About the Institute

The Hybrid Vigor Institute is dedicated to rigorous critical thinking and the establishment of better methods for understanding and solving society’s most difficult problems. Our particular emphasis is on cross-sector and collaborative approaches; we seek out experts and stakeholders from a range of fields for their perspectives or to work together toward common goals.
Principals | Advisors | What We Offer



hybridvigor.net houses the work of critical thinkers, researchers and practitioners who conduct cross-sector and cross-disciplinary explorations and collaborations.
Blog | Contributors | Topics

  Subscribe to Hybrid Vigor’s RSS Feed



Privacy | Funding


Contact Us



Intervention by Denise Caruso Read Intervention by Denise Caruso, Executive Director of the Hybrid Vigor Silver Award Winner, 2007 Independent Publisher Book Awards; Best Business Books 2007, Strategy+Business Magazine


by ~ December 14, 2011

It is five years almost to the day since I published Intervention, my book on genetic engineering and risk. And I am more convinced than ever that everything I wrote about was spot-on. It seems like every week there is a new revelation about harmful consequences of living biotech products in the wild — consequences that were predicted by so-called activists, but totally dismissed by the industry and regulators.

For example, genes from engineered plants do spread, despite industry’s early and repeated declarations that they cannot. One result? Superweeds that now have built-in resistant to several herbicides.

What’s more, insects are adapting quickly to transgenic plants with insecticide genes. In Illinois and Iowa, a new generation of insect larvae feeds on the roots of genetically engineered corn. And in India, the pink bollworm is unaffected by the insecticide growing in the cotton plants it is eating (for which Monsanto blames the farmers).

And it seems that eating transgenic food may not be so harmless after all.

Yet nothing changes. In fact, the Obama administration is supporting the planting of genetically engineered crops in more than 50 national wildlife refuges across the country.

So … I think it’s time for me to start researching a sequel to Intervention, focused on exposing the dangerously cozy relationships between industry and regulators that ignore scientific common sense and put all of us at risk.

But I’m going to need your help — and I’ll send you a gift, or even many gifts, in thanks for your generosity.

Here’s the deal: For every $20 you donate to Hybrid Vigor, we will send a free copy of Intervention to you, or to anyone you’d like. Signed and inscribed, if you choose.

You also can have your gift copies sent to libraries. Just specify in the instructions that you want to donate your gift(s) to a library, of your choosing or ours, and we will take care of the rest. We can also donate your book(s) to or companies or non-profits or corporate libraries — say, for example, to venture capitalists that are funding biotech startups …

Just click here and merrily Paypal away (you can use a credit card at this link also):

Your generosity will be much appreciated, and put to good use.


by ~ November 5, 2010

I recently wrote a post for Accenture on how industry support for social federation will revolutionize the industry. More to come on this topic.


by ~ August 26, 2010

USA Today reported on the growing trend for hackers to hijack people’s iTunes accounts:

They typically buy iTunes gift card codes, usually in $50 to $200 amounts. They then sell the codes — which can be used like cash to buy music and videos — at a steep discount, openly on the Internet.

If only these hackers could ensure their victims were from the landed class, they might be considered modern-day Robin Hoods. Alas, they’re garden variety thieves.

But what I liked about the article is that it captured the truly appalling apathetic attitude from Apple and financial institutions, who attempt to lay responsibility entirely on consumers:

Apple says there is little it can do about iTunes account hijacking. The company advises victims to change their passwords and contact their financial institution about being made whole.

Change their passwords? What good will that do? As the article points out,

iTunes logons also get stolen and sold off by hackers who spread computer infections containing keystroke loggers that capture logons as you type them.

So the hackers will capture you newly typed password, too.

Calls to your financial institution will likewise be met with a “talk-to-the-automated-hand” sort of attitude. After all, why should these guys care if you get hacked? These hackers drive up revenues by getting you to spend money that you wouldn’t have otherwise! Some economists would even argue that this kind of coerced economic activity is good for the economy!

Unfortunately, there’s very little consumers can do to protect themselves. How would you even know if you have a keylogger watching you all the time? Thanks to the lack of transparency in Windows and Mac OS, it’s difficult to tell when some rogue application is watching your every move. And of course, Apple shouldn’t be storing “credit and debit card, checking account and PayPal information” on their site. For their part, financial institutions need to come up with a better form of micro payments than opening a multi-year tab at iTunes on your personal credit card or PayPal account.

But will consumers care enough to boycott iTunes? Doubtful. So in the meantime, I recommend befriending a hacker.


by ~ August 25, 2010

John Fontana recently posted on the burgeoning interest in the topic of trust. One his links includes a discussion with two people I know and whom respect on this topic, Hilary Ward and John Clippinger (whose book “Crowd of One” I reviewed back in my Burton Group days). I highly recommend checking out all these resources!


by ~ August 18, 2010

My friend and security-industry-great, Gunnar Peterson gave a fantastic keynote presentation at the Cloud Identity Summit last month. During his speech, he used a series of images to show show some absurdly feeble attempts at security. One in particular caught my eye:

Bike Security

Given the subject of my presentation two days later—”trust” in the cloud—I couldn’t resist goading Gunnar a bit by countering that the bike’s security in fact passes muster. Here’s my argument:

According to Murphy’s Law, this bike should be stolen. And yet, there it is. Someone even took a picture or it. Is there something else going on here that’s keeping the bike from being stolen? I think so. In fact, I offer a special exception to Murphy’s Law. I call it “Mikey’s Law” and it goes like this:

Just because something can be stolen doesn’t mean it will be.

Perhaps in the society where the owner lives, simply putting a lock around something expresses one’s wishes for the item not to be taken—and that’s sufficient security because others respect that wish. People may even help you enforce your wish for respect of personal property by taking pictures and looking out for would-be thieves. Sounds like the kind of place where I’d like to live, in fact.

Idealistic? Perhaps. But for most of us it’s also part of our everyday experience. After all, do you lock up all of your valuables all of the time? Can you leave your wallet or purse in your office and expect to come back an hour later and find them just where you left them? In many cases, in fact you can. And that’s a good thing.

My point is that security practitioners are inclined to propose the “security society” as the ideal model for public safety. In a security society, citizens can’t trust others, fear that bad things always will occur, and lock up everything of value. In my view, the security society is the model of last resort. Where we “live” we should instead aspire to create a cooperative society, one based on trust rather than distrust. Yes, bad things will happen in the cooperative model, just as they do in the security society. But then again, all hell won’t break lose either, as some would have us believe. And even if the incidence of theft if a security society and a cooperative society were roughly the same, in which place would you prefer to live?


by ~ June 21, 2010

Just wanted to let everyone know about another blog I’m involved in: I recently helped Accenture (where I now work) launch a Security Blog.

Accenture has been involved in some of the largest and most complex security deployments of our time. So I believe the blog will be a great opportunity for senior people at Accenture to share some of their insights from these experiences. We’ll also be looking at new opportunities and growth areas for the online security space.

I’ll continue to post on HybridVigor.org as well as on the Accenture Security Blog. So make sure to keep both sites in your RSS feeds (for those of you who still use them) and in your bookmarks list!


by ~ June 1, 2010

Today is the first day of my month-long fellowship at the STUDIO for Creative Inquiry, in the College of Fine Art at Carnegie Mellon University.

I am here at the invitation of Golan Levin, director of the studio and, back in the day, a former colleague at Interval Research. The fellowship is funded by the National Endowment for the Arts.

Golan told me I could do anything I wanted, and so I invited Robin Gianattassio-Malle to come work with me on inventing a better way to help people learn and think about the consequences — both risks and benefits — of innovations in science and technology. We want to go beyond the usual binary, “fawning or damning” approach that dominates media coverage today, to actually informing people about these incredibly complicated issues.

I’m really excited about this project. It’s the first time in a long time I am going to have the opportunity to roll up my sleeves and do what I do best: to help people understand complexity in a way that is engaging, helpful and accurate. We are going to have to confront some tough design issues, but between us we have an amazing network to draw from.

Robin and I will be working at the STUDIO with two other fellows — Kyle McDonald and Jacob Tonsky — both of whom are wicked smart and from whom we expect to learn a lot.

We will be building a prototype over the next few weeks, and I will be posting updates about our progress. Yeehaw!


by ~ March 30, 2010

In reviewing my last several posts, I was beginning to wonder whether I’m cynical by nature or simply running low on happy pills. But then I found something really positive to write about: Microsoft announced at RSA that it would open source its U-Prove technology. This is really good news.

I hope the development community takes notice and begins contemplating the power of these tools for improving trust relationships online. I discussed some of its potential as part of my post on the “The Law of Relational Projection”  (scroll to the bottom of the post to find the specific reference).

So here’s a shout out to Kim Cameron, Stefan Brands, and the others who made this happen: Congrats!!


by ~ March 29, 2010

The word “trust” appears 32 times in the press release announcing the official launch of the Open Identity Exchange (OIX). Normally, I’d be enthusiastic about such dense coverage of a critical topic, but in this case I question the group’s understanding of the term.

A Governance Template, Not a Trust Framework

OIX is a kind of standards body where techies from various industries come together to prescribe satisfactory methods for identification, so that these IDs can be used across websites. From the OIX site, the process is as follows:

… policymakers representing a trust community (e.g., government, industry association, professional society) start by developing a trust framework specification. This document defines the identity proofing, security, and privacy policies that must be followed by identity service providers to reach a specified level of assurance (LOA). In some cases it will also specify the data protection policies that must be followed by both identity service providers and relying parties to reach a specified level of protection (LOP).

Lastly, the trust framework defines the qualifications necessary to be an assessor for the trust framework—a person or a company who has the professional experience necessary to assess whether an identity service provider or relying party is in compliance with the policies specified for a certain LOA or LOP.

Next the policymakers contract with a trust framework provider (TFP) to operate a certification program for the trust framework. A TFP who operates by the OITF model performs the following functions:

  1. Publishes the trust framework so it is publicly accessible.
  2. Accepts listings from assessors who meet the qualifications specified in the trust framework.
  3. Accept listings from identity service providers (and in some cases relying parties) who are successfully certified by a qualified assessor.
  4. Publish updates to the trust framework as it is revised, and periodically renew certifications of participants as required by the trust framework.

Lastly, the OITF model includes roles for auditors and dispute resolution service providers to assist in ongoing assessment of trust framework participants and resolution of any disputes that may arise.

(Side Note OIX: also don’t abuse the word “lastly.”)

Apparently OIX just hosts the party and provides the napkins (for sketching), but little else. Defining the standards is up to the policy makers and certifying compliance is up to a Trust Framework Provider (TFP)—whatever that is.

Identification isn’t Trust

I suppose that, if successful, OIX will improve the way digital IDs are used. That’s not altogether a bad thing, but it’s also not trust.

By analogy, imagine that, in order to improve the effectiveness of TSA screeners, the government sets a policy requiring travelers to present both a driver license and passport at the airport. Does it follow that everyone inside the secure area of the airport will trust each other? If the TSA screener clears someone, does that mean the screener trusts the traveler? Or that the screener trusts the ID? Do the IDs foster any kind of trust at all?

If there’s one thing I’d like to get through to techies who work these protocols, it’s this: identification isn’t trust. Please find another word to describe what you’re doing.


by ~ March 19, 2010

Interesting tidbit in the NYT yesterday about how developers can use public information to get the remaining 5 numbers of your SSN:

The Carnegie Mellon researchers used publicly available information from many sources, including profiles on social networks, to narrow their search for two pieces of data crucial to identifying people — birthdates and city or state of birth.

That helped them figure out the first three digits of each Social Security number, which the government had assigned by location. The remaining six digits had been assigned through methods the government didn’t disclose, although they were related to when the person applied for the number. The researchers used projections about those applications as well as other public data, like the Social Security numbers of dead people, and then ran repeated cycles of statistical correlation and inference to partly re-engineer the government’s number-assignment system.

This is why the b-day listed on my Facebook account is NOT my actual birthday, just my Facebook Birthday. I encourage everyone else to do the same.

In fact, if some of you hackers out there want to put your skills to good use, I’ll open source this idea for a killer privacy app: Develop a “misinformation virus” that goes around the internet making false and conflicting claims about individuals (and their doppelgangers). Make it so only people who know a person can distinguish between fact and fiction. I’d gladly download a “Plausible Deniability” iPhone app that that swarms users together to generate bogus tweets, text messages, photo tags, etc. in the interest of privacy. Anyone want to take me up on this? Reply with the first four of my social so I know your for real.