Here’s a new video that lets you know about Bredemarket: who I (John E. Bredehoft) am, what services Bredemarket provides, the process Bredemarket uses, and Bredemarket’s pricing.
Bredemarket: Services, Process, and Pricing.
But why…why did I create it?
Stealing from James Tuckerman
So I was reading my emails one day, and I saw how James Tuckerman created a video to introduce himself to prospects. This allowed Tuckerman, based in Australia, to introduce himself to prospects around the world without having to wake up in the middle of the night.
Now Bredemarket doesn’t do business outside the United States (with one exception), but I could certainly use an introduction video.
Wait…I already did that
Then I remembered that I already had several “talkies” from the time when I branded myself as a “CPA”—a content, proposal, analysis expert.
In early 1968, two boys found a dead body in New York’s East Village. There was no identification on the man, and no one in the neighborhood knew him. He was fingerprinted and buried in a mass grave, identified by the NYPD nearly two years later.
Potter’s Field monument, Hart Island. From Wikipedia. CC BY-SA 4.0.
In the 1960s, fingerprint identification of deceased persons—a laborious process in those days—often happened because the deceased had a criminal record.
His first arrest was in 1956, but he was not convicted of any crime until 1961.
“On May 1, 1961, he was arrested for attempting to cash a check that had been stolen from a liquor store the previous January, and at the same time was also charged with driving under the influence of drugs. He pled guilty to both charges and was sentenced to six months of treatment for drug addiction at the California Institute for Men at Chino.”
Driscoll reportedly cleaned up (his drug of choice was heroin), went east to New York City, and even achieved some fame.
“[H]e purportedly settled into Andy Warhol’s Greenwich Village art community known as “The Factory.” During this time, he also participated in an underground film entitled Dirt, directed by avant-garde filmmaker Piero Heliczer.”
But this was not Driscoll’s first film. He had been in a few films earlier in life.
And he provided the voice for the lead character in the later Disney movie Peter Pan.
Yes, Bobby Driscoll was a child star for Disney and other studios before appearing in Dirt.
But right after Driscoll’s voice became famous in Peter Pan, Disney declined to renew his contract. The reason? Acne…and the fact that he wasn’t a cute kid any more.
AI generated by Grok.
This led to his tailspin, which eventually led to his fingerprinting.
Do you want to skip the book and watch the movie version? Thanks to Google’s NotebookLM, you can.
I used the Federal Bureau of Investigation’s Electronic Biometric Transmission Specification (EBTS) for this exercise.
What should you NOT upload to NotebookLM?
But there are two things I need to say about the EBTS:
First, the EBTS is a public document and not a top secret document. You can download the EBTS yourself from the https://fbibiospecs.fbi.gov/ebts-1/approved-ebts-1 URL. For my test I used version 11.3 of the EBTS from earlier this year.
Second, the EBTS is a public domain document and is not copyrighted. This is something I need to emphasize. If you’re going to take a magazine article and make a movie out of it, the copyright holder may have something to say about that.
Both points are important. If you want to upload your employer’s confidential report into NotebookLM for analysis…well, you probably shouldn’t. But the public, non-copyrighted EBTS is safe for this exercise.
Uploading the EBTS to NotebookLM
So I uploaded the EBTS into NotebookLM, and as expected, I received a short text summary of the document.
“This document outlines the technical specifications for the electronic exchange of biometric and biographic information between various law enforcement agencies and the FBI’s Criminal Justice Information Services (CJIS) Next Generation Identification (NGI) System. It details the Transaction Offense Types (TOTs), which are the standardized requests and responses used for services such as identification, verification, investigation, and data management. Furthermore, the text specifies the precise data fields, formats, and codes required for the submission and retrieval of diverse biometric data, including fingerprints, palm prints, facial images, and iris scans, while also setting forth image quality specifications for scanner and printer certification.”
Now I could continue to query NotebookLM about the document, but I chose to request a video overview instead. This feature was introduced a few months ago, but I missed it.
“Video Overviews transform the sources in your notebook into a video of AI-narrated slides, pulling images, diagrams, quotes, and numbers from your documents. They distill complex information into clear, digestible content, providing a comprehensive and engaging visual deep dive of your material.”
So I launched the video overview creation feature, and waited. As I waited, I mused upon the time it would take me to create this video manually, and I also mused on the usual LLM warning that the result may contain inaccuracies.
I didn’t have to wait that long, maybe 15 minutes, and Google delivered this 7-minute video.
Inside the FBI’s EBTS. Created by Google NotebookLM based upon EBTS Version 11.3.
Not too bad…especially considering that the video was created based upon a single source. Imagine if I had provided multiple sources, such as an old version of the Electronic Fingerprint Transmission Specification (EFTS); then the video may have covered the evolution of the standard.
Unpacking the EBTS standard. Created by Google NotebookLM based upon EBTS Version 11.3.
In an environment where many people like to watch or listen rather than read, this helps provide a quick overview. But you still have to dive into the document and read it to truly understand it.
Let’s take a step back from Module-Lattice-Based Digital Signature Standards (NIST FIPS 204) and see what quantum-infused fraudsters can do to bypass your security protections. Your “practically unbreakable” security system today may be wide open in 10 years…or 5 years.
Shor’s Algorithm
To understand how fraud can occur, you need to understand (Peter) Shor’s Factoring Algorithm.
According to Classiq, Shor’s Factoring Algorithm can find the prime factors of any number, including very large numbers.
“Factoring numbers with Shor’s algorithm begins with selecting a random integer smaller than the number to be factored. The classically-calculated greatest common divisor (GCD) of these two numbers, the random number and the target number, is then used to determine whether the target number has already been factored accidentally. For smaller numbers, that’s a possibility. For larger numbers, a supercomputer could be needed. And for numbers that are believed to be cryptographically secure, a quantum computer will be needed.”
So what? I appreciate that people like the late Richard Crandall were into finding prime numbers with 20th century technology, but how does that relate to whether a fraudster can drain my bank account?
Breaking RSA encryption
It definitely relates, according to the MIT Technology Review. This article was written back in 2019.
“[C]omputer scientists consider it practically impossible for a classical computer to factor numbers that are longer than 2048 bits, which is the basis of the most commonly used form of RSA encryption.
“Shor showed that a sufficiently powerful quantum computer could do this with ease, a result that sent shock waves through the security industry.
“And since then, quantum computers have been increasing in power. In 2012, physicists used a four-qubit quantum computer to factor 143. Then in 2014 they used a similar device to factor 56,153.”
The largest recent record number that I found was 261,980,999,226,229, as described in this paper. It should be noted that many of these numbers were factored by a variety of methods: using a pure Shor’s Factoring Algorithm, the maximum number factored so far is 21.
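The steps Classiq describes for Shor's algorithm (pick a random integer, check the GCD, then find the period) can be run on the small numbers mentioned above. This is an added example, not code from the original post or from Classiq; the function names `find_order` and `shor_classical` are hypothetical. It goes one step beyond the quoted text by also turning the period into factors, and it replaces the quantum period-finding step with a classical loop, which is the part that becomes infeasible at RSA key sizes.

```python
import math
import random

def find_order(a, n):
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).
    This is the step a quantum computer would do efficiently; the
    classical loop below takes time that grows with n itself."""
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r

def shor_classical(n, rng=None, max_tries=50):
    """Return a non-trivial factor pair (p, q) of an odd composite n."""
    rng = rng or random.Random(0)   # fixed seed: constructed, repeatable demo
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)  # random integer smaller than n
        g = math.gcd(a, n)
        if g > 1:                    # the "factored accidentally" case
            return tuple(sorted((g, n // g)))
        r = find_order(a, n)
        if r % 2 == 1:
            continue                 # odd period is unusable, pick another a
        x = pow(a, r // 2, n)
        if x == n - 1:
            continue                 # a^(r/2) = -1 mod n is unusable too
        # Now x*x = 1 mod n with x != 1 and x != -1, so n divides
        # (x - 1)(x + 1) without dividing either factor.
        p = math.gcd(x - 1, n)
        if 1 < p < n:
            return tuple(sorted((p, n // p)))
    raise ValueError("no factor found; n may be prime")

if __name__ == "__main__":
    for n in (21, 143, 56153):       # numbers quoted in the text above
        print(n, "=", shor_classical(n))
```

The loop in `find_order` can run for up to roughly n steps, which is why this works for 56,153 but not for a 2048-bit modulus.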
What does this mean?
So what does this mean for 2048-bit encryption? 2048 bits is equivalent to hundreds of decimal digits. I’ve found different numbers of decimal digits, but for all practical purposes I can’t calculate them anyway. Heck, I can’t calculate trillions in my head. And there’s RSA-4096 encryption, but…well, we’ll get to that.
But when quantum calculating abilities can crack algorithms, then it’s trivial to compute the number of combinations to crack an encryption…or guess a password…or generate a face.
“Brute force attacks function by calculating every possible combination of passwords. As the password’s strength increases, the amount of time to crack it increases exponentially. So, in theory, if hackers tried to brute force their way into a key with AES-128 encryption, it would take approximately 1 billion years to crack with the best hardware available today [2023].
“But what if we lived in a post-quantum computing world? How long would a brute-force attack on popular cypher technologies take?…[We’re] likely still a decade or two away from Quantum computers that can easily break many of the cypher technologies in use today….
“[I]n a recently published report from Global Risk Institute (GRI), the time to break RSA-4096, which is practically impossible to break with classical computing technology, is under three days with a theoretical 1 megaqubit computer. While we are still a long way from a 1 megaqubit computer, the resources and time required are reducing rapidly at the same time we see advancements in Quantum computing which are in development.”
I have no idea how much lattice-based access control mitigates these threats, but if you go around saying that strong encryption will never be broken, you are a fool.
In this edition of The Repurposeful Life, I’m revisiting a prior post (“Is the Quantum Security Threat Solved Before It Arrives? Probably Not.”) and extracting just the part that deals with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 204.
Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”
The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:
“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”
ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”
Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.
“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”
You can see how this fits into an access control mechanism, whether you’re talking about a multi-tenant cloud (NordVPN’s example) or a smartcard (Thales’ example).
Because there are some things that Tom Sawyer can access, but Injun Joe must not access.
In reality, job applicant deepfake detection is (so far) unable to determine who the fraudster really is, but it can determine who the fraudster is NOT.
Something to remember when hiring people for sensitive positions. You don’t want to unknowingly hire a North Korean spy.
Another SoCal Tech Forum presentation on Saturday, this one on banking technology from Carey Ransom of BankTech Ventures.
FoundrSpace.
Only a small reference to financial identity, but excellent nonetheless. While I live-posted the event here on my personal LinkedIn account, I wanted to summarize my three main takeaways from Bredemarket’s perspective.
One: Differentiate
Yes, community banks need to differentiate. Perhaps back in the 1980s before the advent of national banks, community banks could offer a standard suite of services for their communities. But now they’re competing against national banks that do business in their prospects’ communities, and in their prospects’ phones. (We will get to phones in a minute.)
One example Ransom gave: why do community banks offer credit cards? Are their credit cards better than the credit cards from the Really Big (Banking) Bunch? Probably not.
But unlike the Capital Ones and Chimes of the world, community banks know their communities. And they know what local businesses need, and are ideally suited to deliver this. (We will get to services in two minutes.)
Yes, I know that Bank of America may have someone attending and sponsoring your local events, but that person is not Brian Moynihan. And if you don’t know who Moynihan is, your prospects don’t know him either.
But John, you may be saying to yourself, you can’t bank on a phone. How do you deposit checks? And how do you get cash?
Well, let’s look at this:
Bredemarket hasn’t received a check in over three years, but when one of my clients was paying me by check, I would use my phone to take a picture of it and deposit it.
And as for cash, this is needed less and less, especially since many merchants take Apple Pay and Google Pay.
In fact, bank branches are so irrelevant to today’s—and tomorrow’s—bank prospects and customers that Ransom referred to a $3 million bank branch as a really expensive billboard. Probably none of the people who are reading this post WANT to go into a bank branch.
And those that do? Here’s a little secret: if the average age of the people who bank at your bank is in their 70s, they will…um…not be long-term bank customers. The 18-year-olds who will bank for decades? They’re opening accounts on their phones. Can they use a phone to open an account at your bank? And why would they do so? (See the differentiation discussion above.)
Three: Supplement
One way a bank can differentiate is via the services they offer.
At the most basic level, a bank can make money by loaning the funds they receive from deposits.
But they can offer many more services to 21st century clients, thanks to legislation such as the Gramm-Leach-Bliley Act that allows financial holding companies to own financial or complementary firms.
And not just investments and wealth management.
Ransom provided an illustrative example: cybersecurity.
Banks need to have expertise in cybersecurity to stay alive, and to comply with Know Your Customer and other financial regulations.
So why not offer cybersecurity services to their customers?
This not only gives the banks another revenue stream, but also reduces the risk that their own customers will experience fraud from hacks.
Four: Market
I know I said there were three takeaways. I lied.
Ransom also noted that Capital One spends 20% on marketing, including everything from TV ads to cafes. Your typical community bank spends much less, maybe 1%.
How are your prospects going to know what differentiates your bank if they don’t have awareness of those differentiators?
Or perhaps you need proposal or analysis services.
Bredemarket, a provider of content, proposal, and analysis services to technology (and identity) firms, can work with you to create the words you need. Learn about my offerings and book a free meeting here.