A similar arrogance is happening in CEP-land, where, it seems, each and every financial services event processing application is now a “CEP application” just because someone in capital markets puts “CEP” in the same paragraph. I find it ridiculous that the same market of folks who have helped destroy the global economy are now the world’s self-proclaimed authorities on complex event processing. Amazing, if you really think about it, isn’t it?

I read many posts these days by folks in the capital markets trading world, claiming their message routing application is “CEP,” or their algo trading application is “CEP,” - feeds and speed, typical of what “turns on” the financial services folks. As an editorial note: I recall when I worked for a software company, folks on the same team who worked on Wall Street would look down on folks with many years of IT experience outside of financial services. Some would say “he is only a security guy” in their attempt to put down anyone who does not have trading floor IT experience on their resume. I found it all quite ridiculous and foolish.

My resume, for what it is worth, has a number of financial services companies, including either assessing, architecting or building large scale security systems for S.W.I.F.T, Chase or SBC. This experience does not seem to “count” with the trading floor folks, since security is more about getting things right, not just supporting a form of gaming or gambling with other peoples money, with more feeds and speeds the better.

Of late, as I have watched the CEP/EP space evolve, and unfortunately, I see a similar type of “capital markets virus” spreading into CEP-land. Folks on the trading side of financial services seem to think that whatever they say or do is right, and whatever others outside of the trading side do is wrong. These folks are quick to ridicule others who have far more experience than they do, outside of the trading floor of capital markets.

After all, mostly what they do on the trading side is route orders - and if a little old lady in a small town in Iowa loses her life savings because of a bad investment decision, it means little to the folks on the trading floor, the market folks are into feeds and speed - just keep the beast alive. Place your bet on this market or that one! Away we go, faster and faster!!!!

I am sometimes a little sad to observe the same audacity in the CEP world. Instead of focusing on the hard complex problems that require accuracy, the original set of problems defined when the phrase “complex event processing” was minted, the capital market folks have hijacked the term for their marketing purposes in algo trading and order managment systems. These same people ridicule others who are working to solve the (originally stated) complex event processing problems, problems the capital market traders seemingly cannot understand, since they have never worked on complex network or security management problems.

Nevermind, that these “ultra low latency” systems cannot accurately detect a complex money laundering scheme or an elaborate fraud. Nevermind that these “CEP engines” cannot accuracy insure that Average Joe does not lose his hard earned money in a fraud scheme.

I have no problem with folks in capital markets using the term CEP, but they should not ridicule those in technical areas that are not focused on keeping the “trading beast” alive so people can lose their life savings in a blink of an eye; but instead focused on solving complex problems such as the class of problems called out when the three letter acronym “CEP” was created.

"consumers hate tokens."

"Everyone wants to be the single federation platform for everyone else."

"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."

"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."

"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."

"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think its Norway"

I said "well who plows the roads?"

"well Norway does, but he have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the us, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?

In a general way, does the atm system actually work in some reasonable sense? To which the answer is by the way: yes. The atm system damn well works. With extremely high reliability and accuracy. It surprises me. Its quite a bit different than voting machines.

I went to the salon today to ‘get my nails did’ and was greeted with quite a ruckus. The entire staff is Vietnamese- no big surprise there- but the owners and most employees speak English extremely well and so everyone is always chit-chatting throughout the salon.

The wife side of the husband-wife team was especially giddy as she shared a little gem of a story with me today… and I didn’t feel I’d be doing you justice to keep it to myself. 

They (the salon staff) all live in one of the larger cities here in NC. One of their friends (a middle-aged guy) was out shopping Monday and was sitting in his car in a parking lot during a coming- or going- to a store. A young girl (mid-20’s) came up to his car and motioned to ask for use of his cell phone.

Now, at this point in the story, I could have told you the rest…

He opened the window a bit and the young lady asked to borrow his phone for a moment to call a family member. Turns out she had some car troubles and needed a ride. Being the nice gentleman that he is, he lent her the phone and she took a couple of steps away to make the call. Only… she didn’t stop. Evidently she got about 4 cars down the row before our chivalrous guy got out of the car and gave chase.

When he got in reach, she pushed him down to the ground and - yep - ran back to his car, phone still in hand… and drove away.

He now has no car and no phone. So, ironically enough, he then had to approach a stranger and politely ask for the use of their cell to phone home and let the group know he was bamboozled. A few tears were shed, but his wife assured him it would be fine and he shouldn’t be scared. (No, I’m not making that up).

I was giggling right along with her (and the guy’s wife, who happened to be there).

Moments later I thought to myself, “I hope that doesn’t happen to me!” Almost in the same instant I realized… it probably wouldn’t. I’ve been a bit of a paranoid freak since I was little, thanks probably in most part to having two ex-military intelligence parents. For all my life I’ve been raised with ‘the security mindset’ as Schneier refers to it.

Always suspicious… always calculating… always aware… and certainly never underestimating a situation.

And so then I had to muse… WHAT WAS HE THINKING leaving the car running and unlocked to go after the siren with the cell? For the sake of politeness, I kept my question to my ‘inside voice’, but I do have to wonder why you’d sacrifice the security of a vehicle for a $50 cell phone.

The moral of the story…  There are two. 1) Involve someone with a ‘security mindset’ and 2) Your security is only as strong as your people. A sweet damsel in distress… social engineering at it’s finest…

# # #

“Uh hi honey, sorry to wake you. Could you login to my email for me?”

Ah, the fun begins I thought.

“OK, my user name is [REDACTED] and my password is [REDACTED]”

Sigh, some folks just don’t get it. But, it gets better.

“No sweetie, that’s for my Gmail account”

Score.

At this point I glance around the train to see that I wasn’t the only person that found this fella’s call amusing. There were smirks to be seen. Then this takes a darker turn, for him at least.

“Now, sweetie I’ll need you to order a wireless router from [REDACTED] and my credit card number is 5, 5…

He proceeded to read out the entire number with expiry date and CVN. I was a little worried for the guy at this point. But, I guess Darwin was right. Then I heard a woman’s voice utter, “jackass”. I glanced up to see a little old lady shaking her head as she looked at the loud talker in disgust. A smile crept across my face.

A couple of weeks ago I was offered a free year membership in the Clear airport security program for registered travelers.  Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough in airports that do like Denver and Regan that I thought for free, what do I have to lose.  I filled out the forms on line and last time I was in Regan airport I handed it in along with fingerprints, Iris scans, passport, etc.  This past week my Clear card came in the mail and I have been looking forward to using it.

I thought that with my background check and all, they knew that I was a low risk for terrorist or other type of activity and therefore would not be subject to the same scrutiny and testing that we all endure when we have to fly.  Turns out that I don't think that is exactly the case.  However what it does do is allow you to go right to the front of the line in security, much to the dismay of others waiting on those lines.

The experience was great.  I went to a special entrance for Clear members where I was met by a very helpful young lady.  She escorted me to a Clear machine where we inserted my card and did a fingerprint scan.  After that was done she escorted me to another young lady who walked me past all of the people waiting on line (and a long line it was).  At the head of the line, the Clear lady gave my boarding pass and ID to the TSA person.  The TSA person checked my id and pass, same as always and they passed me through.  Than my Clear escort brought me to a special metal detector line which had no one on it, just waiting for me.  Again skipping another line.  I put my computer and other metal objects in the same old grey bin, took off my shoes and went through the metal detector.  I thanked the Clear escort came out the other side, scooped up my stuff and proceeded to my gate.  The entire process took less than 3 minutes I bet!  That was great!  The looks on the faces of the people I bypassed on line also gave me a perverse pleasure as well, I will admit.

After finishing this though I sat down and thought about it.  What security did bypass?  They still checked my ID and boarding pass. I still went through the metal detector and took off my shoes.  In fact if anything security was added to my check in, as they now did a fingerprint match.  So fact is, with all of the background checks and everything, having the Clear program did not relieve me of any security obligations and tests. In fact it added to them.  What it did give me was a "first class" personal escort to the front of the line and than a first class que for the metal detectors.  Because I was willing to pay some money and have a background search, I got the first class treatment.

To me this is not a scalable solution.  As more Clear passengers come on board, having a dedicated person walking me through the security line is just not going to work.  Also, lets be clear (no pun intended), this is not about going through less security.  Why the background check and all?  This is about paying money and skipping the line, but still going through the same security procedures that everyone else goes through.  Just faster.  Hey, don't get me wrong.  I loved it!  But I was wrong to think this was about bypassing security, this is a "first class" traveler lane.  As long as you are "clear" with that, it is good by me!

A couple of weeks ago I was offered a free year membership in the Clear airport security program for registered travelers.  Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough in airports that do like Denver and Regan that I thought for free, what do I have to lose.  I filled out the forms on line and last time I was in Regan airport I handed it in along with fingerprints, Iris scans, passport, etc.  This past week my Clear card came in the mail and I have been looking forward to using it.

I thought that with my background check and all, they knew that I was a low risk for terrorist or other type of activity and therefore would not be subject to the same scrutiny and testing that we all endure when we have to fly.  Turns out that I don't think that is exactly the case.  However what it does do is allow you to go right to the front of the line in security, much to the dismay of others waiting on those lines.

The experience was great.  I went to a special entrance for Clear members where I was met by a very helpful young lady.  She escorted me to a Clear machine where we inserted my card and did a fingerprint scan.  After that was done she escorted me to another young lady who walked me past all of the people waiting on line (and a long line it was).  At the head of the line, the Clear lady gave my boarding pass and ID to the TSA person.  The TSA person checked my id and pass, same as always and they passed me through.  Than my Clear escort brought me to a special metal detector line which had no one on it, just waiting for me.  Again skipping another line.  I put my computer and other metal objects in the same old grey bin, took off my shoes and went through the metal detector.  I thanked the Clear escort came out the other side, scooped up my stuff and proceeded to my gate.  The entire process took less than 3 minutes I bet!  That was great!  The looks on the faces of the people I bypassed on line also gave me a perverse pleasure as well, I will admit.

After finishing this though I sat down and thought about it.  What security did bypass?  They still checked my ID and boarding pass. I still went through the metal detector and took off my shoes.  In fact if anything security was added to my check in, as they now did a fingerprint match.  So fact is, with all of the background checks and everything, having the Clear program did not relieve me of any security obligations and tests. In fact it added to them.  What it did give me was a "first class" personal escort to the front of the line and than a first class que for the metal detectors.  Because I was willing to pay some money and have a background search, I got the first class treatment.

To me this is not a scalable solution.  As more Clear passengers come on board, having a dedicated person walking me through the security line is just not going to work.  Also, lets be clear (no pun intended), this is not about going through less security.  Why the background check and all?  This is about paying money and skipping the line, but still going through the same security procedures that everyone else goes through.  Just faster.  Hey, don't get me wrong.  I loved it!  But I was wrong to think this was about bypassing security, this is a "first class" traveler lane.  As long as you are "clear" with that, it is good by me!