Author Archives: bredemarket

Marketing and writing services.

“Somewhat You Why” in Minnesota

Remember my earlier post “‘Somewhat You Why,’ and Whether Deepfakes are Evil or Good or Both”?

When I posted it, I said:

I debated whether or not I should publish this because it touches upon two controversial topics: U.S. politics, and my proposed sixth factor of authentication. 

I eventually decided to share it on the Bredemarket blog but NOT link to it or quote it on my socials.

Well, I’m having the same debate with this post, which is ironic because I learned about the content via the socials. Not that I will identify the source, because it is from someone’s personal Facebook feed.

Just a random picture of Princess Diana. Public domain.

My earlier post analyzed my assumption that deepfakes are bad. It covered the end of National Science Foundation funding for deepfake research, apparently because deepfakes can be used as a form of First Amendment free speech.

Well, the same issue is appearing at the state level, according to the AP:

X Corp., the social media platform owned by Trump adviser Elon Musk, is challenging the constitutionality of a Minnesota ban on using deepfakes to influence elections and harm candidates, saying it violates First Amendment speech protections.

As I previously noted, this does NOT mean that X believes in a Constitutional right to financially defraud people.

  • Or do I have a Constitutional right to practice my freedom of religion by creating my own biometric-free voter identification card like John Wahl did?

Again, is it all about intent? Somewhat you why?

And if your firm provides facial recognition, how do you address such issues?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Lincoln’s laptop from Imagen 3)

Amazon in Upland: Is a Bear a Non-Person Entity?

So the day approaches, and the Upland Amazon Fresh will hold its grand opening on Thursday, May 1.

Amazon Fresh, Upland, California.

Wonder if the bear will show up.

Image from https://abc7.com/amazon-driver-bear-delivery-in-upland-caught-on-video/11503470/

What? You forgot about the bear?

“Yes, that’s an Amazon driver in the foreground, raising his hands to try to scare a bear away so he can make his delivery. He was successful. 

“The full Storyful video can be found here. (And of course it’s a Ring video. You didn’t expect a Nest video, did you?)”

I wonder if the bear’s paw will work with the palm vein reader.

Imagen 3. What’s the Amazon One error rate for THIS demographic group?

By the way, this is a reminder that Bredemarket provides its services to local Inland Empire businesses also. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

And one more thing…

After I wrote the main body of this post, I realized that I accidentally wrote the Bredemarket trifecta, covering all three of my concentrations:

  • Identity (Amazon)
  • Technology (Amazon)
  • Inland Empire (Amazon)

If you’re concerned about Amazon taking over everything, don’t fear. It will eventually fail.

But until it does, I’m gonna make some money!

#fakefakefake

Why Replacing Your Employees with VLM NPE Bots Won’t Defeat Social Engineering

(Scammed bot finger picture from Imagen 3)

Your cybersecurity firm can provide the most amazing protection software to your clients, and the clients still won’t be safe.

Why not? Because of the human element. All it takes is one half-asleep employee to answer that “We received your $3,495 payment” email. Then all your protections go for naught.

The solution is simple: eliminate the humans.

Eliminating the human element

Companies are replacing humans with bots for other rea$on$. But an added benefit is that when you bring in the non-person entities (NPEs) who are never tired and never emotional, social engineering is no longer effective. Right?

Well, you can social engineer the bot NPEs also.

Birthday MINJA

Last month I wrote a post entitled “An ‘Injection’ Attack That Doesn’t Bypass Standard Channels?” It discussed a technique known as a memory injection attack (MINJA). In the post I was able to sort of (danged quotes!) get an LLM to say that Donald Trump was born on February 22, 1732.

(Image from a Google Gemini prompt and response)

Fooling vision-language models

But there are more serious instances in which bots can be fooled, according to Ben Dickson.

“Visual agents that understand graphical user interfaces and perform actions are becoming frontiers of competition in the AI arms race….

“These agents use vision-language models (VLMs) to interpret graphical user interfaces (GUI) like web pages or screenshots. Given a user request, the agent parses the visual information, locates the relevant elements on the page, and takes actions like clicking buttons or filling forms.”

Clicking buttons seems safe…until you realize that some buttons are so obviously scambait that most humans are smart enough NOT to click on them.

What about the NPE bots?

“They carefully designed and positioned adversarial pop-ups on web pages and tested their effects on several frontier VLMs, including different variants of GPT-4, Gemini, and Claude.

“The results of the experiments show that all tested models were highly susceptible to the adversarial pop-ups, with attack success rates (ASR) exceeding 80% on some tests.”

Educating your users

Your cybersecurity firm needs to educate. You need to warn humans about social engineering. And you need to warn AI masters that bots can also be social engineered.

But what if you can’t? What if your resources are already stretched thin?

If you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity  client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Is Milwaukee Selling PII for Free Facial Recognition Software Access?

(Part of the biometric product marketing expert series)

Perhaps facial recognition product marketers have heard of stories like this. Or perhaps they haven’t.

Tight budgets. Demands that government agencies save money. Is this the solution?

“Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology.

“Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes.”

Read the article at https://www.jsonline.com/story/news/crime/2025/04/25/milwaukee-police-considering-trading-mugshots-for-facial-recognition-tech/83084223007/

As expected, activists raised all sorts of other concerns about facial recognition in general. But there’s an outstanding question:

What will Biometrica do with the 2.5 million images?

  • Use them for algorithmic training? 
  • Allow other agencies to search them?
  • Something else?
  • And what happens to the images if another company acquires Biometrica and/or its data? (See 23andMe.)

Biometrica didn’t respond to a request for comment.

And other facial recognition vendors operate differently.

How does your company treat customer data?

And how do you tell your story?

Do you have the resources to market your product, or are your resources already stretched thin?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Wheelbarrows from Imagen 3)

Now I’m Just Playing with Google Gemini

I asked Imagen 3 to help me illustrate nth party risk management.

Where you are connected with everyone to whom your connections are connected.

But I wanted to illustrate third-party risk management in a clean way. Back when AIDS became a sad feature of our lives in the 1980s, the description of how it spread from person to person could get a little graphic.

Why Does TPRM Fail? Not Because of the TPRM Software Providers.

For years I have maintained that the difficulties in technology are not because of the technology itself.

Technology can do wonderful things.

The difficulties lie with the need for people to agree to use the technology.

And not beg ignorance by saying “I know nothing.”

(Image of actor John Banner as Sgt. Schultz on Hogan’s Heroes is public domain.)

Case in point

I just saw an article with the title “TPRM weaknesses emerge as relationship owners fail to report red flags.

Unlike some clickbait-like article titles, this one from Communications Today succinctly encapsulates the problem up front.

It’s not that the TPRM software is failing to find the red flags. Oh, it finds them!

But the folks at Gartner discovered something:

“A Gartner survey of approximately 900 third-party relationship owners…revealed that while 95% saw a third-party red flag in the past 12 months, only around half of them escalate it to compliance teams.”

Among other things, the relationship owners worry about “the perceived return on investment (ROI) of sharing information.”

And that’s not a software issue. It’s a process issue.

wildebeests on a stairway, young to old, with the oldest wildebeest possessing a trophy
Wildebeest maturity model via Imagen 3.

No amount of coding or AI can fix that.

And this is not unique to the cybersecurity world. Let’s look at facial recognition.

Another case in point

I’ve said this over and over, but for U.S. criminal purposes, facial recognition results should ONLY be used as investigative leads.

It doesn’t matter whether they’re automated results, or if they have been reviewed by a trained forensic face examiner. 

Facial recognition results should only be used as investigative leads.

Sorry for the repetition, but some people aren’t listening.

But it’s not the facial recognition vendors. Bredemarket has worked with numerous facial recognition vendors over the years, and of those who work with law enforcement, ALL of them have emphatically insisted that their software results should only be used as investigative leads.

All of them. Including…that one.

But the vendors have no way to control the actions of customers who feed poor-quality data into their systems, get a result…and immediately run out and get an arrest warrant without collecting corroborating evidence.

And that’s not a software issue. It’s a process issue.

No amount of coding or AI can fix that.

I hope the TPRM folks don’t mind my detour into biometrics, but there’s a good reason for it.

Product marketing for TPRM and facial recognition

Some product marketers, including myself, believe that it’s not enough to educate prospects and customers about your product. You also need to educate them about proper use of the product, including legal and ethical concerns.

If you don’t, your customers will do dumb things in Europe, Illinois, or elsewhere—and blame you when they are caught.

Illinois, land of BIPA. I mean Lincoln.

Be a leader in your industry by doing or saying the right thing.

And now here’s a word from our sponsor.

Not the “CPA” guy again…

Bredemarket has openings

There’s a reason why this post specifically focused on cybersecurity and facial recognition.

If you need product marketing assistance with your product, Bredemarket has two openings. One for a cybersecurity client, and one for a facial recognition client. 

I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Bredemarket has openings. Imagen 3 again.

“Somewhat You Why,” and Whether Deepfakes are Evil or Good or Both

I debated whether or not I should publish this because it touches upon two controversial topics: U.S. politics, and my proposed sixth factor of authentication.

I eventually decided to share it on the Bredemarket blog but NOT link to it or quote it on my socials.

Although I could change my mind later.

Are deepfakes bad?

When I first discussed deepfakes in June 2023, I detailed two deepfake applications.

One deepfake was an audio-video creation purportedly showing Richard Nixon paying homage to the Apollo 11 astronauts who were stranded on the surface of the moon.

  • Of course, no Apollo 11 astronauts were ever stranded on the surface of the moon; Neil Armstrong and Buzz Aldrin returned to Earth safely.
  • So Nixon never had to pay homage to them, although William Safire wrote a speech as a contingency.
  • This deepfake is not in itself bad, unless it is taught in a history course as true history about “the failure of the U.S. moon program.” (The Apollo program had a fatal catastrophe, but not involving Apollo 11.)

The other deepfake was more sinister.

In early 2020, a branch manager of a Japanese company in Hong Kong received a call from a man whose voice he recognized—the director of his parent business. The director had good news: the company was about to make an acquisition, so he needed to authorize some transfers to the tune of $35 million….The manager, believing everything appeared legitimate, began making the transfers.

Except that the director wasn’t the director, and the company had just been swindled to the tune of $35 million.

I think everyone knows now that deepfakes can be used for bad things. So we establish standards to determine “content provenance and authenticity,” which is a fancy way to say whether content is real or a deepfake.

In addition to establishing standards, we do a lot of research to counter deepfakes, because they are bad.

Or are they?

What the National Science Foundation won’t do

Multiple sources, including both Nextgov and Biometric Update, are reporting on the cancellation of approximately 430 grants from the National Science Foundation. Among these grants are ones for deepfake research.

Around 430 federally-funded research grants covering topics like deepfake detection, artificial intelligence advancement and the empowerment of marginalized groups in scientific fields were among several projects terminated in recent days following a major realignment in research priorities at the National Science Foundation.

As you can probably guess, the cancellation of these grants is driven by the Trump Administration and the so-called Department of Government Efficiency (DOGE).

Why?

Because freedom:

Per the Presidential Action announced January 20, 2025, NSF will not prioritize research proposals that engage in or facilitate any conduct that would unconstitutionally abridge the free speech of any American citizen. NSF will not support research with the goal of combating “misinformation,” “disinformation,” and “malinformation” that could be used to infringe on the constitutionally protected speech rights of American citizens across the United States in a manner that advances a preferred narrative about significant matters of public debate.

The NSF argues that a person’s First Amendment rights permit them, I mean permit him, to share content without having the government prevent its dissemination by tagging it as misinformation, disinformation, or malinformation.

And it’s not the responsibility of the U.S. Government to research creation of so-called misinformation content. Hence the end of funding for deepfake research.

So deepfakes are good because they’re protected by the First Amendment.

But wait a minute…

Just because the U.S. Government doesn’t like it when patriotic citizens are censored from distributing deepfake videos for political purposes, that doesn’t necessarily mean that the U.S. Government objects to ALL deepfakes.

For example, let’s say that a Palm Beach, Florida golf course receives a video message from Tiger Woods reserving a tee time and paying a lot of money to reserve the tee time. The golf course doesn’t allow anyone to book a tee time and waits for Tiger’s wire transfer to clear. After the fact, the golf course discovers that (a) the money was wired from a non-existent account, and (b) the person making the video call was not Tiger Woods, but a faked version of him.

I don’t think anyone in the U.S. Government or DOGE thinks that ripping off a Palm Beach, Florida golf course is a legitimate use of First Amendment free speech rights.

So deepfakes are bad because they lead to banking fraud and other forms of fraud.

This is not unique to deepfakes, but is also true of many other technologies. Nuclear technology can provide energy to homes, or it can kill people. Facial recognition (of real people) can find missing and abducted persons, or it can send Chinese Muslims to re-education camps.

Let’s go back to factors of authentication and liveness detection

Now let’s say that Tiger Woods’ face shows up on YOUR screen. You can use liveness detection and other technologies to determine whether it is truly Tiger Woods, and take action accordingly.

  • If the interaction with Woods is trivial, you may NOT want to spend time and resources to perform a robust authentication.
  • If the interaction with Woods is critical, you WILL want to perform a robust authentication.

It all boils down to something that I’ve previously called “somewhat you why.”

Why is Tiger Woods speaking?

  • If Tiger Woods is performing First Amendment-protected activity such as political talk, then “somewhat you why” asserts that whether this is REALLY Woods or not doesn’t matter.
  • If Tiger Woods is making a financial transaction with a Palm Beach, Florida golf course, then “somewhat you why” asserts that you MUST determine if this is really Woods.

It’s simple…right?

What about your deepfake solution?

Regardless of federal funding, companies are still going to offer deepfake detection products. Perhaps yours is one of them.

How will you market that product?

Do you have the resources to market your product, or are your resources already stretched thin?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

(Lincoln’s laptop from Imagen 3)

The Military, Cyberattacks, and Maturity

Everyone knows that cyberattacks don’t just target private organizations. They also target governments, particularly aiming for agencies that either deal with a lot of money (unemployment agencies) or contribute to defending a country (military, homeland security).

The Chief Information Officer of the U.S. Department of Defense has a vested interest in preventing cyberattacks, not only against DoD, but against its third-party suppliers, which are the subject of today’s acronym, DIB (defense industrial base).

And if you’ve followed along in the Bredemarket blog lately, you know that a key component of preventing cyberattacks is raising your organization’s process maturity in the cybersecurity realm.

And yes, there’s a maturity model and a certification for that, the Cybersecurity Maturity Model Certification, or CMMC.

Cybersecurity is a top priority for the Department of Defense (DoD). The defense industrial base (DIB) faces increasingly frequent, and complex cyberattacks. To strengthen DIB cybersecurity and better safeguard DoD information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) Program to assess existing DoD cybersecurity requirements.

It’s no surprise that the CMMC incorporates multiple levels, in this case three of them.

  • Level 1: Basic Safeguarding of FCI (Federal Contract Information)
  • Level 2: Broad Protection of CUI (Controlled Unclassified Information)
  • Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

And not only is there a maturity model certification for the defense industrial base, but there’s a conference to help everyone out. After all the geeks celebrate May the Fourth Be With You day, some of the geeks will continue to celebrate on May 5, the date of the fifth annual CMMC Day. Party on.

Also see Biometric Update’s article, as well as NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

And if you need product marketing assistance with your cybersecurity product, Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/ 

(Military wildebeest image from Imagen 3)

You’re Not Lost in the Supermarket. The Supermarket Knows Exactly Who and Where You Are.

I’m all lost in the supermarket
I can no longer shop happily

Facial recognition laws and regulations vary from jurisdiction to jurisdiction, and as organizations apply facial recognition, they can’t just assume that facial recognition laws are the same as other privacy laws.

Caution urged as UK supermarkets check out facial recognition

This is the point that UK professor Fraser Sampson makes in a Biometric Update article. Among other things, Sampson (former UK Biometrics & Surveillance Camera Commissioner) notes the following:

This is not just any data processing, this is biometric processing. Major retailers have deep and wide experience handling customer data at macro level, but biometrics are elementally different. Using a biometric recognition system in the UK means they are processing ‘special category data’ and biometric data differs even from other types of special categories. This brings a number of significant risks, obligations and restrictions, some technological, some legal, some societal. The opportunities for missteps are many and the consequences profound. An early decision for the supermarket would be whether they want to be the controller, joint controller or processor; an early mistake would be to think it doesn’t matter.

Data controllers and data processors

For those who don’t inhabit the world of GDPR, the UK GDPR, and other privacy laws, here is Data Grail’s definition of a data controller:

A data controller is a service provider or organization determining the purposes and means of processing personal data. In simpler terms, a data controller decides why and how personal data collection, storage, and use occurs. They have the ultimate responsibility of ensuring data processing activities comply with applicable privacy laws and regulations. Data controllers bear the legal obligations associated with data protection, including providing transparency, obtaining consent, and safeguarding the personal data of data subjects.

Contrast that with a data processor:

Data processors are entities or organizations that process personal data on behalf of data controllers. They act under the authority and instruction of data controllers and handle personal data for the specified purposes defined by the data controller. Data processors are contractually bound to ensure data security and confidentiality. They don’t have the same decision-making power as data controllers and must adhere to the instructions provided by the data controller.

If you’re a supermarket in the United Kingdom, and you’re collecting facial biometric (and other) data, do you want to be a data controller or a data processor? And how will you manage the privacy aspects of your data collection?

Enter the facial recognition vendor

And if you’re a vendor of facial recognition software selling to UK supermarkets, how will you advise them?

And…you should have known this was coming…how will you provide content for your prospects and customers that educates them on the nuances of facial recognition privacy regulations?

If you need help with your facial recognition product marketing, Bredemarket has an opening for a facial recognition client. I can offer

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Bredemarket has an opening for a facial recognition client.

(All images from Imagen 3)