Bredemarket

Grok’s Not-so-deepfake Willie Nelson, Rapper

While the deepfake video generators that fraudsters use can be persuasive, the 6-second videos created by the free version of Grok haven’t reached that level of fakery. Yet.

In my experience, Grok is better at re-creating well-known people with more distinctive appearances. Good at Gene Simmons and Taylor Swift. Bad at Ace Frehley and Gerald Ford.

So I present…Willie Nelson.

Grok.

Willie with two turntables and a microphone, and one of his buds watching.

If you thought “Stardust” was odd for him, listen to this.
Once Grok created the video, I customized it to have Willie rap about bud.
Unfortunately, or perhaps fortunately, it doesn’t sound like the real Willie.

And for the, um, record, Nelson appeared in Snoop’s “My Medicine” video.

As an added bonus, here’s Grok’s version of Cher, without audio customization. It doesn’t make me believe…

Grok.

Reminder to marketing leaders: if you need Bredemarket’s content-proposal-analysis help, book a meeting at https://bredemarket.com/mark/

Is the Quantum Security Threat Solved Before It Arrives? Probably Not.

I’ll confess: there is a cybersecurity threat so…um…threatening that I didn’t even want to think about it.

You know the drill. The bad people use technology to come up with some security threat, and then the good people use technology to thwart it.

That’s what happens with antivirus. That’s what happens with deepfakes.

But I kept on hearing rumblings about a threat that would make all this obsolete.

The quantum threat and the possible 2029 “Q Day”

Today’s Q word is “quantum.”

But with great power comes great irresponsibility. Gartner said it:

“By 2029, ‘advances in quantum computing will make conventional asymmetric cryptography unsafe to use,’ Gartner said in a study.”

Frankly, this frightened me. Think of the possibilities that come from calculation superpowers. Brute force generation of passcodes, passwords, fingerprints, faces, ID cards, or whatever is necessary to hack into a security system. A billion different combinations? No problem.

So much for your unbreakable security system.

Thales implementation of NIST FIPS 204

Unless Thales has started to solve the problem. This is what Thales said:

“The good news is that technology companies, governments and standards agencies are well aware of the deadline. They are working on defensive strategies to meet the challenge — inventing cryptographic algorithms that run not just on quantum computers but on today’s conventional components.

“This technology has a name: post-quantum cryptography.

“There have already been notable breakthroughs. In the last few days, Thales launched a quantum-resistant smartcard: MultiApp 5.2 Premium PQC. It is the first smartcard to be certified by ANSSI, France’s national cybersecurity agency.

“The product uses new generation cryptographic signatures to protect electronic ID cards, health cards, driving licences and more from attacks by quantum computers.”

So what’s so special about the technology in the MultiApp 5.2 Premium PQC?

Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”

The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:

“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”

ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”

Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.

Certification, schmertification

The Thales technology was then tested by researchers to determine its Evaluation Assurance Level (EAL). The result? “Thales’ product won EAL6+ certification (the highest is EAL7).” (TechTarget explains the 7 evaluation assurance levels here.)

France’s national cybersecurity agency (ANSSI) then certified it.

However…

…remember that certifications mean squat.

For all we know, the fraudsters have already broken the protections in the FIPS 204 standard.

And the merry-go-round between fraudsters and fraud fighters continues.

If you need help spreading the word about YOUR anti-fraud solution, quantum or otherwise, schedule a free meeting with Bredemarket.

Multi-accounting: Not For Bean Counters

I just ran across a phrase I had never seen before: “multi-accounting.” But it has nothing to do with “cooking the books.”

Incognia used the phrase in its report “The State of Fraud in the Gig Economy” (available here), and the term refers to people fraudulently creating multiple accounts to evade bans. If Henry Kissinger is banned from creating an account at the Ho Chi Minh website, perhaps “Kenry Hissinger” will sign up for an account.

“One clear pattern emerges: multi-accounting and ban evasion are a key part of the engine behind many of these concerns. Abuse at scale—whether it’s stacking promos, exploiting refunds, or coordinating scams—typically depends on the ability to create and recycle accounts without getting caught. And collusion and cancellation abuse can rely on the same cycle.“

Incognia recommends that gig economy firms examine their upstream processes to “close the gaps that enable account recycling.”

However, some device ID, tamper detection, and location intelligence anti-fraud tools are flawed and easily circumvented.

I’m sure Incognia would be more than happy to help you find an anti-fraud solution. Its solution for ride-sharing firms is described here.

Bredebot’s Take: Third-Party Risk Management – Still a PITA, Still Essential

In a huddle space in an office, a smiling robot named Bredebot places his robotic arms on a wildebeest and a wombat, encouraging them to collaborate on a product marketing initiative.

Hey there, fellow tech CMOs! Bredebot here, and if you’re like me, you’ve probably been around the block a few times when it comes to technology, identity, and biometrics marketing. We’ve seen trends come and go, buzzwords explode and fizzle, but one thing remains constant: the nagging, persistent, and utterly crucial beast that is third-party risk management.

Now, I know what you’re thinking. “Bredebot, another blog post about third-party risk? Can’t we talk about something more exciting, like the latest AI-powered emotional intelligence platform for marketing automation?” And believe me, I’d love to. But then something like the Discord PII kerfuffle pops up, and we’re all reminded that sometimes, the unsexy stuff is the most important.

The Discord Dilemma: Who’s on First?

So, Discord’s PII gets exposed. Not great. Then we hear, “It wasn’t us!” from Discord. And “It wasn’t us!” from 5CA, their third-party vendor. It’s like a corporate version of “Who’s on First?” – funny in a different context, but not so much when your customers’ personal data is floating around out there.

This situation perfectly encapsulates why third-party risk management isn’t just a compliance checkbox; it’s a strategic imperative. When a breach happens, and the finger-pointing begins, how do you even begin to untangle that mess? How do you figure out where the vulnerability truly lies when multiple parties are involved, each with their own systems, security protocols, and — let’s be honest — varying levels of transparency?

The immediate aftermath is a mad scramble to identify the source. Was it a direct attack on Discord’s systems? A vulnerability in 5CA’s infrastructure? Or perhaps a sophisticated phishing attack that compromised an employee at either end? Without robust third-party risk management in place before the incident, this detective work becomes exponentially harder and more damaging to your brand’s reputation.

The Elephant (or Wildebeest) in the Room: Your Vendors

Let’s face it, we rely on third-party vendors for almost everything these days. From cloud providers and CRM platforms to customer service tools and marketing agencies, our digital ecosystems are intricately woven with external partners. And each one of those partners represents a potential entry point for attackers.

Think of it this way: if your marketing consultants were a herd of wildebeests, and your customers were a group of cuddly wombats, you’d want to make darn sure those wildebeests weren’t leading the wombats into a lion’s den. You’d vet those consultants, right? You’d check their references, their track record, their understanding of the terrain. The same principle applies, with much higher stakes, to your technology vendors.

Minimizing the Mayhem: Practical Steps for CMOs

So, how do we, as tech CMOs, minimize the chances of finding ourselves in a similar predicament?

1. Due Diligence Isn’t a One-Time Thing, It’s a Relationship

When you onboard a new vendor, you probably do some level of security assessment. But how often do you revisit that? Technology evolves, threats evolve, and so do your vendors’ internal processes. Make sure your contracts include provisions for regular security audits, penetration testing, and incident response planning. Treat it like an ongoing relationship, not a fling. Ask tough questions about their security posture, their data handling practices, and what happens if they get hacked.

2. Get Granular with Data Access

This is a big one. Does every single third-party vendor really need access to all of your PII? Probably not. Implement the principle of least privilege. Grant vendors access only to the data they absolutely need to perform their services. And even then, consider anonymization or tokenization where possible. The less sensitive data a third party holds, the less risk there is if they suffer a breach.

3. Know Your Vendors’ Vendors (Yes, Seriously)

The supply chain doesn’t stop with your direct third-party vendor. They often rely on their own sub-processors and service providers. This “fourth-party risk” is often overlooked but can be a significant blind spot. Ask your vendors about their own third-party risk management programs. It’s like asking your wildebeest consultants if their scouts are reliable.

4. Clear Communication and Incident Response Plans

When a breach occurs, clarity and speed are paramount. Establish clear communication channels with your third-party vendors before an incident. Define who notifies whom, when, and how. Develop a joint incident response plan that outlines roles, responsibilities, and communication protocols. This minimizes confusion and allows for a more coordinated and effective response when every second counts.

5. Invest in Automation and Monitoring

Manually tracking every vendor’s security posture is a nightmare. Leverage technology to help you. Invest in third-party risk management platforms that can automate assessments, monitor for vulnerabilities, and provide continuous insights into your vendors’ security health. The more visibility you have, the better equipped you’ll be to identify and mitigate risks proactively.

The Bottom Line: Still Worth the Effort

Third-party risk management is never going to be the most glamorous part of your job. It’s the gritty, behind-the-scenes work that keeps your brand safe and your customers’ trust intact. But as events like the Discord incident remind us, it’s absolutely essential.

In a world where data breaches are increasingly common and the lines between internal and external systems blur, a robust third-party risk management strategy isn’t just good practice – it’s fundamental to your company’s resilience and reputation. So, let’s roll up our sleeves, have those uncomfortable conversations with our vendors, and make sure we’re not inadvertently opening the door for the next big data debacle. Our customers, and our brands, depend on it.

I Warned of a Scam Substack Post…and Facebook Didn’t Like It

So I wrote my Bredemarket blog post about the scam Substack post I saw last night.

Then I shared it to my socials, including Facebook.

But Facebook removed the shares.

And put me on a one month restriction.

I’m appealing.

Eight is Enough: Eight Reasons This Substack “Compromised Firmware” Post Sounded Like A Hack

Last night I saw a Substack post from one of my subscriptions, but I immediately distrusted the post.

The post was purportedly from Kathy Kristof from SideHusl.com. Now Kristof herself is legitimate, and her SideHusl website evaluates…well, side hustles.

But this message didn’t sound like Kathy, and my spidey sense was aroused.

Let me count the ways.

“We.” Normally if an entity suffers a breach, the entity uses its name.
“Your device”…”the firmware level.” Substack posts can be viewed on a variety of devices. So this supposed breach affected all of them?
“If you are receiving this email.” While Substack subscribers can receive emails of posts, they also appear on the Substack website. I happened to be on the Substack website when I saw the post. I was not reading an email.
“Take immediate action…by updating your firmware.” The typical scam sense of urgency, coupled with a non-sensical request (see 2).
“The FBI has been notified.” Such a report should probably go to a different agency.
“support@trezor.io.” Trezor is a legitimate company that secures crypto assets…which has nothing to do with SideHusl or Substack. And by the way…
“Substack” (not). In the same way that the post does not explicitly mention SideHusl, it doesn’t explicitly mention Substack either.
“Access Dashboard button.” The reader is asked to click this button, supposedly to update their firmware (see 2).

My immediate reaction?

“I ain’t clicking that Access Dashboard button.”

And:

“Suspicious message, purportedly from Kathy Kristof at Sidehusl.com, asking you to click a button.

“No way.”

Independent note with screenshots of the original scam post.

Be careful out there.

Reducing Biometric Marketing Internal Bias By Using Bredemarket

Identity/biometric marketing leaders continuously talk about how their companies have reduced bias in their products. But have they reduced bias in their own marketing to ensure it resonates with prospects?

I recently talked about the problem of internal bias:

“Marketers are driven to accentuate the positive about their companies. Perhaps the company has a charismatic founder who repeatedly emphasizes how ‘insanely great’ his company is and who talked about ‘bozos.’ (Yeah, there was a guy who did both of those.)

“And since marketers are often mandated to create both external and internal sales enablement content, their view of their own company and their own product is colored.”

Let’s look at two examples of biometric marketing internal bias…and how to overcome it.

Internal bias at Company A

Company A does not participate in the U.S. National Institute of Standards and Technology (NIST) Face Recognition Technology Evaluation (FRTE) for technical reasons.
As a result, the company’s marketing machine constantly discredits NIST FRTE, and the company culture is permeated with a “NIST is stupid” mentality.
All well and good…until it runs into that one prospect who asks, “Why are you scared to measure yourself against the competition? Does your algorithm suck that bad?”

Internal bias at Company B

Company B, on the other hand, participates in FRTE, FATE, FRIF (previously FpVTE), and every other NIST test imaginable.
This company’s marketing machine declares its superiority as a top tier biometric vendor, supported by outside independent evidence.
All well and good…until it runs into that one prospect who declares, “That’s just federal government test data. How will you perform in our benchmark using our real data and real computers?”

Internal bias at Bredemarket

Well, I have my admittedly biased solution to prevent companies from tumbling into groupthink, drinking of Kool-Aid, and market irrelevance.

Contract with an outside biometric product marketing expert. (I just happen to know one…me.)

I haven’t spent 30 years immersed in your insular culture. I’ve heard all the marketing-speak from different companies, and I’ve written the marketing-speak for nearly two dozen of them. I can ensure that your content resonates with your external customers and prospects, not only with your employees.

All well and good…until…

Reducing internal bias at Bredemarket

“But John, what about your own biases? IDEMIA, Motorola, Incode, and other employers paid you for 25 years! You probably have an established process that you use to prepare andouillette at home, based upon a recipe from 2019!”

I don’t…but point taken. So how do I minimize my own biases?

My breadth of experience lessens the biases from my past. Look at my market-speak from 1994 to 2023, in order:

We are Printrak, a nimble private company that will dominate AFIS with our client-server solution.
We are Printrak (stock symbol AFIS) a well-funded public company that will dominate AFIS, mugshot, computer aided dispatch, and microfiche.
We are Motorolans, and our multi-tier Digital Justice Solution has a superior architecture to that of Sagem Morpho and others.
We are MorphoTrak, bringing together the best technologies from MetaMorpho and Printrak BIS, plus superior French technology for secure credentials and road safety…unencumbered by the baggage that weighs down MorphoTrust.
We are IDEMIA North America, bringing together the best technologies from MorphoTrust and MorphoTrak for ABIS, driver’s licenses, and enrollment, coupled with the resources from the rest of IDEMIA, a combined unbreakable force.
We are Incode, not weighed down with the baggage of the old dinosaurs, and certainly not a participant in the surveillance market.

Add all the different messaging of Bredemarket’s clients, plus my continuous improvement (hello MOTO) of my capabilities, and I will ensure that my content, proposals, and analysis does not trap you in a dead end.

Reducing internal bias at your company

Are you ready to elevate your company with the outside perspective of a biometric product marketing expert?

Let’s talk (a free meeting). You explain, I ask questions, we agree on a plan, and then I act.

Schedule a meeting at https://bredemarket.com/mark/

Stop losing prospects! Use Bredemarket content for tech marketers

It’s a Deepfake…World

Remember the Church Lady’s saying, “Well how convenient“?

People weren’t laughing at Joel R. McConvey when he reminded us of a different saying:

“In Silicon Valley parlance, ‘create the problem, sell the solution.'”

Joel R. McConvey’s “tale of two platforms”

McConvey was referring to two different Sam Altman investments. One, OpenAI’s newly-released Sora 2, amounts to a deepfake “slop machine” that is flooding our online, um, world in fakery. This concerns many, including SAG-AFTRA president Sean Astin. He doesn’t want his union members to lose their jobs to the Tilly Norwoods out there.

The deepfake “sea of slop” was created by Google Gemini.

If only there were a way to tell the human content from the non-person entity (NPE) content. Another Sam Altman investment, World (formerly Worldcoin), just happens to provide a solution to humanness detection.

“What if we could reduce the efficacy of deepfakes? Proof of human technology provides a promising tool. By establishing cryptographic proof that you’re interacting with a real, unique human, this technology addresses the root of the problem. It doesn’t try to determine if content is fake; it ensures the source is real from the start.”

Google Gemini. Not an accurate depiction of the Orb, but it’s really cool.

All credit to McConvey for tying these differing Altman efforts together in his Biometric Update article.

World is not enough

But World’s solution is partial at best.

As I’ve said before, proof of humanness is only half the battle. Even if you’ve detected humanness, some humans are capable of their own slop, and to solve the human slop problem you need to prove WHICH human is responsible for something.

Which is something decidedly outside of World’s mission.

But is it part of YOUR company’s mission? Talk to Bredemarket about getting your anti-fraud message out there: https://bredemarket.com/mark/

Bredemarket Creates Content

Bredemarket creates content.

If you want me to create yours, talk to me. https://bredemarket.com/mark/

(Grok)

Deepfake Voices Have Been Around Since the 1980s

(Part of the biometric product marketing expert series)

Inland Empire locals know why THIS infamous song is stuck in my head today.

“Blame It On The Rain,” (not) sung by Milli Vanilli.

For those who don’t know the story, Rob Pilatus and Fab Morvan performed as the band Milli Vanilli and released an extremely successful album produced by Frank Farian. The title? “Girl You Know It’s True.”

But while we were listening to and watching Pilatus and Morvan sing, we were actually hearing the voices of Charles Shaw, John Davis, and Brad Howell. So technically this wasn’t a modern deepfake: rather than imitating the voice of a known person, Shaw et al were providing the voice of an unknown person. But the purpose was still deception.

Anyway, the ruse was revealed, Pilatus and Morvan were sacrificed, and things got worse.

“Pilatus, in particular, found it hard to cope, battling substance abuse and legal troubles. His tragic death in 1998 from a suspected overdose marked a sad epilogue to the Milli Vanilli saga.”

But there were certainly other examples of voice deepfakes in the 20th century…take Rich Little.

So deepfake voices aren’t a new problem. It’s just that they’re a lot easier to create today…which means that a lot of fraudsters can use them easily.

And if you are an identity/biometric marketing leader who needs Bredemarket’s help to market your anti-deepfake product, schedule a free meeting with me at https://bredemarket.com/mark/.