Saturday, December 13, 2025

When Persistence Beats Protection: MFA Fatigue, Data Brokers, and Why Your Identity Was Already Stolen


I've been thinking a lot about exhaustion lately. Not the kind that comes from long hours or complex projects—the kind that attackers are deliberately weaponizing against us. And it's working.


The Attack That Exploits Human Nature


MFA fatigue attacks, also called push bombing, rest on a simple observation: the weakest part of any security system isn't the cryptography or the firewall. It's the person at 11 PM who just wants the notifications to stop.


Here's how it works: an attacker steals your credentials—probably through phishing, or from one of the countless breaches exposing nearly every American’s personal information over the past two years. They try to log in. Your phone buzzes with an MFA push notification. You decline it. Another notification. You decline again. Then another. And another. Midnight arrives. You're exhausted. The notifications keep coming.


Eventually, enough people approve the request just to make it stop. The psychology is simple but devastating. We've trained users to respond to prompts. We've built muscle memory around tapping "Approve." And attackers have learned to weaponize that conditioning. This leads me to a sidebar that matters more than it might seem.
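The pattern described above is easy to spot in authentication logs if anyone is looking for it. The Go program below is an added example written for this post, not code from any identity provider: it parses a few constructed push-MFA log lines (the line format and the user=/result= field names are assumptions), keeps a sliding window of denied or unanswered prompts per user, raises a medium alert when a burst crosses the threshold, and raises a high alert when an approval arrives while that burst is still open, which is exactly the moment the attacker wins.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one MFA push decision as an identity provider might log it.
// The line format and field names are assumptions for this example.
type AuthEvent struct {
	At     time.Time
	User   string
	Result string // "approved", "denied" or "timeout"
}

// Finding is one alert: "medium" means a push burst is under way,
// "high" means the user finally approved while that burst was open.
type Finding struct {
	User, Severity, Reason string
}

// parseLine reads "<RFC3339 time> user=<u> result=<r> ..." (extra fields are ignored).
func parseLine(line string) (AuthEvent, error) {
	f := strings.Fields(line)
	if len(f) < 3 || !strings.HasPrefix(f[1], "user=") || !strings.HasPrefix(f[2], "result=") {
		return AuthEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{At: at, User: f[1][5:], Result: f[2][7:]}, nil
}

// DetectPushFatigue flags a user who gets `burst` or more denied or unanswered
// prompts inside `window`, and escalates when an approval lands while that
// burst is still open: that is the moment the attacker wins.
func DetectPushFatigue(lines []string, window time.Duration, burst int) ([]Finding, error) {
	byUser := map[string][]AuthEvent{}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	var findings []Finding
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var open []AuthEvent // denied/unanswered prompts still inside the window
		for _, ev := range evs {
			cutoff := ev.At.Add(-window)
			for len(open) > 0 && open[0].At.Before(cutoff) {
				open = open[1:] // expire prompts that fell out of the window
			}
			if ev.Result == "approved" {
				if len(open) >= burst {
					findings = append(findings, Finding{u, "high", fmt.Sprintf(
						"approval at %s after %d denied/unanswered prompts within %s", ev.At.Format(time.RFC3339), len(open), window)})
				}
				continue
			}
			open = append(open, ev)
			if len(open) == burst { // report once, as the threshold is crossed
				findings = append(findings, Finding{u, "medium", fmt.Sprintf("%d denied/unanswered push prompts within %s", burst, window)})
			}
		}
	}
	return findings, nil
}

// sampleLog is constructed for this example; it is not a real capture.
var sampleLog = []string{
	"2025-12-12T09:30:00Z user=carol result=denied ip=192.0.2.44",
	"2025-12-12T09:31:10Z user=carol result=approved ip=192.0.2.44",
	"2025-12-12T23:02:11Z user=alice result=denied ip=203.0.113.7",
	"2025-12-12T23:03:40Z user=alice result=denied ip=203.0.113.7",
	"2025-12-12T23:04:55Z user=alice result=timeout ip=203.0.113.7",
	"2025-12-12T23:06:10Z user=alice result=denied ip=203.0.113.7",
	"2025-12-12T23:09:05Z user=alice result=denied ip=203.0.113.7",
	"2025-12-12T23:10:48Z user=alice result=approved ip=203.0.113.7",
}

func main() {
	findings, err := DetectPushFatigue(sampleLog, 10*time.Minute, 5)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.User, f.Reason)
	}
}
```

Carol's single mistaken denial followed by an approval produces nothing, while Alice's five prompts in seven minutes produce a medium alert and her eventual approval a high one. The high alert is the one to page on: it means the account should be treated as compromised until someone has talked to the user, and it is also the signal to rate-limit or block further pushes to that account.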


Kevin Mitnick passed away in July 2023 from cancer. For those who don't know, Mitnick was once the most wanted computer criminal in the US—a social engineering pioneer who served five years in federal prison. What's worth remembering isn't just his criminal past but his transformation into one of the most respected white-hat security consultants.



One of my book's reviewers and a close friend, Andrew Starvitz, met Kevin Mitnick. He had a metal lockpick set as a business card—perfectly fitting for someone who spent his career showing that most security is just theater if you understand human nature. Andrew Starvitz also met Frank Abagnale Jr. at a Novell NetWare event, which dates us quite a bit. Abagnale's story—immortalized in "Catch Me If You Can”—follows a similar arc: extraordinary criminal ability redirected toward protecting systems he once exploited. These transformations remind us that understanding the attacker’s mindset isn't just of academic interest. It's critical. The best defenders often think like the people trying to break in.

Speaking of transformations and justice, Ross Ulbricht—founder of the Silk Road marketplace—received a full and unconditional pardon from President Trump in January 2025 after serving more than a decade of his double life sentence, plus forty years. Whatever your views on the case, Ulbricht's release reflects ongoing national discussions about proportional sentencing in tech crimes.


The breach that affected everyone


But here's a development that should keep you awake at night: the National Public Data breach of 2024.

NPD was a data broker—a company that collects, combines, and sells your personal data without your permission and largely without your knowledge. A cybercriminal known as "USDoD" compromised their databases starting in late 2023, exposing about 2.9 billion records and affecting over 272 million people. Names. Addresses. Social Security numbers. Phone numbers. Emails.


The company didn't publicly confirm the breach until August 2024, months after the data was already circulating on the dark web. The owner of Jerico Pictures, Inc.—which does business as National Public Data—is Salvatore Verini, Jr., a former Florida law enforcement officer. He was trusted with hundreds of millions of Americans' most sensitive personal info, stored it on insecure systems, and faced no real criminal consequences when it was stolen and leaked.


Let me be clear: in the past two years, almost every American’s personal information has been compromised through no fault of their own. Our government has been painfully slow at protecting consumers. Data brokers operate with little regulation, peddling our data with no accountability and no real way to opt out. You can check if your data was exposed at npd.pentester.com. Spoiler: it probably was.


The way forward: Passkeys


So, what can you do? Passkeys are the biggest leap forward in authentication security in decades. A passkey replaces the password with a public-private key pair: the site stores the public key, and the private key stays in your device's authenticator, or in an end-to-end encrypted credential manager that syncs it between your devices. When you sign in, your phone or computer asks you to unlock it locally, with a fingerprint, your face, or the device PIN, and only then uses the private key to sign a one-time challenge from the site. The site never holds a secret it could leak, so there is no password to phish, stuff, or spray.


The security is impressive: a passkey is bound to the website it was created for, so the browser will not use it on a look-alike domain, and a sign-in collected by a phishing page fails verification even if the user was completely fooled. Credential reuse disappears because every site gets its own key pair. And it's more convenient, because unlocking the device is the whole login.

Major platforms now support passkeys. Google, Apple, Microsoft, and most big services have adopted them. Adoption is still early, but this is where authentication is headed. One caveat: an account that keeps a password or an SMS code as the fallback for its passkey is only as strong as that fallback, so check which weaker methods the site still accepts once the passkey is working.
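To see why a passkey cannot be phished, it helps to walk through the assertion ceremony. The Go program below is an added example written for this post, not code from Google, Apple, Microsoft, or any WebAuthn library, and it is a reduced model: no attestation, no CBOR, only the checks that give passkeys their phishing resistance. It models an authenticator holding a P-256 private key, a relying party (the site) that stores the public key and issues a single-use challenge, and the verification the site performs on the signed response. Names such as example.com, example.com.evil.test, Sign and Verify are placeholders chosen for the example. The important detail is that the browser, not the page, writes the origin into the signed client data, so an assertion collected on a look-alike domain fails even though the user did everything the attacker asked.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn's clientDataJSON that matters here.
// The browser fills in Origin itself; page script cannot change it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back: client data, authenticator data
// (rpIdHash (32) || flags (1) || signCount (4)) and an ES256 signature over
// AuthenticatorData || SHA-256(ClientDataJSON).
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// Authenticator models the passkey: a P-256 private key that never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

// NewAuthenticator is registration: a fresh key pair bound to rpID.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv, rpID: rpID}, err
}

// Sign answers a challenge for the origin the browser reports.
func (a *Authenticator) Sign(challenge, origin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x05, 0, 0, 0, 0) // flags: user present + user verified
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// signedDigest is the ES256 input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the site: its rpID, the one origin it accepts, the public
// key stored at registration and the last signature counter it saw.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
	LastCounter  uint32
}

// Verify runs the checks that make a passkey login phishing-resistant;
// expectedChallenge is the random single-use value the site issued for this login.
func (rp *RelyingParty) Verify(a Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	switch {
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: replay or wrong session")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: look-alike site", cd.Origin, rp.Origin)
	case len(a.AuthenticatorData) != 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch: credential belongs to another site")
	case !ecdsa.VerifyASN1(rp.Pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("bad signature")
	}
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:])
	if counter <= rp.LastCounter {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	rp.LastCounter = counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com", Pub: &auth.priv.PublicKey}
	ch := "constructed-challenge-1" // a real site draws this from crypto/rand for each login
	genuine, _ := auth.Sign(ch, "https://example.com")
	phished, _ := auth.Sign(ch, "https://example.com.evil.test") // the origin a browser reports on a fake site
	fmt.Println("genuine:", rp.Verify(genuine, ch), "| phished:", rp.Verify(phished, ch))
}
```

Four checks do the work: the challenge ties the signature to this login, the origin and rpIdHash tie it to this site, and the counter rejects a replayed or cloned assertion. None of them depend on the user noticing anything, which is the whole point. In production, use a maintained WebAuthn library rather than hand-rolling this; the example exists to make the checks visible.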


The conclusion


MFA fatigue attacks succeed because our security systems rely on human vigilance, and vigilance runs out. Data brokers have built an industry out of gathering and selling the information that enables these attacks, while laws lag far behind the threat. And breaches keep happening.


My recommended defense: turn on passkeys everywhere you can. Where passkeys aren't available, use number-matching MFA, which makes a blind tap on "Approve" useless because the user has to type the number shown on the login screen. Never approve an authentication request you didn't start; if you keep getting prompts, it's an attacker, not a glitch, so deny them and change the password they are using. If you run the identity provider, cap push prompts per user per hour and alert on bursts of denials. And assume your information is already compromised, because statistically it probably is. We're in an environment where identity theft isn't just a risk; it's a reality we have to navigate. The real question isn't whether your data is out there but how well you can limit the damage.

---------------

What's your experience with passkey adoption? Have you seen MFA fatigue attacks in your organization? Are the tools we're using keeping up with the threats?


Would love to hear your thoughts. Drop me a line at dr.samkm@protonmail.ch

Friday, November 28, 2025

The Architecture of Genius: How Elon Musk Built SpaceX on Failure (and Ignored 99% of the Experts)


After dissecting the Five-Strategy Framework in my last post (the one about scaling, remember?), I thought I was done with deep dives for the week. Then, during a mindless LinkedIn scroll—we all do it—this article about SpaceX’s collapse-to-conquest story absolutely snagged my attention. Full disclosure: I'm not here to fanboy over Elon Musk the person. But his sheer tenacity, that radical commitment to a First Principles engineering mindset, and the undeniable results of his leadership? Those are qualities I'm a permanent student of. So, let’s break down this alleged "GENIUS Framework" in my own words. I need to understand this architecture better, and maybe, just maybe, it’ll be the blueprint someone else needs today.


In 2008, SpaceX was a wreck. A financial black hole.


Three rockets. Three failures. $100 million gone. Elon Musk was down to his last $30 million, throwing it into the final launch.


The "experts" were unanimous: Cut costs. Play it safe. Pivot.


But Musk, ever the contrarian engineer, didn't just ignore 99% of the advice. He ignored the metric everyone else was tracking. He wasn't optimizing for profit margins, market share, or even successful launches.


He was obsessed with a single data point. The one that separates a pile of crumbling bricks from a towering skyscraper:


The Rate of Innovation.

That's it. How fast could his team iterate, learn, and improve compared to everyone else?

Musk treated engineering like a compounding asset. If SpaceX wasn't learning faster than NASA, they were, by definition, a dead company walking. This single-minded focus became the foundational architecture for the entire organization.


The Real Magic: Data from the Debris


This obsession created a culture where failure wasn't a funeral; it was precious data.


1. Flattened Hierarchy: Bureaucracy is a drag chute on speed. Musk killed the endless meetings and approval chains. The best idea—the one that moved the dial on the Rate of Innovation—won, no matter who proposed it.


2. Failure Analysis in Hours, Not Months: When a rocket failed, they didn't wait a year for a post-mortem report. They tore into the data in days, sometimes hours. While competitors were still fearing mistakes, SpaceX was celebrating the speed of their learning. By the time NASA figured out what went wrong on one test, SpaceX had already prototyped and tested three new solutions.


The ultimate takeaway? In this new culture, playing it safe was career suicide. The only true failure was not innovating. On September 28, 2008, the fourth Falcon 1 launch succeeded. It wasn't luck. It was the moment years of compressed learning finally paid off, laying the first solid brick in what would become a $350+ billion empire.


The GENIUS Framework: The Blueprint You Can Use

Musk’s strategy wasn't about being the smartest guy in the room (though he is). It was about constructing a system where learning and adaptation were the highest priorities.


Element / The Architectural Principle / How to Apply It

G: Grind Fast. Move fast. Launch fast. Learn fast. Perfection is the enemy of progress.
   How to apply it: Stop over-planning the perfect version 1.0. Get a Minimum Viable Product (MVP) out the door and iterate based on real feedback.

E: Eliminate Bureaucracy. Kill the approval chains and flatten the hierarchy.
   How to apply it: Empower the engineers and doers on the ground to make quick, informed decisions without waiting for layers of sign-off.

N: Normalize Failure. Mistakes are not shameful; they are high-value feedback.
   How to apply it: Measure learning speed, not just success rate. If you fail fast and learn faster than your competitor, you are winning.

I: Iterate Relentlessly. Use every single test, failure, or micro-feedback loop to immediately build version 2.0.
   How to apply it: Don't wait for quarterly reviews. Make iteration your continuous operating system.

U: Understand the Core Problem. Focus on first principles: "What is the fundamental problem we are solving?"
   How to apply it: Don't optimize a broken process. Deconstruct the problem down to its physics, and rebuild a better solution from the ground up.

S: Speed of Innovation > Size of Company. Small, fast-learning teams will always beat slow, lumbering giants.
   How to apply it: Measure team effectiveness by their output velocity and learning curve, not their headcount.


A truth about company collapse is often overlooked: companies rarely die because they run out of money overnight. They die because they stop learning. Elon Musk bet everything he had on the single, simple act of learning faster than anyone else on Earth.

Final Thoughts: What can we learn from Elon Musk’s strategy?


  • Don't chase perfection; chase speed of learning.
  • Flatten your process. Good ideas can come from anywhere.
  • Build a culture where failure is feedback.
  • Make iteration your superpower.
  • Measure progress by rate of innovation, not just revenue.


The truth?

And that, my friends, is how you build a universe-changing business.

Thoughts this morning from Southeast Asia!

Tuesday, November 25, 2025

Big 5 Strategy Framework

 

Why the Big 5 of Strategy Framework Will Change How We Talk About Leadership

I've spent years watching leadership teams struggle with a problem they couldn't quite name. The strategy was sound. The people were talented. But something wasn't clicking. Execution stalled. Alignment fractured. And no one could articulate why.

Then I came across the Big 5 of the Strategy Competency Framework, and it finally gave language to what I've been observing across technology governance, institutional transformation, and organizational leadership.

The Core Insight

The research behind this framework found that five universal strategy competencies define how individuals and teams create, shape, and execute strategy. These aren't personality types or work styles. They're observable patterns in how people approach strategic challenges.

The framework operates across three dimensions. First, there's the continuum between thinking and doing—from strategic analysis to strategic execution. Second, there's the tension between stabilizing and transforming—what must endure versus what must evolve. Third, there's adaptability—how quickly we sense, learn, and adjust when conditions change.

Anyone who's led a major technology implementation or institutional transformation recognizes these tensions immediately.

The Five Competencies

Grasp the Present. See reality as it is, not as you wish it to be. This is the competency that prevents the strategic planning document from becoming organizational fiction.

Shape the Future. Envision what's next and chart a bold course. Every institutional transformation starts here—but dies without the other four.

Move the System. Mobilize people and structures to drive change. Strategy documents don't transform organizations. People who can move systems do.

Deliver the Results. Turn plans into outcomes through focus and discipline. I've seen too many brilliant strategies fail because no one owned execution.

Adapt to Change. Stay resilient and responsive to disruption. In volatile environments, this competency often determines survival.

Why This Matters for Leadership Teams

Here's what strikes me most: this framework explains why some teams are cohesive and adaptive while others spin their wheels despite individual talent.

The Big 5 reveals complementary strategic strengths within a group. A team heavy on "Shape the Future" thinkers but light on "Deliver the Results" executors will struggle differently than one with the opposite imbalance. Neither configuration is wrong—but both create predictable dysfunction if you can't see it.

For those of us leading technology transformations, building governance frameworks, or navigating institutional change, this isn't abstract theory. It's a diagnostic tool.

The Strategic Application

I see immediate applications in executive retreats and team alignment sessions—anywhere leaders need shared language for understanding strategic capability. It's equally valuable in coaching relationships, where concrete competencies beat vague development goals every time.

The framework also offers something the strategy world has needed: a way to treat strategic capability as measurable and developable rather than innate talent you either have or don't.

This is more than a model. It's a new lens for understanding how people think and act strategically—and how we can do both better.


What patterns have you observed in high-performing versus struggling leadership teams? I'd be curious whether this framework maps to your experience.

Monday, November 17, 2025

The Future of Work Isn’t Coming—It’s Already Here

I recently came across an HBR IdeaCast interview with John Winsor and Jin Paik, authors of Open Talent: Leveraging the Global Workforce to Solve Your Biggest Challenges, and found myself nodding along to nearly every point they made. Not because the ideas were revolutionary—but because they perfectly articulated what I’ve been living for years.

Why Traditional Hiring Models Are Breaking Down
Winsor and Paik get straight to the heart of the matter: traditional hiring and talent development models are “too slow, rigid, and expensive” for today’s marketplace. This resonates deeply with my experience.
When you need a specialized cybersecurity expert for a three-month engagement, or a yacht designer who understands both luxury aesthetics and maritime engineering, or a content strategist who can translate complex theological concepts into digital learning experiences—the traditional “post a job, wait for applications, conduct rounds of interviews, extend an offer, wait for a start date” approach simply doesn’t work.



By the time you’ve filled the position, the opportunity has often passed. The market has moved. The project timeline is blown.

The Rise of the Micro-Entrepreneur

The interview touches on something I find particularly fascinating: digital technology hasn’t just changed how we find talent—it’s fundamentally transformed the nature of talent itself. We’re witnessing the rise of what they call “micro-entrepreneurs”: highly specialized professionals who have carved out global niches for themselves.
In my own network, I work with contractors who are simultaneously serving clients across three continents. They’re not employees anywhere, yet they’re invaluable to multiple organizations. They’ve built reputations in narrow, specialized domains—whether that’s Jenzabar system migrations, maritime charter operations, or developing cybersecurity curricula—that make them irreplaceable for specific challenges.

Building Agile Organizations Through Open Talent

The core thesis of Winsor and Paik’s work is that companies can become more agile and innovative by tapping into freelance workforces through digital platforms. This isn’t just about cost reduction—though that’s certainly a benefit. It’s about accessing capabilities that simply don’t exist within traditional organizational boundaries.

When I’m developing comprehensive cybersecurity course materials or architecting technology governance frameworks for institutional transformation, I need very specific expertise for very specific durations. Sometimes I need that expertise for three weeks. Sometimes for three months. Rarely forever.

The traditional model would have me either:

  1. Hire full-time staff with these niche skills (expensive and often underutilized)
  2. Go without the expertise (limiting what’s possible)
  3. Wait months for traditional consulting engagements to spin up (too slow)

Open talent models offer a fourth option: access precisely the skills you need, exactly when you need them, from the global talent pool that actually possesses those skills.

The Strategic Implications

What strikes me most about this shift is that it’s not just operational—it’s strategic. The companies that will thrive in the next decade aren’t necessarily those with the largest HR departments or the most impressive headquarters. They’re the ones that can orchestrate diverse, distributed talent to solve complex problems rapidly.

This requires a different kind of leadership. You’re not managing employees; you’re orchestrating expertise. You’re not building an organization chart; you’re building a network of capabilities.

For those of us already operating this way—across technology operations, educational content development, international business ventures—this isn’t the future of work. It’s simply how work gets done now.

The question isn’t whether your organization will adapt to open talent models. It’s whether you’ll do it strategically and intentionally, or whether you’ll be forced into it by competitive pressures you didn’t see coming.

Saturday, November 15, 2025

The Next Evolution of Ransomware: Attacking the Integrity of Our Bricks

Ransomware has always been a digital menace—a straightforward economic transaction of coercion. It began as a simple digital mugging, encrypting our files and demanding payment for the decryption key. It then escalated to "double extortion," where attackers not only locked the data but also stole it, threatening public release. This represented an attack on our productivity and our reputation.

The next evolution, however, targets something more fundamental: our confidence in the truth of our data.

The Emerging Threat of Data Integrity Ransomware

It is not yet widespread, but security researchers are seeing early signs of a concerning new tactic: Data Integrity Ransomware. Unlike traditional ransomware, which announces itself loudly through encryption, this approach operates stealthily.



In this scenario, attackers don't just encrypt; they introduce subtle modifications into critical datasets: a changed figure in a financial ledger, a patient's medical history, an industrial control parameter. The sophistication required is significant: attackers need deep domain knowledge, must evade detection systems, and must maintain persistence long enough for the corrupted data to flow into the backups as well, so that restoring from backup brings the corruption back. These barriers make widespread adoption unlikely in the near term, but targeted attacks against high-value organizations are increasingly feasible.

The victim organization faces a complex decision matrix:

  1. Pay the ransom: The attacker claims to provide either restoration tools or detailed change logs—though trusting criminal actors with data integrity creates its own paradox.

  2. Refuse to pay: Initiate expensive forensic analysis and verification processes, potentially rebuilding systems from known-clean backups while accepting operational disruption.

  3. Ignore the threat: Risk operating with potentially corrupted data, accepting liability for any downstream failures.

The economic model here is more complex than traditional ransomware. Once data integrity is questioned, trust may never fully return—making this potentially a one-shot weapon that burns the target permanently.

The Double-Edged Sword of AI Acceleration

The same AI capabilities transforming legitimate business operations will inevitably be weaponized. However, both attack and defense will be amplified:

Attack Enhancement

Malicious actors will deploy specialized AI agents for:

  • Reconnaissance: LLMs analyzing public data to craft sophisticated spear-phishing campaigns

  • Vulnerability Discovery: Automated scanning and exploitation of configuration weaknesses

  • Persistence Maintenance: AI-driven evasion of behavioral detection systems

  • Corruption Patterns: Machine learning to identify high-value data targets that maximize impact while minimizing detection

Defense Amplification

Organizations aren't defenseless. Modern security stacks include:

  • File Integrity Monitoring (FIM) systems that detect unauthorized changes

  • Database Activity Monitoring (DAM) tracking all modifications to critical data stores

  • Cryptographic hashing and digital signatures for critical documents

  • Immutable backup systems with air-gapped verification copies

  • AI-enhanced SIEM platforms detecting anomalous data modification patterns

The challenge isn't that these attacks are undetectable; it's that detection and verification at scale require significant investment in both technology and process, and that the verification has to run from somewhere the attacker cannot reach.

The Real Target: Institutional Trust

The true damage transcends operational disruption. When a hospital can't trust patient allergy records, when a bank questions transaction histories, when a power company doubts sensor readings—the social contract between institutions and citizens erodes.

This erosion of trust has cascading effects:

  • Regulatory scrutiny increases as authorities question data integrity

  • Insurance premiums spike due to unquantifiable risk

  • Transaction costs rise as every exchange requires additional verification

  • Innovation slows as organizations become paralyzed by verification overhead

Consider the maritime industry's wake-up call with GPS spoofing: ships receiving falsified position data, with groundings and collisions the obvious outcome if the crew trusts the display. Unlike the El Faro tragedy, where outdated weather data proved fatal, these attacks involve actively falsified data streams. The lesson stands: our growing dependence on data accuracy makes integrity attacks far more dangerous than simple availability attacks.

Building Resilience Against Integrity Attacks

The defense isn’t just technical—it's architectural and cultural:

Technical Controls

  • Cryptographic provenance: hash-chained, append-only logs for critical data, with the chain head signed or sealed by a system the data host cannot write to

  • Threshold or multi-party approval: critical writes require sign-off from several independent parties or keys, so a single compromised account or host cannot alter the data alone

  • Zero Trust data architecture: every write is authenticated and authorized per request, not trusted because it came from inside the network

  • Behavioral baselines: AI systems learning normal data change patterns and flagging deviations from them
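The monitoring tools listed under Defense Amplification (file and database integrity monitoring, hashing, immutable backups) and the cryptographic provenance control above come down to the same mechanism: a record store that can prove it was not rewritten, checked by something the attacker cannot reach. The Go program below is an added example written for this post, not a product or a standard. It keeps a hash-chained, append-only ledger of constructed patient records (the record text is made up), lets an offline verifier take HMAC-sealed checkpoints under a key the data host never holds, and then exercises two tamper cases. A careless edit that leaves the stored hash stale is caught at the exact entry. A careful attacker who rewrites a record and recomputes every later hash passes the per-entry check, but the sealed head no longer matches, and the verifier reports the earliest entry that could have changed, which tells you how far back to restore. The names Ledger, Checkpoint, TakeCheckpoint, RewriteEntry and Verify are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Entry is one row of an append-only ledger: the record plus the hash that chains it to every record before it.
type Entry struct {
	Payload string
	Hash    []byte // SHA-256(prevHash || payload); prevHash is genesis for the first row
}

// Ledger is the data store the attacker can reach.
type Ledger struct{ Entries []Entry }

// Checkpoint is what the offline verifier keeps: entry count, chain head at that count, and an HMAC under a key the data host never holds.
type Checkpoint struct {
	Count      int
	Head, Seal []byte
}

var genesis = make([]byte, 32) // fixed-width prev hash, so prev||payload parses unambiguously

func chainHash(prev []byte, payload string) []byte {
	h := sha256.Sum256(append(append([]byte{}, prev...), payload...))
	return h[:]
}

func (l *Ledger) headAt(n int) []byte { // chain hash after the first n entries
	if n == 0 {
		return genesis
	}
	return l.Entries[n-1].Hash
}

func (l *Ledger) Append(payload string) {
	l.Entries = append(l.Entries, Entry{payload, chainHash(l.headAt(len(l.Entries)), payload)})
}

func seal(key []byte, count int, head []byte) []byte {
	m := hmac.New(sha256.New, key)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(count))
	m.Write(n[:])
	m.Write(head)
	return m.Sum(nil)
}

// TakeCheckpoint is run by the offline verifier, which stores the result where the ledger's host cannot write.
func TakeCheckpoint(l *Ledger, key []byte) Checkpoint {
	n := len(l.Entries)
	return Checkpoint{Count: n, Head: l.headAt(n), Seal: seal(key, n, l.headAt(n))}
}

// RewriteEntry is the careful attacker: change a record and recompute every later hash so the chain stays self-consistent.
func RewriteEntry(l *Ledger, i int, payload string) {
	l.Entries[i].Payload = payload
	for j := i; j < len(l.Entries); j++ {
		l.Entries[j].Hash = chainHash(l.headAt(j), l.Entries[j].Payload)
	}
}

// Verify replays the chain and compares it with the sealed checkpoints (ascending Count).
// On failure it returns the index of the earliest entry that may have been altered: how far back a restore must reach.
func Verify(l *Ledger, key []byte, cps []Checkpoint) (int, error) {
	for i, e := range l.Entries {
		if !hmac.Equal(chainHash(l.headAt(i), e.Payload), e.Hash) {
			return i, fmt.Errorf("entry %d: record does not match its stored hash", i)
		}
	}
	lastGood := 0
	for _, cp := range cps {
		switch {
		case !hmac.Equal(seal(key, cp.Count, cp.Head), cp.Seal):
			return lastGood, fmt.Errorf("checkpoint at %d entries carries a forged seal", cp.Count)
		case cp.Count > len(l.Entries):
			return lastGood, fmt.Errorf("ledger truncated: %d entries, checkpoint covers %d", len(l.Entries), cp.Count)
		case !hmac.Equal(l.headAt(cp.Count), cp.Head):
			return lastGood, fmt.Errorf("chain rewritten somewhere in entries %d..%d", lastGood, cp.Count-1)
		}
		lastGood = cp.Count
	}
	return -1, nil
}

func main() {
	key := []byte("verifier-key-kept-off-the-data-host") // constructed; a real key lives in a KMS or HSM
	l := &Ledger{}
	l.Append("patient=P-1042 allergy=penicillin") // constructed records, not real data
	l.Append("patient=P-1042 med=warfarin dose=5mg")
	cps := []Checkpoint{TakeCheckpoint(l, key)}
	l.Append("patient=P-2210 allergy=none")
	l.Append("patient=P-1042 med=warfarin dose=5mg refill")
	cps = append(cps, TakeCheckpoint(l, key))
	fmt.Println(Verify(l, key, cps)) // -1 <nil>
	RewriteEntry(l, 2, "patient=P-2210 allergy=penicillin")
	fmt.Println(Verify(l, key, cps)) // 2 chain rewritten somewhere in entries 2..3
}
```

Two design points carry over to real systems. The seal must be computed and stored by a party the ransomware cannot write to, or the attacker simply re-seals the rewritten chain, which is the same reason backups need an immutable, separately controlled copy. And checkpoint frequency sets your blast radius: the verifier can only say "somewhere after the last good checkpoint", so take them often enough that restoring from that point is something you can afford.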

Process Controls

  • Change management: Every data modification is tracked to an authorized source

  • Segregation of duties: Critical changes require multiple approvals

  • Regular integrity audits: Proactive verification rather than reactive recovery

  • Incident response planning: Specific playbooks for integrity compromise scenarios

Cultural Shifts

Organizations must evolve from asking "Is our perimeter secure?" to continuously questioning "How do we verify the integrity of our operational data?" This means:

  • Training staff to recognize subtle data anomalies

  • Building verification steps into standard workflows

  • Accepting that some efficiency must be traded for integrity assurance

  • Creating clear escalation paths when data integrity is questioned

The Path Forward

Data integrity ransomware represents an evolution, not a revolution. Like previous ransomware waves, initial attacks will target unprepared organizations before defenses catch up. The organizations that survive will be those that:

  1. Invest proactively in integrity verification infrastructure

  2. Maintain offline verification capabilities for critical data

  3. Build response plans specifically for integrity incidents

  4. Create data governance frameworks that prioritize integrity alongside availability

  5. Foster security cultures where questioning data integrity is encouraged, not dismissed

The bricks of our digital reality—our core data—must be protected not just from theft or encryption, but from the more insidious threat of corruption. As we build increasingly automated and interconnected systems, the integrity of our data becomes the integrity of our decisions. In this new threat landscape, paranoia about data integrity isn’t pathological—it’s prudent.

The question for every security leader is no longer "When will we be hit by ransomware?" but rather "How will we know if our data can still be trusted when we are?"