Clean Fast Contactless Biometrics

(Image from DW)

The COVID-19 pandemic may be a fading memory, but contactless biometrics remains popular.

Back in the 1980s, you had to touch something to get the then-new “livescan” machines to capture your fingerprints. While you no longer had messy ink-stained fingers, you still had to put your fingers on a surface that a bunch of other people had touched. What if they had the flu? Or AIDS (the health scare of that decade)?

As we began to see facial recognition in the 1990s and early 2000s, one advantage of that biometric modality was that it was CONTACTLESS. Unlike fingerprints, you didn’t have to press your face against a surface.

But then fingerprints also became contactless after someone asked an unusual question in 2004.

“Actually this effort launched before that, as there were efforts in 2004 and following years to capture a complete set of fingerprints within 15 seconds…”

This WAS an unusual question, considering that it took a minute or more to capture inked prints or livescan prints. And the government expected this to happen in 15 seconds?

A decade later several companies were pursuing this in conjunction with NIST. There were two solutions: dedicated kiosks such as MorphoWave from my then-employer MorphoTrak, and solutions that used a standard smartphone camera such as SlapShot from Sciometrics and Integrated Biometrics.

The, um, upshot is that now contactless fingerprint and face capture are both a thing. Contactless capture provides speed, and even the impossible 15-second capture target was blown away.

Fingers and faces can be captured “on the move” in airports, border crossings, stadiums, and university lunchrooms and other educational facilities.

Perhaps iris and voice can be considered contactless and fast.

But even “rapid” DNA isn’t that rapid.

Ensuring Accurate Product Marketing Messaging

One of the drawbacks of LinkedIn’s collaborative articles is that the answers end up in a difficult-to-access place.

So I’m repurposing my recent answer to an article on ensuring accurate messaging. My original answer is buried within https://www.linkedin.com/advice/3/sales-promoting-misleading-product-claims-how-hpzxf?contributionUrn=urn%3Ali%3Acomment%3A%28articleSegment%3A%28urn%3Ali%3AlinkedInArticle%3A7277750320556855296%2C7277750322389807104%29%2C7291507111144919040%29&dashContributionUrn=urn%3Ali%3Afsd_comment%3A%287291507111144919040%2Curn%3Ali%3AarticleSegment%3A%28urn%3Ali%3AlinkedInArticle%3A7277750320556855296%2C7277750322389807104%29%29&articleSegmentUrn=urn%3Ali%3AarticleSegment%3A%28urn%3Ali%3AlinkedInArticle%3A7277750320556855296%2C7277750322389807104%29 (told you it was difficult to access).

  1. First, create the correct messaging, both internal and external. If Sales has no material, they’re going to say whatever they want.
  2. Second, get executive buy-in on the messaging. And make sure they’ve bought in. One of my projects was doomed when I received no response, then kinda sorta got an OK, then later got a “why are we doing this?”
  3. Third, communicate the messaging. That’s why you need the internal part.
  4. Fourth, enforce the messaging.

Justin Welsh on Being Boring

(Imagen 3)

I’m not the only one who grips my keyboard. On Saturday, Justin Welsh wrote “The hidden power of being boring.” Excerpt:

If you ask me, success isn’t about unlocking secrets — it’s about doing the boring stuff, day in and day out….

I write. I write every single day. Even when I don’t feel inspired. Even when nobody seems to care. And even when it feels like I’m talking to an empty room. I’ve now written for over 2,100 consecutive days without missing.

But of course, that’s not what people want to hear.

Discovery With Your Ears

(All images Imagen 3)

You probably have meetings with potential customers. The common term for these meetings is the “discovery call.”

Because I’m contrarian, I never use the term “discovery call,” and instead just refer to a “30 minute content needs assessment.” I should add, a “FREE 30 minute content needs assessment.” (Although 99% of these initial meetings are free anyway.)

Whatever you call the meeting, your job in the meeting isn’t to be like Christopher Columbus and chart new lands and persist in the mistaken belief that you’re in China.

Your primary job is to LISTEN.

It’s not all about me

Using Bredemarket as an example, my primary goal in the meeting isn’t to blather on about my 30 years in biometrics, or my more than 30 years of writing, or how I was a former Radio Shack Battery Club card holder, or how I shook Gerald Ford’s hand once.

There is a well-known marketer who starts every one of their webinars with a five-minute introductory video that describes how great the marketer is. After sitting through a few of these introductions, I resolved to intentionally attend the next webinar five minutes later so that I didn’t have to sit through that again. But as time passed, I found I wasn’t attending any of the marketer’s webinars at all.

It’s all about you

Returning to Bredemarket, my goal for the initial meeting is to listen and focus upon what the potential customer needs.

Another in-vogue term is “pain points,” and that’s a term that I actually DO use. The potential customer has a problem, and maybe Bredemarket can help solve it, or maybe Bredemarket can’t.

And I’m not going to know that if I don’t let the potential customer speak.

It’s all about us

Now if you’re a potential customer that needs content, proposal, or analysis marketing and writing services, you can read about Bredemarket’s services on my “CPA” page.

And you can decide whether you want to book a “Free 30 minute content needs assessment” with me.

TPRM

(Imagen 3)

A little (just a little) behind the scenes of why I write what I write.

What does TPRM mean?

I was prompted to write my WYSASOA post when I encountered a bunch of pages on a website that referred to TPRM, with no explanation.

Now if I had gone to the home page of that website, I would have seen text that said “Third Party Risk Management (TPRM).”

But I didn’t go to the home page. I entered the website via another page and therefore never saw the home page explanation of what the company meant by the acronym.

They meant Third Party Risk Management.

Unless you absolutely know that everybody in the world agrees on your acronym definition, always spell out the first instance of an acronym on a piece of content. So if you mention that acronym on 10 web pages, spell it out on all 10 of them.

That’s all I wanted to say…

How is NIST related to TPRM?

…I lied.

Because now I assume you want to know what Third Party Risk Management (TPRM) actually is.

Let’s go to my esteemed friends at the National Institute of Standards & Technology, or NIST.

What is TPRM?

But TPRM is implied in a NIST document entitled “Best Practices in Cyber Supply Chain Risk Management” (PDF). Because there are a lot of “third parties” in the supply chain.

When companies began extensively outsourcing and globalizing the supply chain in the 1980’s and 1990’s, they did so without understanding the risks suppliers posed. Lack of supplier attention to quality management could compromise the brand. Lack of physical or cybersecurity at supplier sites could result in a breach of corporate data systems or product corruption. Over time, companies have begun implementing vendor management systems – ranging from basic, paper-based approaches to highly sophisticated software solutions and physical audits – to assess and mitigate vendor risks to the supply chain.

Because if MegaCorp is sharing data with WidgetCorp, and WidgetCorp is breached, MegaCorp is screwed. So MegaCorp has to reduce the risk that it’s dealing with breachable firms.

The TPRM problem

And it’s not just my fictional MegaCorp. Cybersecurity risks are obviously a problem. I only had to go back to January 26 to find a recent example.

Bank of America has confirmed a data breach involving a third-party software provider that led to the exposure of sensitive customer data.

What Happened: According to a filing earlier this month, an unidentified third-party software provider discovered unauthorized access to its systems in October. The breach did not directly impact Bank of America’s systems, but the data of at least 414 customers is now at risk.

The breach pertains to mortgage loans and the compromised data includes customers’ names, social security numbers, addresses, phone numbers, passport numbers, and loan numbers.

Note that the problem didn’t occur at Bank of America’s systems, but at the systems of some other company.

Manage your TPRM…now that you know what I mean by the acronym.

WYSASOA

(Imagen 3)

A few of you may come away puzzled when I use the term “WYSASOA.”

I don’t understand this.

Isn’t it OBVIOUS that “WYSASOA” stands for “Why You Should Always Spell Out Acronyms”?

That’s pretty stupid, John, you’re saying. If you use acronyms and phrases without defining them, your readers are going to be confused and aren’t going to buy from you.

The counter-argument is that if you don’t know what WYSASOA means, then I probably don’t want to do business with you.

To a point, that’s true.

But why make it hard on yourself?

Perhaps someone doesn’t use WYSASOA, but does use EYA.

(pause)

“EYA” is “Explain Your Acronym.”

Do I have to spell out EVERYTHING to you?

Yes I do.

An Apple a Day Keeps the Doctor Busy

(Imagen 3)

Like Google Glass before it, Apple Vision Pro truly shines in vertical niche applications—not the mass market. Take healthcare:

“Apple Vision Pro’s price and weight are of no concern to doctors in the operating room, as the spatial computing platform helps replace expensive monitors and stiff necks.”

From “300 doctors attended a summit on Apple Vision Pro’s applications in surgery”

https://appleinsider.com/articles/25/01/31/300-doctors-attended-a-summit-on-apple-vision-pros-applications-in-surgery

People for Sale

News about iProov. According to Metropoler, the company discovered a dark web group in Latin America.

The group is

“amassing a substantial collection of identity documents and corresponding facial images, specifically designed to defeat Know Your Customer (KYC) verification processes. Rather than traditional theft, these identities may have been obtained through compensated participation, with individuals willingly providing their image and documentation in exchange for payment.”

To uncover such fraudulent activity, a mere government ID to selfie comparison is not enough, since both are from a real person. You need more sophisticated checks such as liveness detection, which iProov offers. You can find iProov’s ISO 30107-3 Presentation Attack Detection Level 2 confirmation letters on iBeta’s page.

But why?

Why would anyone sell their identity, either legitimately (to the World ex Worldcoin folks) or illegitimately (to this dark web outfit)?

Sadly, desperation. If you have a basic need to eat, who cares who is using your ID and what they’re doing with it?

Clean, the Cleanest I’ve Been (EtO)

There’s a critical difference between biometrics for identification and biometrics for health. Well, MOST biometrics for identification; what I’m about to say doesn’t apply to DNA.

When you capture biometrics from people, you don’t really care about cleanliness. If the person’s fingernails are dirty, you capture the fingerprints anyway. If the eye is infected, you capture the irises anyway.

But when you get into the healthcare arena, cleanliness is next to you-know-what.

And there are technologies for that.

Ethylene Oxide (EtO) gas is one of the most common ways to sterilize medical devices, a safe, tightly controlled, highly regulated process which is critical for preventing infections and ensuring patients have safe surgeries and medical treatments.

And in some cases, EtO is the ONLY way to sterilize some medical devices.

So great! Use it all the time! There’s just one teeny problem:

EtO is a human carcinogen. It causes cancer in humans. Scientific evidence in humans indicates that regular exposure to EtO over many years increases the risk of cancers of the white blood cells, including non-Hodgkin lymphoma, myeloma, and lymphocytic leukemia. Studies also show that long-term exposure to EtO increases the risk of breast cancer in women.

Workers who use EtO as a part of their jobs and people who work, live, or go to school or daycare near facilities that use EtO may breathe in EtO at levels that can increase cancer risk.

So there are companies (I won’t name them here, but you can find them) who specialize in mitigating EtO risk to humans.

And these companies need content, proposal, and analysis services.

But let’s get on to the important part: the song I quoted in the title of this post.

From https://www.youtube.com/watch?v=h1mD-_DKHc0.