Some bit of tough love on IP protection in Kenya. I have heard of companies requiring their IT depts or hired devs to develop unhackable apps. To say this is ludicrous is an understatement because tech nerdistry alone can't protect your company's IP #CyberSecurity
IMO, IP protection should be hinged on the following key pillars
~ sound legal advice/support
~ BYOD policy
~ data privacy/protection policy
~ skilled IT staff
~ sober C-suite
Companies ought to start by seeking proper legal advice. I understand there are lawyers that focus solely on intellectual property. A BYOD policy is equally important because companies tend to focus on outsiders misappropriating their IP when studies have shown employees pose an even greater threat. Corporate espionage ring a bell?
On #dataprivacy, companies must have clear guidelines on who can access what kind/type of data, where, when, and how. Kenya now has a #dataprotection legal framework and companies ought to make sure they align with it. This is in addition to compliance with GDPR etc.
Skilled staff is where most companies get it completely wrong. Some companies hire a few techies and expect them to do everything from creating and launching websites/apps to warding off cybercriminals. This is wrong on so many levels.
For starters, most web developers focus on either front-end or back-end ops. You have no idea how many frameworks and libraries devs have to deal with. Adding cybersecurity onto their plate is a big ask and a recipe for disaster. My advice, add skilled pentesters to your IT team
If a company wants to develop and publish a secure mobile app, it should have a skilled reverse engineer on its dev team. Here's why - example based on Android OS. An Android app is just a zip file, which means unzipping it and accessing its contents is very easy.
To access the source code in .dex files all you need is a java decompiler and voila you have become a hacker. Now, an Android app could have code written in C/C++ and compiled to an ELF binary. These binaries are usually placed in a folder called "libs".
This is very important in IP protection because reverse engineering ELF binaries is not easy especially when the file is heavily obfuscated. Plus there are programming techniques a skilled dev can deploy to thwart rev eng. The skill set required to crack such a file is rare.
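To make the point above concrete, here is an added example (not part of the original thread) that treats an APK as the zip archive it is and sorts its entries by how exposed their logic is: Dalvik bytecode in .dex files versus native ELF libraries. The "APK" is constructed in memory with dummy entries that only carry the right magic bytes, and native libraries are placed under lib/<abi>/ as in the standard APK layout; no real app is read.

```python
import io
import zipfile

# Magic bytes that identify the two kinds of code an APK can carry.
DEX_MAGIC = b"dex\n"    # Dalvik bytecode: readily decompiled back to Java-like source
ELF_MAGIC = b"\x7fELF"  # native C/C++ compiled to ELF: considerably harder to reverse


def build_sample_apk() -> bytes:
    """Construct a stand-in APK in memory (an APK is just a zip archive).
    Every entry is a constructed dummy; only the magic bytes are meaningful."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 32)
        z.writestr("classes2.dex", DEX_MAGIC + b"039\0" + b"\0" * 32)
        # Byte 4 of an ELF header is EI_CLASS: 1 = 32-bit, 2 = 64-bit.
        z.writestr("lib/arm64-v8a/libnative.so", ELF_MAGIC + b"\x02" + b"\0" * 32)
        z.writestr("lib/armeabi-v7a/libnative.so", ELF_MAGIC + b"\x01" + b"\0" * 32)
        z.writestr("assets/config.json", b'{"endpoint": "constructed"}')
    return buf.getvalue()


def inventory(apk_bytes: bytes) -> dict:
    """Classify each zip entry: 'dex' (decompilable bytecode), 'native'
    (ELF binary as (path, abi, bitness)), or 'other' (resources, manifest)."""
    report = {"dex": [], "native": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            head = z.read(info.filename)[:8]
            if head.startswith(DEX_MAGIC):
                report["dex"].append(info.filename)
            elif head.startswith(ELF_MAGIC):
                parts = info.filename.split("/")
                abi = parts[1] if len(parts) == 3 and parts[0] == "lib" else "unknown"
                bits = {1: 32, 2: 64}.get(head[4] if len(head) > 4 else 0, 0)
                report["native"].append((info.filename, abi, bits))
            else:
                report["other"].append(info.filename)
    return report


if __name__ == "__main__":
    rep = inventory(build_sample_apk())
    print(f"{len(rep['dex'])} dex file(s) exposed to decompilation: {rep['dex']}")
    for path, abi, bits in rep["native"]:
        print(f"native {bits}-bit ELF for {abi}: {path}")
```

Running the inventory against a release build before publishing shows at a glance which business logic still lives in .dex (and so is one decompiler away from readable source) and which has been moved into native code.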
But here's the problem, I'm yet to see a Kenyan company advertising for a software reverse engineer. To wrap up my rant, all the above will be in vain if a company does not have a sober C-suite. We all know what could go wrong at that level.
Whether Kenyan companies like it or not, the IT dept or contracted developers cannot wave a magic wand and conjure IP protection solutions out of thin air.
On Facebook's data privacy. I have never installed Facebook or Instagram on my Android test phone, yet Zuckerberg and co won't leave me alone. How do I know? Because I proxied web traffic through a MITM tool and caught FB sending data about my phone to its data centers. Here's how:
Facebook leverages its SDK installed across diverse apps to create and maintain profiles of consumers even if they don't use any of its apps. In my case, the culprit is an English Premier League app. Data sent to Facebook data centers includes phone orientation in 3D space - x, y, z.
Battery stats, rooted/non-rooted, GDPR applicability - no in my case, my location, app with FB SDK, time, phone model, consent status - of course this rides on consent granted to the app with the FB SDK. Sneaky imho, among other data points. Where is all this data sent to,
The Nigerian central bank's move to bar its citizens from undertaking any cryptocurrency transaction is going to backfire spectacularly. Firstly, how are they going to enforce this regulatory action? Last time I checked, there were thousands of different cryptocurrencies.
How are they going to determine who owns a specific crypto? If countries with better technical know-how struggle to track crypto transactions, how is the Nigerian govt going to do it? Secondly, companies that handle crypto transactions fall under different regulatory frameworks,
good luck trying to access information from companies domiciled in countries such as Japan and Germany.