Breaking Out of the ‘Cheap’ Cycle:

When money is tight, you’re often shoehorned into buying the cheap version of the item. While this solves the problem in the short term, what you’re usually doing is just kicking the can down the road six months or a year or two years or whatever until that version you just bought wears out and then you’re back to where you started.

On the other hand, if you spent a lot and bought a reliable version up front, that cycle gets much, much longer. It becomes a matter of five years or 10 years or a lifetime before you have to even consider replacing the item, and it does the job well, too.

Yet, when you’re on a tight budget, that high-quality, reliable version of an everyday item is just out of reach, or else it just seems like a frivolous purchase, even though the total cost of ownership is lower over the time you’re using the product and it’ll save you time and headache dealing with a failing item and replacing it down the road.

I’ve been there, and it’s rough. You’re trying to keep your spending low, but when you do that, you end up buying cheap items that end up costing you more down the road. Sometimes, you’re basically forced into that situation.

I like to put it like this: Sometimes, people can’t afford the low cost of ownership items. That seems strange, but the issue is that items that have a low cost of ownership are often items with a big upfront cost, and people often can’t afford that upfront cost. An $18 pair of socks might last for years and years and years and it’s very likely that such a pair will end up costing you less than buying bags of cheap socks, but it’s $18 for a pair of socks. 

There is a road out, however. Here are several things you can do to help break out of the cycle of buying cheap versions of the items you rely on so that you can get reliable ones that won’t fail constantly.

(Via The Simple Dollar)

Read the whole article for the advice. And remember, no one cares what you spend on anything except your financial partner. Don’t argue yourself out of a sound financial decision because of what you think “they” will think, whoever “they” are.

Rules for Online Sanity:

Loving these rules for Online Sanity put together by Kai Brach. If you’re not subscribing to his newsletter Dense Discovery, you’re missing out. Super thoughtful and full of delight. Here’s the newsletter I found this gem in.

(Via swissmiss)

Other than #6, these apply to life and work and being. Drop the “online” reference from #2 and you have a decent set of communication precepts.

Minimal surface nirvana:

Every time Apple introduces a new model of iPad, that old, nasty, stupid, pointless debate rears its ugly head. I’m referring of course to the Can this iPad replace a traditional computer? debate. Also known as Can the iPad become your primary, or even sole computer? Also known as Can the iPad be used for Serious Work?

The constant in this debate is the attitude of the two main user groups involved, as each seems to hold this position: My way is the right way, and you’re a fool for thinking otherwise.

Now, my decades-old habits, my work-related needs, but also my personal preferences put me in the Mac OS / traditional computer group. The way I organise my workspace, the way I multitask, my need for lots of screen real estate, make Mac OS the ideal environment to work in. But I’ve been using iOS and iOS devices for a long time as well. I can appreciate that some people have managed to make them their primary platform and device. I know that Serious Work can be carried out on an iPad. It really, ultimately depends on what you do for a living.

The point that some iPad die-hard fans seem to miss is that it’s not a matter of people not wanting to adapt to an iOS-based workflow; it’s not a matter of people lacking mental agility to ditch their computers and switch to iPads for work. It’s that their work imposes different solutions, in the form of dedicated software, company-issued computers, multitasking requirements (e.g. ability to monitor more than three applications simultaneously on a bigger screen), etc.

(Via English – Riccardo Mori)

Amen! I grow weary of this ever intensifying debate around iPad versus Mac/PC.

My take: I need a toolbox with a variety of tools (or a golf bag full of clubs, if you prefer a sports metaphor) that I can use depending on the work and the context. I’m not going to arbitrarily limit myself.

Japanese Soup and Noodle Dishes to Rival a Bowl of Ramen | Japan Cheapo:

Ramen, like sushi, is a Japanese food that needs no explanation. Typically enjoyed by locals as an easy dish on the go, the old bowl of soup n’ noodles is making quite a resurgence with trendier food-obsessed tourists. Sure, we all know that Ichiran restaurants are great because you don’t have to look at anyone while you’re making a soup splashing mess. And, yes, popular Afuri is worth lining up in the rain for at least once—but if you’re only about the ramen, you’re missing the many more incredible Japanese soup + noodle combos that the country has to offer. Here are just some of the best.

(Via Japan Cheapo)

I will sample more of the other options this weekend. There’s the Nabe Festival at Hibiya Park and the Soba & Sake Festival at Yoyogi Park.

Yum!

Influence – overestimating effects of what we say:

In our attempts to influence others, we often overestimate the effects of what we’re going to say and underestimate the effect of consistent thoughtful action.

(Via A Learning a Day)

What Happened to Cyber 9/11?:

A recent article in the Atlantic asks why we haven’t seen a “cyber 9/11” in the past fifteen or so years. (I, too, remember the increasingly frantic and fearful warnings of a “cyber Pearl Harbor,” “cyber Katrina” — when that was a thing — or “cyber 9/11.” I made fun of those warnings back then.) The author’s answer:

Three main barriers are likely preventing this. For one, cyberattacks can lack the kind of drama and immediate physical carnage that terrorists seek. Identifying the specific perpetrator of a cyberattack can also be difficult, meaning terrorists might have trouble reaping the propaganda benefits of clear attribution. Finally, and most simply, it’s possible that they just can’t pull it off.

Commenting on the article, Rob Graham adds:

I think there are lots of warnings from so-called “experts” who aren’t qualified to make such warnings, and that the press errs on the side of giving such warnings credibility instead of challenging them.

I think mostly the reason why cyberterrorism doesn’t happen is that what motivates violent people is different from what motivates technical people, pulling apart the groups who would want to commit cyberterrorism from those who can.

These are all good reasons, but I think both authors missed the most important one: there simply aren’t a lot of terrorists out there. Let’s ask the question more generally: why hasn’t there been another 9/11 since 2001? I also remember dire predictions that large-scale terrorism was the new normal, and that we would see 9/11-scale attacks regularly. But since then, nothing. We could credit the fantastic counterterrorism work of the US and other countries, but a more reasonable explanation is that there are very few terrorists and even fewer organized ones. Our fear of terrorism is far greater than the actual risk.

This isn’t to say that cyberterrorism can never happen. Of course it will, sooner or later. But I don’t foresee it becoming a preferred terrorism method anytime soon. Graham again:

In the end, if your goal is to cause major power blackouts, your best bet is to bomb power lines and distribution centers, rather than hack them.


(Via Schneier on Security)

The SEC and Cybersecurity Regulation:

American companies are getting hacked, and the Securities and Exchange Commission wants corporate executives to do something about it. According to a White House Council of Economic Advisers report released earlier this year, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The report acknowledged a widely recognized root of the problem: “[C]yberattacks and cyber theft impose externalities that may lead to rational underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

But despite outrage and hearings in Congress after major breaches, like the Equifax hack disclosed last year, Congress has not passed new legislation. There is no current central federal mandate that offers protections for personal data. Instead, as a legal treatise puts it, the U.S. “has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another.” It’s in that context that the Securities and Exchange Commission (SEC) has, under its authority to enforce the federal securities laws, steadily increased its regulation of cybersecurity-related matters. A top SEC official said last year that: “The greatest threat to our markets right now is the cyber threat.” And SEC Chairman Jay Clayton told the Senate Banking Committee that in regard to cyber attacks, companies “should be disclosing more” and that there should be “better disclosure about their risk portfolios and sooner disclosures about intrusions.” In another statement, Clayton announced:

The Commission is focused on identifying and managing cybersecurity risks and ensuring that market participants––including issuers, intermediaries, investors and government authorities––are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.

The SEC’s jurisdiction covers a considerable range of cyber-related issues. This post tracks the commission’s strategy for incentivizing investment in cybersecurity defenses by mandating disclosure and imposing liability on the victims of data breaches. Recent SEC activity suggests that this is a direction the agency is headed in, particularly with little sign of cybercrime slowing anytime soon.

The SEC’s Cybersecurity Foray

In 2011, at the urging of Sen. Jay Rockefeller, then the chairman of the Senate Commerce Committee, the SEC’s Division of Corporation Finance issued guidance on companies’ disclosure obligations relating to cybersecurity risks and cyber incidents. The document established that: 

The [Securities Act of 1933 and Securities Exchange Act of 1934], in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures …

The SEC then went on to identify several specific areas that require disclosure of cyber-related information, including investment “risk factors,” the business’ description of itself, disclosure controls and procedures, among others. The SEC later affirmed the importance of these guidelines in a 2014 roundtable event convened shortly after the release of the NIST Cybersecurity Framework. At that event, SEC chairwoman Mary Jo White stated: “The SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.” Following the roundtable, the SEC’s cybersecurity oversight principally consisted of issuing further guidance documents, risk alerts, and, in some cases, directing companies to disclose information on specific cyberattacks in comment letters.  

Liability for Victims of Breaches

In October 2015, the agency brought its first action against a corporation that suffered a data breach. Under Regulation S-P, which requires financial firms to adopt written policies and procedures that are “reasonably designed” to protect customer records and information, the SEC found that a St. Louis investment firm had failed to establish cybersecurity policies and procedures in advance of a data breach that compromised the information of approximately 100,000 people. The firm ultimately settled with the SEC for $75,000. In announcing the settlement, an SEC official noted: “[I]t is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.”

In 2016, the SEC again brought an action under Regulation S-P. After a former Morgan Stanley employee downloaded data related to 730,000 accounts to his own personal server, which was then likely hacked by a third-party, the bank agreed to a $1 million penalty. (The employee, Galen Marsh, also pleaded guilty to illegally accessing confidential client information.) In particular, the SEC order noted that Morgan Stanley’s policy and procedures failed to include “reasonably designed and operating authorization modules … that restricted employee access to only the confidential customer data as to which such employees had a legitimate business need; auditing and/or testing … and monitoring and analysis of employee access.”

The Creation of the Cyber Unit and the Commission’s 2018 Guidance

In September 2017, SEC Chairman Jay Clayton issued what a Washington Post report described as “an unusual eight-page statement on cybersecurity.” In that statement, Clayton revealed that hackers had breached an SEC network that stored documents filed by publicly traded companies, potentially giving the intruders access to nonpublic information. In that same statement, Clayton laid out a broader strategy for policing public companies’ cybersecurity strategies. He said:

[T]he Commission incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission’s review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisers and investment companies. 

Then, a few days later, the SEC announced the creation of a Cyber Unit within its Enforcement Division; the new unit would be tasked with “targeting cyber-related misconduct.” Outlining the Cyber Unit’s priorities in a speech, an SEC official explicitly pointed to “requir[ing] registered entities to have reasonable safeguards in place to address cybersecurity threats” and “cases where there may be a cyber-related disclosure failure by a public company,” among others.

Next, in February 2018, the commission voted unanimously to approve a “statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The SEC described the new document as “reinforcing and expanding upon the staff’s 2011 guidance.” One area where the commission affirmatively noted that it had gone further than the staff guidance was in articulating “the importance of cybersecurity policies and procedures.”

The first part of the document tracks the specific disclosure obligations first announced in the 2011 guidance. In a company’s periodic reporting, the document said, disclosure of cyber risks and incidents is generally necessary for a company’s: business and operations, risk factors, legal proceedings, management discussion and analysis of financial condition and results of operations, financial statements, disclosure controls and procedures, and corporate governance. Exemplifying its effort to compel companies to more rigorously consider cyber risks, the commission added a disclosure requirement for “the nature of the board’s role in overseeing the management of [cybersecurity] risk.”

After that, in a section titled, “Policies and Procedures,” the SEC recommended that: “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder.” The SEC then went on to cite specific regulations requiring companies to have certain policies in place to identify and evaluate risk. Commenting on the implications of the document, a Mayer Brown post noted, “[t]he guidance encompasses more than disclosure.”

Notably, the commission’s two Democratic-recommended members were critical of the guidance for not going far enough. Commissioner Kara Stein questioned the efficacy of “re-issuing staff guidance solely to lend it a Commission imprimatur.” She called for measures beyond disclosure, including seeking notice and comment for a slate of new rules that would require companies to take proactive security measures. (Stein, whose term ends on Dec. 31, also advocated for more robust cybersecurity regulation by the SEC in a recent speech at Georgia State University College of Law.) Commissioner Robert Jackson Jr.’s statement cited analysis from the recent White House Council of Economic Advisers report that suggested that the 2011 guidance had not resulted in meaningful disclosure. (A New York Times article in March of this year reported that in 2017, only 24 companies reported breaches to the SEC, while researchers found that there were more than 4,000 cyber-attacks during that period.)

Recent Actions Imposing Liability on Victims

Since the creation of the Cyber Unit, the SEC has brought two enforcement actions against victims of breaches. The agency also recently issued a substantial report suggesting future enforcement against victims of breaches that are not in compliance with certain safeguards. 

In April 2018, the SEC announced its first-ever enforcement action against a company for failing to disclose a breach. In 2014, Russian hackers stole the personal information for more than 500 million accounts from the company formerly known as Yahoo. But Yahoo did not disclose the breach until two years later, when it was in the process of closing the sale of its operating business to Verizon. Meanwhile, Yahoo made no mention of the breach in its SEC filings. The commission found that Yahoo’s statements violated both statutes and regulations requiring the accurate disclosure of “material” information. Yahoo ultimately agreed to a $35 million fine.

In September, the SEC brought another first-of-its-kind enforcement action. This time, the agency found a financial firm in violation of a rule it had never enforced before, which requires investment firms to maintain an up-to-date program for preventing identity theft. The order outlined a phishing scheme in which attackers impersonated the firm’s contractors over a six-day period in 2016 and convinced employees on the firm’s support line to reset certain passwords. The hackers then used the new passwords to gain access to the personal information of 5,600 customers. Even though the firm did have some protections in place, the SEC found them inadequate, in part because in two instances the malevolent actors called from phone numbers the firm had previously associated with fraudulent activity. The SEC ultimately found the firm’s conduct so egregious that it deemed the violation “willful.” The firm agreed to pay a $1 million settlement.

And, most recently, on Oct. 16, the SEC made headlines with an investigative report “cautioning that public companies should consider cyber threats when implementing internal accounting controls.” The report analyzed nine public companies that fell victim to cyber fraud, wiring a total of $100 million to hackers impersonating either executives (often the CEO) or third-party vendors. One firm made 14 payments amounting to over $45 million in losses before the scheme was uncovered by an alert from a foreign bank. While the commission declined to bring actions against the investigated firms, the report suggested that internal accounting controls required by federal securities laws “may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.” As a memo from Davis Polk observed, “[t]he report thus effectively serves as notice that in the future, a company experiencing a cyber event could later find itself in the SEC’s crosshairs.”

***

Jack Goldsmith and Stuart Russell note in a recent Hoover essay that there has long been skepticism of the regulation of digital networks in the United States. Indeed, many attribute this lack of regulation to the U.S. technology sector’s extraordinary record of innovation. But as a greater volume of sensitive information is stored online and, in turn, stolen, the pendulum may be shifting in the other direction. Especially in the absence of new legislation from Congress, the SEC seems determined to put cybersecurity on the agenda of the nation’s corporate boardrooms.

(Via Lawfare – Hard National Security Choices)

The key to workplace productivity is not an app:

You could waste a lot of time looking for the right productivity app.

There are over 19,000 productivity apps in the iTunes store, and endless recommendations of apps that promise to magically give hours back to your day. But here’s the thing: switching between apps all day long is actually the enemy of productivity.

Researchers have found that the average worker toggles between apps 10 times every hour. With each context switch, there’s another possibility of distraction. And after each distraction, it takes on average (pdf) 23 minutes and 15 seconds to truly get refocused on the task at hand.

So how might workers keep productivity software as a tool working for them, rather than the other way around? We spoke to three productivity app founders to find out.

“People talk about productivity like it’s all about numbers and lines of code, but real productivity is about the feeling you get when you close the laptop for the day,” says Moah. “I go home happy when I feel accomplished.”

(Via Quartz)

Why Apple Pay Suica is a success and Apple Maps is not:

Inbound Apple Pay Suica user experiences are endlessly fascinating and occasionally enlightening. This tweet video captures the usual ‘whoa, that’s fast’ first time reaction.

The responses are equally interesting with a few ‘so what? we have that in (London, Moscow, China, etc.)’ which is true but it’s not the same. Almost all of them are slower, don’t have e-money functions, don’t have nationwide coverage and are not hosted natively on pay platforms like Apple Pay or Google Pay. They rely on slow buggy EMV contactless credit card transactions on transit gates instead, in short they are not transit payment platforms.

Apple Pay Suica is clearly a great service and success that has not only changed contactless payments in Japan but changed Apple as well, with Apple incorporating global FeliCa and implementing A-12 Bionic powered Express Card with power reserve technology which matches the performance of dedicated Sony FeliCa Chips on the A-Series.

What makes Apple Pay Suica a success? It is a unique layering of hardware and software that tightly integrates into a single seamless experience. At the core is the basic Suica IC card format and the transit gate system technology created by JR East and Sony in the 1980s to solve a user experience problem with magnetic commuter pass cards. Successive layers were added over time: e-money, nationwide Transit IC card interoperability, and perhaps most important of all, Mobile Suica. The Super Suica additions will further enhance the fundamental technology in 2021.

Apple Pay support arrived in October 2016, global FeliCa was added in 2017. These were 2 layers from Apple that fit perfectly and extended the entire platform with a whole new ease of use service level. The result is a service where each layer builds on and enhances the whole. This is Steve Jobs 101: work from the user experience back to technology so that the total experience is greater than the sum of the parts.


The Apple Maps problem
Contrast this with Apple Maps. Justin O’Beirne recently published a detailed progress report of Apple’s ‘new’ (in America only) map. There was surprisingly little discussion on tech blog sites; Nick Heer was one of the few to share a few observations. O’Beirne and Heer both focus on data collection and prioritization as the core problem for Apple to fix if Apple is ever going to close the map gap with Google. I think that is a misconception that got Apple Maps in trouble in the first place.

I’ve never seen data collection as the biggest problem that Apple needs to fix. In Japan for example the data collection problem can be solved quickly by swapping out 3rd rate data suppliers with first tier JP suppliers like Zenrin who already field large data collection and verification teams. Google and Yahoo Maps Japan both use Zenrin and build on top of that solid foundation with their own data.

Integration and coordination have been, and continue to be the biggest problem. If Apple cannot do a good job integrating and coordinating different map service layers so that they build on each other, it will continue to be what it is now: a collection of loosely connected technology services that don’t work together very well and tend to pull each other down instead of up. A few examples:

  • Transit
    Apple has a very good Japanese transit data supplier, Jourdan, the same one Google uses. Unfortunately the good transit data gets wasted by the limited search and sort Apple Maps transit UI that is completely manual, doesn’t dynamically update travel times or arrival estimates, or even provide location-based alerts when you arrive. Those kinds of integrated transit notifications on Apple Watch alone would sell a lot more devices.
  • Siri
    Siri is one of the most important service layers for integrating navigation, transit and indoor maps. Unfortunately Siri is poorly connected where it should be hooked into every nook and cranny. Japanese Siri can locate the nearest station, usually, but that’s it. Siri doesn’t do transit searches or suggestions.
  • Navigation
    Turn by turn has been offered in Japan for a few years but it is still basically useless without traffic information, which is still missing. Lane Guidance was only added just recently.
  • Data Duplication
    This happens all the time as Apple fails at coordinating and verifying data sets from different JP suppliers.

And so on. I included data duplication as it illustrates my basic point that no matter how good the basic data collection is, it’s worthless without a robust integration and coordination process. A smart team of human editors with deep local knowledge understands how services should connect, what works and how it should work. A truly great team also knows how to focus and do more, much more, with less. This is impossible to achieve with the current one-size-fits-all mentality.

Apple Maps Japan is a classic ‘the total is less than the sum of its parts’ product. To be sure there are some good parts, but in Japan they don’t add up. The different layers stay separate and never integrate into a seamless whole like Apple Pay Suica does. It’s great that Apple is making progress with its map reboot effort in America but the real test will be how well they integrate it all. Superior focus and integration is the only way Apple can close its map gap with Google.

(Via Ata Distance)

(Emacs+Org-Mode) Choosing The Best Writing And Publishing Software – Wisdom and Wonder:

Here is my take on it, and it is as brief as I can make it. It took years and years of effort and pain and help from others and more effort and pain to get to the point where my feedback can be this brief—and it is still too long. Please know that the volume includes the abundance of clarity that I’d already gained. Sorry for it being longer because I didn’t make enough time for it to be shorter.

(Via Wisdom and Wonder)

I have a LaTeX setup for my Emacs and org-mode but never have a need to use it.

If you have a need for this setup, give this a read. If you’ve tried and failed, check out the last section of the post.