do something about it. The approach of removing data is preventing people from having the right to make up their own mind. If one’s personal opinion does not agree with the datum currently available, it does not mean censoring or removing the data.
While we may not all agree on everything, I want to believe that the majority of us will believe in treating people equally. That information is available to everyone especially if it uses public funding. That science is factual. That privacy is a right. The preamble to the US Constitution is an important guidepost often overlooked.
“We the people of the United States, in order to form a more perfect union, establish justice, insure domestic tranquility, provide for the common defense, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity, do ordain and establish this Constitution for the United States of America.”
I can go on, but the important thing is to know that the rights of all need protection. As the administration of the 45th President of the United States trundles forward I will probably be posting more of my views; I think that this post is a good start. All of us need to do what we think is right and important.
During my “day job”, I work on many projects that are subject to Nondisclosure Agreements (NDA). These projects range from new product development to new projects that have not been announced to details of clients and project contents. There are various levels of diligence called out in each agreement. I am not giving any legal advice on enforcement and application of NDAs; I am sharing some of the principles and practices that are common and that I have found helpful. If in doubt, check with your legal advisor or company counsel.
The level of “paranoia”, for lack of a better word, you want to follow is up to you. I follow the most stringent NDA policies for all of my NDA projects. The reason is that remembering the nuances of each one is difficult. Some people find my personal level of privacy and security awareness humorous; however, these practices apply and help me be aware of things not typically considered. Some of the things I worry about may not be practical for your scenarios, but they are still good to think about for things beyond projects. Confidentiality of things such as payroll, checking account balances, insurance information… etc. is still a part of daily life.
The most effective practice I use is both simple and often overlooked. Chuck Palahniuk said it most succinctly, “The first rule of Fight Club is do not talk about Fight Club.” Seems rather simple, but it is often forgotten. The version that applies in this situation: “The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.” I work within a large company [Harman]; there are multiple teams and departments, about 28,000 employees total. Not everyone needs to know everything; engineering does not need to know that I am working with Bob’s Country Bunker on their expansion. If an engineer comes to me as they go to the Bunker every weekend and asks about the expansion, my answer is simple. “Sorry, I don’t know anything about it.” Yes, a lie or a fib. It also means that you are not as likely to be asked as many questions by friends looking for information. It also means not talking about the project in public, especially at industry conventions. However, what I get out of this approach is I do not have to worry about someone else leaking the information.
People think it is odd that I have specific USB flashdrives or thumbdrives for different purposes and projects. Using a thumbdrive to share data can easily lead to lots of data being shared unexpectedly. I hand person A a thumbdrive with person B’s data on it (that is covered by a non-disclosure agreement). Person A would then know about the project and if unscrupulous could have person B’s data. People don’t always think about it, but by sharing a USB drive one is basically sharing part of their computer’s hard drive. There are of course the other reasons such as not wanting to get a virus. My solution is that I format the thumbdrive when appropriate. Typically it is after a customer visit or a system commissioning. I will also backup and then erase the contents of the drive often during the process. None of us have ever lost a thumbdrive with key information on it.
This same approach holds for network storage and sharing solutions. Most people will think about Dropbox, SpiderOak, Google Drive, Box … etc. but these are not the only sharing services to be aware of. A standard computer attached to a network has the same issues at times. A company typically has a network server for storing and sharing project data; very often, in addition to that, the sharing feature on a laptop will be enabled as well. The shared drive or directory on a computer is most likely the largest liability of these items. If you want to know why, use the network in a hotel, coffeehouse, or even in an airplane. Depending on the security settings of the network one might be able to see other computers on the same network. Very often, to make the computer user’s experience simpler, shared directories or folders will advertise themselves. Now everyone connected to the network is aware that there is a share on the network.
These services are very powerful and convenient. However, misconfiguration can be very bad. The sharing features typically get set and forgotten, so data is just sitting around all over the place. Did you remember to change who has access to what within Dropbox? Is your Shared directory still active for everyone to see and edit documents? Did you turn off the sharing for the person that left the company? Is your network storage at home available via the Internet, does it have a strong password and current firmware? Are you using Two Factor Authentication (2FA), if not – why not?
There is the specter of e-mail and how easy it is to not redact or remove information before forwarding it. This issue becomes more and more important as the projects are more and more complex. I often will read an e-mail and store it, some contracts require that. If I need to gather more information from another party I do not simply forward the e-mail, I rewrite it to be as generic as possible. Part of this process is to make sure I understand the question I am asking. Part of it is just preventing information from being shared. Yes, we might work for the same company but I am the one who was given the information, often the NDA indicates that I can only share information when necessary.
I can continue with such things as lock your computer when you are not using it. Don’t carry information you don’t need to on your laptop; especially when you travel. That seems easy to say I know, and it is more realistic than ever to do. I can connect to a server that is secure via VPN connection and retrieve the documents I need when I need them. (This approach can also be helpful and preventative if a laptop is lost or a hard drive fails.)
Encrypt important data. Yes, the encryption word. It is important. It is not new. In the late 1990’s I was working on a theme park project just as e-mail was becoming common. To transmit documents electronically we were required to send them encrypted using Pretty Good Privacy or PGP encryption. I am not going into all the details, the Electronic Frontier Foundation has written a good article providing an overview. This process meant that I would compress a file, then encode it via PGP, then attach it to a message and send it. This process still exists and is still very viable. I encrypt data on my hard drive and on the cloud using PGP encryption, sometimes called GPG on Mac and Linux. Beyond just the encryption the fact that the email has a much higher probability of not being spoofed is reason enough to use it for me. If you want to test it out, my key can be found at my blog post.
Now that everyone is concerned, how to make things better so that you are not the leak? The first item is the Fight Club rule. The second task is I encrypt my connections and data whenever possible (check with your company’s IT department as the last thing that anyone wants is to have data be inaccessible). Find secure solutions for hosting data on the cloud. There are many solutions, I am not going to endorse one or claim one is better than the other, the key item I look for is 2FA. This process means that the person trying to gain access to an account will not only need the password, but a second piece of information to gain entry. Typically this is a numerical value; it can either be generated on a device such as a handheld digital device or sent via e-mail or text. There is more information about 2FA available from EFF as well. I have enabled it on the AVNation website administration tools and everywhere else I can, including Google and Apple cloud solutions. I think that this would go without saying, but just in case: do not click the remember me or have the browser remember your password. That basically means if someone has your computer they have access to all the sites.
I am sure by this point I sound paranoid, however I will say that adhering to Non-Disclosure Agreements is valuable for business. No one wants to be known as the person who leaked information. It is easier to make sure no one leaks the information by not letting them know about the project. Keeping projects secret and being digitally accessible is very possible. It requires attention to detail and understanding the processes. Do not let it scare you.
If you know me, you have probably seen news that my employer is being purchased by Samsung. Allow me to make a few comments about this situation before I go quiet about the issue. First and foremost, the opinions expressed in this blog and domain are entirely mine. They do not in any way, shape, or form represent the views of my employer, or anyone else.
So in no particular order:
I do not have additional information beyond what the press releases indicate. My role in the company does not involve me in any of these processes.
If I am asked a question I have not gotten an answer from my employer about that I can publicly share, I will not answer it.
I have recused myself from AVNation’s coverage of the story.
Until the acquisition is approved by regulators there will be no change in processes or business.
With apologies to Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb
Let me put in the disclaimer first, this blog post as well as everything on this site are my opinions and do not reflect the opinions of my employer or anyone else.
One of the interesting things that has been occurring recently has been people around me talking about CTS certifications from InfoComm. It has ranged from ribbing from people who have certifications to people questioning my knowledge base in Audio & Video. I appeared on a Tech Chaos Podcast to discuss this topic during March 2016. During the InfoComm trade-show in June of 2016, I had heard enough. The breaking point was when one of my colleagues, when I did not know something off the top of my head, said, “Well, if you had a CTS maybe you would know.”
With me being the sarcastic and acerbic person I am, I responded by saying there is only so much RAM to hold information and that the question at hand can be looked up, as I pulled out my handheld device. The question was how does one calculate the viewing distance from a display. I then asked a question that is just as relevant in today’s AV world, were two IP addresses on the same subnet mask? Yes, I was being petulant, as I said I am sarcastic and acerbic. Basically someone questioning my knowledge base because they had a CTS certification and I didn’t rubbed me the wrong way. As the ribbing continued, I brought out the fact that I teach classes that qualify for Renewal Units (RU). (To maintain a certification, one must acquire 30 Renewal Units every three years.) The volley went back and forth, until I finally pulled out the sledgehammer and asked how many projects that they had designed, fabricated, installed, configured, and commissioned that were the lead story on the national news. It got very quiet.
I was able to formalize my thought after that discussion: many certifications simply indicate that someone can take a standardized test effectively or has sat through a class with no testing. I will give credit to InfoComm for pointing out that certification doesn’t guarantee competency. From the webpage Certified Professionals Directory:
Certification is not a guarantee for performance by certified individuals. Certified Technology Specialist™ (CTS®) holders at all levels of certification have demonstrated audiovisual knowledge and/or skills. Certified individuals adhere to the CTS Code of Ethics and Conduct and maintain their status through continued education. Certification demonstrates commitment to professional growth in the audiovisual industry and is strongly supported by InfoComm.
Chuck Espinoza and I had a discussion about the certification and the process during InfoComm 2016. He made some interesting points, so I decided I was going to sit for the certification. It would not be equitable for me to have an opinion without having a better sense of the process. Perhaps the other way to look at it, if you want to defeat your enemy learn to sing their songs.
I showed up at the appointed time and was shown to my test computer. The multiple choice test is administered via computer interface at an independent testing center. That makes good sense allowing the test to be taken easily by many people throughout the world. Any test is a combination of testing an applicant’s knowledge as well as their acumen at test taking. During my career I have taught classes for certifications and have also been the creator of the content and testing process. One of the things that I always stress to my students is select the most correct answer if they are not sure. I will follow the non-disclosure agreement I accepted as part of the testing process (yes, I am one of the people that reads the agreements before clicking accept) and be somewhat vague in my discussions.
As one can probably ascertain, I passed the test on the first attempt. However I learned quite a few things that I did not know. I did not know the standard symbols used in a Gantt Chart, despite having read them for over 20 years. I was not sure of the proper time to deliver a bid document package, but most of the projects I have been involved with had documented bid dates and processes. I could deduce what connector was a video connector, despite the fact I would not be able to identify it in the field. I also realized that the test is not solely about certification in technology but includes other items that are deemed good practices by the committee. To me that is where the certification started to diverge and I saw how this testing process might not be the best evaluative tool. I also realized at that point having the CTS certification be a prerequisite to attaining a CTS-I (Installation) or CTS-D (Design) is not appropriate.
A great installer might know nothing about the sales process; she knows that when there is a question about new additions or pricing to bring in the sales person or project manager. She could be capable of determining how much to derate a wire rope based on the angle of pull in her head. She might pass the CTS-I test with flying colors on the first try, but stumble during the CTS certification process. A Designer might not know how to read a Gantt Chart, but if the project manager keeps the team informed of the deadlines, it is not an issue. The Designer might not be aware of the procedure for service calls, but that is not his skill set. As a specialist, one should not have to take the generalist test first.
My opinion though is a little mixed now about the CTS process itself. I took the test without studying. I did not even open a book, I simply took a practice exam, paid my money, and took the test. I passed. That is reassuring as I have had a career in the AV industry for over 20 years. I was also surprised about the content itself and how much in my opinion it has to do with the full industry. The fact that the testing agency I took the test at said that they have about a 66% failure rate, also told me that I need to reevaluate the measure of the test. I am not hiding the fact that I hold a CTS certification.
I do however stand by the point, as InfoComm has pointed out, that just because one passed the certification test it does not mean that they are qualified. I also know that there are challenges in the continuing education or renewal units (RU) process. Many of the RU classes are simply attend and get the units; it does not prove that anything is being retained. However that is for another blog post.
Some of you may already be aware that the Electronic Frontier Foundation (EFF) is one of the groups I support. Privacy, security, and freedom for the individual is one of my touchstones. I have written about these topics previously, both here and at AVNation.tv. (Yes, there will be overlap between this post and the one over there. My opinion hasn’t changed.)
There are proposed rule changes within the Federal Rules of Criminal Procedure that the EFF has made me aware of. I do not claim to be an expert on all the legalities and intricacies, however from the comments that the EFF have provided I immediately felt it was important to comment on. The proposed amendment to procedural Rule 41 would allow a judge to issue a warrant allowing law enforcement to remotely enter (hack) a computer when “the district where the media or information is located has been concealed through technological means,” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.”
The first portion of this means that if one uses a means to hide their location, for any reason, a search warrant would be allowed. At AVNation I spoke about how this applies to business environments where Virtual Private Networks (VPN) are used to provide a secure connection between remote users and the office. A byproduct of that process is that one’s location is incorrect quite often, sometimes on purpose. When I travel to China I use VPN for personal use. I purposely set my VPN to connect me to a point of presence located in the US. This decision allows me to access my e-mail as well as other sites, such as news sites like New York Times or Los Angeles Times. (I can continue on about the Great Firewall of China, but these couple of links should help provide background: https://en.wikipedia.org/wiki/Great_Firewall or https://www.eff.org/search/site/china%20firewall.)
I also use a VPN connection, as well as other tools, when I am using a public hotspot. In fact I am using one right now as I sit in Starbucks using their WiFi. This approach prevents eavesdropping on my communication. I will say that Google and Starbucks do a good job keeping things safe, however not every place is as secure. I want to keep my data encrypted as long as I can. Yes, there is Hyper Text Transfer Protocol Secure (HTTPS) that is secure and I use it as much as possible, but not every site supports it or for all traffic.
I can continue on as to why I use VPN, the important thing to take away is that there are legitimate legal reasons to use VPN. The fact that I use it should not change the way my data/privacy is viewed by the courts. To overly simplify it would be like saying, you locked the door to your car so you have given us a reason to issue a search warrant.
The second portion of the new procedure is also damaging in that it allows for innocent computers to be searched if they have been remotely hacked. If a computer is an unwitting member of a botnet, that would meet a qualification for a search warrant. The infected or innocent computer could be searched even if the owner is not involved or suspected of wrongdoing. Basically if someone has already broken into your computer, the government can break into it again as your computer might be doing bad things.
To me there is a third reason that this issue is important – this process is being done under the guise of procedural rules. There is no debate, no review by elected officials, just a procedural change to allow more access. Yes, Congress has to vote to approve the rules, but there was very little notice of the process. Luckily groups such as EFF and others are around to alert people to the changes. There is the comment of, “Well if you aren’t doing anything wrong, you have nothing to worry about.” I agree and understand that sentiment, but I also believe that once the first domino has fallen the erosion of privacy will continue. To quote James Madison, “There are more instances of the abridgement of freedom of the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.” This procedural step is a gradual and silent move to most people.
Also if there is nothing to worry about, please send me your laptop or phone without clearing the history first. I will be more than happy to inspect it for you.
In this age of collaboration there are many tools available to help teams work together. There is software to help automate processes. There is unified communications software. There is project management software. There is customer relationship management software. There is bug tracking software. I have found one thing to be consistent among all of these software packages and solutions. They are not panaceas.
Software will not magically fix all problems. A piece of software will not magically make someone efficient any more than owning a treadmill will cause one to lose weight. There needs to be a basic understanding of the processes and problems that the tool is supposed to be addressing. To lose weight, one needs to walk, waddle, jog, or run on the treadmill, plus likely modify their diet; one has to accept the weight loss process. To become efficient using a software tool the same idea applies; one has to accept and integrate the process.
I have been involved with various software integration projects and found certain things to be common within any software configuration process. It all starts with the user documenting what they are trying to accomplish. If one is specifying an audio, video, control or lighting system the first step is the same: get the user requirements and determine what they are trying to accomplish. When looking at software that same step must occur. It is not just picking the latest or coolest piece of software. If one cannot document the process and what they are trying to accomplish on a piece of paper, how can workflow through a piece of software solve the issue?
I use and leverage technology when I can for my benefit. I own and have tried various pieces of software for keeping track of things and thoughts: Dropbox, Evernote, Notes, iThoughts, Wunderlist, Clear, NoteTakerHD…and the list continues. The most effective tool I have for creating and tracking ideas is the whiteboard in my office or the notebook in front of me. I then transfer the thoughts and ideas into a digital format.
That is an important thought. Software is a tool that simplifies the analog process. It is still key to understand the process and follow it through to completion. A user needs to be aware of what the software is tracking and indicating. If an internal tool, whether analog or digital, calculates that a task or project will not be completed in time, it still must be communicated internally and to the client and then acted upon, as the client will often not have visibility of the tool.
Most importantly, if the tool is collaborative everyone on the team has to use and engage with the tool. If not everyone is using the tool, the data it provides is not accurate and each person has varying degrees of information. If you notice I say tool and not software. The reason for that is that this idea is key whether one is using a whiteboard, a spreadsheet, a database, or a specialized software package. If the users do not engage and keep the data current the tool is worthless.
Do not confuse a software package with a solution. It is simply a tool. One can run a project in the analog domain, one can run a project in the digital domain. The process is the same in both; sharing information with interested parties and keeping the data current. Software might make it easier but it still requires discipline.
There are many things on my mind about David Bowie’s passing yesterday. I am struck by the loss and the suddenness of it. Mr. Bowie knew it was coming and wanted to be private about it. Perhaps that is what makes, I should write made, him so special.
One of my favorite songs is “Heroes”. Whenever a dear friend of mine asks for a favor, he asks, “Will you be a hero…” followed by the request. Those interactions are resonating in my head today even more. My goal is to be a Hero just for one day. I hope you will join me in the effort.
“We can be heroes
We can be heroes
We can be heroes
Just for one day
We can be heroes”
-David Bowie & Brian Eno
Below is a piece I commissioned Mike McKone to draw at C2E2 in 2015. I am not very glad I did. Thank you Bill for convincing me; you are Henchman #1.
When traveling, I highly recommend bringing along a power strip or a power cube. Yes, we all travel with lots of electronics so this device comes in handy but there are other reasons as well. I use a Monster Outlets To Go Power Strip and its companion option with a USB port in it. The reason I like this device is that it is small, but it also has a power indicator in it. The rear of the male plug glows blue when there is power. In hotel rooms you would be surprised how much this simple feature helps.
The reason I like the power cube or Triple Outlet Adapter is that it helps to offset transformers that cover more than one outlet.
Another thing to consider is that the airplane in-seat power outlets oftentimes have a spring switch that needs to be depressed to provide power. I have been very unsuccessful with the typical USB power adapters as they are very light and get pushed out easily. Using the power strip or cube to provide additional mass has helped to keep the switch engaged.
This post originally appeared on AVNation.tv on Friday, October 13, 2015 as part of the AVNation’s 31 for 31 during October.
A jarring question but an important one. This question can be scary to think about at times but it needs to be addressed and thought about. For many in the AV industry the laptop is the tool of the trade. It is used to configure DSP engines, program control systems, and often calibrate the system. That is in addition to the key tasks it plays in business as being the e-mail, billing, and documentation tool.
Most people I have asked this question indicate that they have everything backed up to a USB thumbdrive. So then I ask the next important question, where is your USB thumbdrive? About half the time it is in their pocket; the other half, it is in the laptop bag. So while that USB thumbdrive may help mitigate computer failures it does not address the loss of the laptop bag itself.
The part that most people miss is that when a laptop disappears, a data breach just occurred. Let me repeat that, the data on the now missing laptop has most likely been breached. Typically people have lots of information on their laptop that they have not considered. The main ones to consider are passwords, account information and e-mails. Many people use the convenience feature of having a website “remember” their credentials. My first concern for the types of websites being accessed is of course the banking, travel, and shopping websites. That completely overlooks things such as possible network credentials for VPN that would let miscreants easily access your company network.
There are some relatively easy things that can be done to prevent this situation. The obvious one is to not lose your laptop bag. The next is to encrypt your hard drive. Encrypting your hard drive limits a nefarious person’s ability to access your hard drive. The second one is to not have your browser store your login passwords. Something I have found out is that after an upgrade of a browser, your preferences may get changed. This one is especially important if one follows the other alarming trend of using the same passwords in multiple places. Most of us have already thought about that step but then become complacent and frustrated by remembering all the passwords. Using a spreadsheet that contains all the passwords and account numbers is not the answer. A password manager will greatly help with this task and ensure that you are using strong passwords. For various reasons I recommend against ones that store your passwords online. There are many available but comparing and contrasting them is for another blog post.
Another thing to be aware of is that Chrome saves your AutoFill information, which quite often includes your mailing address. Please consider whether or not you want to store and possibly share that information. Also, if you store a password in Google Chrome it is also stored on Google’s computers as well as available on the Internet at https://passwords.google.com.
The option to me that is most effective is Two-Factor Authentication, often abbreviated as 2FA or TFA. Not every application supports this feature, and many of the ones that do are web based. This process requires two pieces of data in order to be able to complete a login, or authenticate into the system. The two most common ways to do this task are either using a token or having the service send you a message to confirm that you are making the request. Examples of these processes are PayPal sending a text message to a user that needs to be entered. The other typical case is using a token generator; an example of this approach is Dropbox if 2FA is enabled. The token generator can be installed on a device such as a smart phone, the generator then needs to be configured to work with the website.
Two factor is a great tool to make impersonating you harder. This idea is also predicated on the idea that your token generator is not in your laptop case at the time of loss. Typically there is a weakness of allowing a computer to be remembered and validated as shown above. That setting basically turns off two-factor authorization on that computer. An important thing to have is a way to deauthorize your computers. The same way one would call the credit card company to turn off a credit card that has been lost, one needs to do that for the missing laptop as well. To complete this task one typically needs another computer and the credentials to be able to login and deauthorize the accounts in question. Most applications will also allow you to see the last time that device was connected to the service.
I hope this helps you. Make sure to check with your company’s IT department to see if they have plans in place for a lost device. Remember, security is a process not a destination. It takes constant attention to remain safer.
I have started purchasing more and more custom art. The artists vary from graphic novel artists to colorists to cartoon animators to musicians. As my friend Bill knows, when asked what I want for the piece I say “Artist’s choice.” I have said it to him so many times I think he is getting sick of it. The question he should be asking is “Why artist’s choice?” So Bill and my other loyal readers, here is why I do artist’s choice.
All too often musicians are asked for the same song over and over. The comedy request of Freebird has become irritating to some musicians I know. So irritating that more than one musician has created a different song called Freebird to counteract that trend. When an artist is preparing a setlist for their first time in a venue or an event, I do not want to change their plans. It is important to let the artists represent themselves. This point is important to me. If someone has an hour to play a set of music that is representative of their work and will help in getting invited back I do not want to mess it up for them.
When requesting illustrations, I figure that some artists have drawn the same thing over and over again and again. How many times can one draw the same character before it becomes rote and no longer a creative art? Worse yet, it becomes unenjoyable for the artist. As a result when I commission a piece of art, I try to talk with the artist and explain what I like and that it should be artist choice. As a result I have ended up with some cool art, such as a sketch of David Bowie as the Joker from Mike McKone.
Even when taking part in Patreon and Kickstarter funding where the premium for the patron is custom art, I still select Artist’s Choice. I will provide guidance of what my interests and likes are, however it is still artist’s choice.
Yes, Bill – Artist’s Choice. Always.
Give it a try; you will most likely be pleasantly surprised.