bredemarket

I’m Hurt. I Thought ViVi Contras Belleville Brown 429 Only Tried to Scam Me.

Do you remember ViVi Contras Belleville Brown 429, the long-winded scammer who contacted me at length about a position at “the intersection of Global Supply Chain and Systemic Accountability”?

Well, I guess I’m not the only candidate she targeted. I just received an email that read, in part, as follows. (I’m hiding the identity of the emailer to spare them from other scammers.)

“I received a very similar ‘contact’ from Vivi Brown trying to solicit my employment interest in the same AI/Energy Structure start-up. Oddest ‘interview’ procedure I have ever seen. No concrete job descriptions, organization structures, identification of Founders, etc. All communications mandated on WhatsApp (encrypted). Very verbose ‘corporate speak’ exchanges. When I asked if this was AI, they obviously denied that it was. Answers to background questions don’t necessarily add up. Company startup name given to me was “ARCLight’, and their interest in me reportedly ties to my mgt experience in Energy Structure Development. Numerous pictures (AI driven ?) of the young Vivi Brown have been forwarded with ‘feel good’ influence peddling formats, mixed in ‘business’ answers to my structure comments/questions. It looks like the AI derived Vivi was created as an Influencer on EezyCollab (“catfishing”?).”

I never encountered the WhatsApp red flag since I applied my KYB Fraud Failure flag early on, but I’m not surprised.

As for EezyCollab (which was NOT part of the scam, but may have been used by the scammer), it “connects AI products with the right creators across global markets — powered by an AI platform of 100M+ creators, direct pricing, and end-to-end delivery.” Plus its founder Yiki Chen is a marketer and vibe coder who has been vibe coding since 2021. Groovy.

Returning to Vivi, I found the website https://www.shvivi.com/#home for A.R.C (sic) Insight. (Not ARCLight.) It includes insights such as the following:

“Vivi Brown’s profile was not built through display. It was formed through consistency, disciplined judgment, and the gradual development of capability — producing a rare combination of written clarity, operational steadiness, and long-range strategic calm.”

Yes, written clarity.

So What About OMB M-22-09?

In a previous post I looked at the Biden Administration Executive Order 14028 – Improving the Nation’s Cybersecurity, including its championing of Zero Trust Architecture (ZTA) and least-privilege access.

During the Biden Administration, the Office of Management and Budget issued a related memorandum, M-22-09 (PDF), that dictated a particular approach. Again, ZTA was emphasized.

And the OMB proposed an action plan:

This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. These goals are organized using the zero trust maturity model developed by CISA. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).

Naturally I’m interested in the identity part.

Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.

Agencies must use strong MFA throughout their enterprise.

MFA must be enforced at the application layer, instead of the network layer.

For agency staff, contractors, and partners, phishing-resistant MFA is required.

For public users, phishing-resistant MFA must be an option.

Password policies must not require use of special characters or regular rotation.

When authorizing users to access resources, agencies must consider at least one devicelevel signal alongside identity information about the authenticated user.

Did the Federal Government accomplish the OMB M-22-09 identity objectives?

Sort of.

While some agencies mostly moved to centralized systems, some legacy systems didn’t transition.
Authentication moved away from weak MFA (such as sending an SMS to a device as the second factor).
Device signals aren’t fully implemented. Using one example, dynamically blocking access in real-time if a virus is detected is NOT fully operational. But this is challenging when you consider all the computers, smartphones, and other devices (including Internet of Things devices) that are managed.

But the government said (in a 2024 Impact Report) that the government performed well.

In effect, OMB M-22-09 is now a legacy document since the 2024 deadline has passed. But it’s still referenced, somewhat, in government cybersecurity efforts.

Are you meeting your prospects’ zero trust needs?

If Bredemarket can help you with strategic and tactical analysis, content, and proposals that address the zero trust architecture, set up a free meeting with me to discuss your goals.

Jurisdictional Privacy and Consent

Where are you?

Who are you?

The answers to these questions affect if or how you obtain consent to use one’s personally identifiable information, or PII.

Privacy regulations can change when you cross country or even city lines, and they can also change depending on who you are: an individual, a business, or a government agency.

How?

On one extreme, some entities in some jurisdictions don’t need to obtain consent at all. For example, the General Data Protection Regulation (GDPR) doesn’t require consent to perform an anti-money laundering (AML) check, since this is a legal obligation.

On the other extreme, some entities in some jurisdictions must obtain express written consent. If I am a homeowner in Schaumburg, Illinois, and I use a doorbell camera to identify friends or foes approaching my door, the Biometric Information Privacy Act (BIPA) prohibits me from capturing their biometrics without their consent, and lets them sue me if I do it anyway.

Before you collect PII, check the laws in your jurisdiction first.

Oh, and check the laws in other jurisdictions in case they try to enforce their laws in your jurisdiction.

By the way: if you’re a software or hardware vendor, don’t assume that you bear no responsibility and that only your customer does.

You must educate your customers.

And Bredemarket can help you with my content-proposal-analysis services.

CPA

CPA.

(Told you I’d bring this landing page back.)

Proving Humanity

Does it sometimes seem like humanity is obsolete?

There are seemingly more non-human identities than human ones. Bots are selling, and bots are buying.

And we are preparing for this.

We are currently in the phase where human influencers tell human listeners how AI will change everything.
But this phase is only transitional, because the human influencers and human listeners are no longer needed.
Why does Satya Nadella have to criticize references to “slop” when a bot can issue those criticisms much more quickly…without the nearly $100 million price tag?

So humanity is no longer necessary.

Or is it?

There are pockets where people value humanity and think that a human brings something that a bot never could.

But before we stop relying on bots and start relying on humans, we need to know whether those humans are real, or if they are bots themselves.

To do this, we have to know who those humans are—proving humanity.

About the Operational Zero Trust Architecture Portions of Executive Order 14028

Phishing-resistant government systems are no longer a “nice-to-have,” but are now a federal mandate. Government agency information technology (IT) leaders are compelled to meet Zero Trust Architecture (ZTA) mandates.

One such mandate is Executive Order 14028 – Improving the Nation’s Cybersecurity, originally issued by President Joe Biden in 2021. Although portions of this executive order were subsequently modified by Executive Order 14306, the impetus toward ZTA remains.

As you can see from the sections quoted below, the Federal Government agency emphasis focuses on:

Zero Trust Architecture, which supersedes the prior notion that the “internal” portions of a network can be trusted. Threats can come from anywhere.
Securing cloud implementations, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
Least-privilege access, in which each user (this was when users were assumed to be human) only has the privileges they require.

Section 3, Modernizing Federal Government Cybersecurity

(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.

(b) Within 60 days of the date of this order, the head of each agency shall…

(ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them…

(c) As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture….

(i) Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly. Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.

Section 10, Definitions

(k) the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.

The Bredemarket sales pitch

Can Bredemarket help you describe your zero trust architecture solution? If so, set up a free meeting with me to discuss your needs.

Identifying Non-Human Identities with SPIFFE and SPIRE

I once tried to see if non-human identities could verify and authenticate with the six human factors. (Yeah, six. Watch for the book.)

Definitions

In reality, non-human identities use entirely different authentication methods…with their own acronyms. For example:

SPIFFE is the Secure Production Identity Framework For Everyone.
SPIRE is the SPIFFE Runtime Environment.

So what are SPIFFE and SPIRE?

“SPIFFE and SPIRE provide strongly attested, cryptographic identities to workloads across a wide variety of platforms”

That wide variety of platforms is distributed.

“SPIFFE and SPIRE provide a uniform identity control plane across modern and heterogeneous infrastructure. Since software and application architectures have grown substantially, they are spread across virtual machines in public clouds and private data centers.”

Distinguishing between the two, the SPIFFE Project “defines a framework and set of standards for identifying and securing communications between application services, while the runtime environment SPIRE “is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms.”

Benefits

Forget all that. Let’s get to the benefits.

Enable defense in depth: Provide strongly attested identities to reduce the likelihood of breach through credential comprise

Reduce operational complexity: Consistent, automated management of identity reduces the burden of devops teams

Interoperability: Simplifies the technical aspects of full interoperability across multiple stacks

Compliance and auditability: Enables mutually authenticated TLS and multiple roots of trust to meet regulatory requirements

Use at Uber

But does anyone use it? Yes. Take Uber:

“We use SPIRE at Uber to provide identity to workloads running in multiple clouds (GCP, OCI, AWS, on-premise) for a variety of jobs, including stateless services, stateful storage, batch and streaming jobs, CI jobs, workflow executions, infrastructure services, and more. We have worked with the open source community since the early stages of the project in mid-2018 to address production readiness and scalability concerns.”

More here.

Now this is admittedly a whole new world for me, far afield from the usual 12345 and gummy arguments where I usually reside. But since bots will soon outnumber people (if they don’t already), we had all better learn it.

WordPress and Claude: No, Yes, Maybe, No, No…and No

There is a difference between a writer and a content creator. It becomes obvious when you read WordPress’ recent post, “How to Slop Your Content in Five Steps.”

Actually, that’s not the title.

Claude the content creator

Whoever or whatever wrote WordPress’ post used a more AEO-friendly title: “How to Build an Endless Stream of Content Ideas with WordPress and Claude.”

And there are five steps.

Step 1: Connect Claude to your WordPress.com website.

Step 2: Ask Claude to review your website and find content gaps.

Step 3: Ask Claude to prioritize topics and create a content calendar.

Step 4: Create Claude-assisted outlines and articles.

Step 5: Ask Claude to add the article to WordPress.com.

Bredemarket the writer

Before I discuss these five steps, let me state two things specific to me that may not apply to you.

I never let a non-human write the first draft, much less the final piece. This has been my policy since 2023.

With one glaring exception, the Bredebot project. This is a highlighted experiment to see how far a well-prompted bot will go.

So my specific response to these steps is to consider the gap analysis in step 2. Bots are good at such analysis, but they have to be watched in case they don’t get their facts straight.

But I won’t give Claude the permission to write and post articles, or even any permissions on WordPress. This is a security issue, after all; how do YOU control site access for non-human identities?

In fact, I may not even use Claude for step 2, even if it’s the cool kid this week last I checked. I may use Gemini…or a thousand Bangladesh techies…or a million Pentiums…or Mika.

How you work with outside content creators

But what about you?

Before answering, take the five steps above and change the name “Claude” to Barney…or Bredemarket.

Would you give Barney or Bredemarket that power over your website?

Maybe…or maybe not.

How Bredemarket works with you

In the case of Bredemarket, I usually do NOT have direct access to my clients’ websites, sending them Word documents instead. And in the one instance where I did have website access, I left every one of my drafts in draft mode.

And when I perform a gap analysis, I present my client with choices and ask the client to choose the topic, or at least approve my suggested topic.

Because your website is not mine, or Mika’s…or Claude’s.

Stop losing prospects! Use Bredemarket content for tech marketers

Bias…For Truth

If you are not “biased” with experience, you don’t know when generative AI is feeding you BS.

If you are biased with the experience of the truth, you know when to ask questions.

Fire (Walls!)

You don’t have to think much to know the origin of the computing term “firewall.”

It came from real life, from the walls that were built to protect structures from fires.

There was a song in the 1970s about fire, but it had nothing to do with firewalls.

How Do You Track Progress When People Resist Tracking?

How do you track project progress when people resist project tracking?

Track the project and don’t tell them.

Double-secret project management.