Information Security Monitoring for companies rendering essential services is going to be closely watched by the Romanian State

The deadline to submit the file to the relevant Romanian authority is 17 December 2020.

It’s for companies in the industries offering essential services (mainly energy utilities, banking, payment services, etc.).

Legal background:

Law 362/2018

Why is the deadline 17 December 2020?

Because all the related legal acts, governmental orders and so on culminated in HG 976/12.11.2020, published in the Official Monitor on 17 November 2020, and a stipulation says that the legal documentation / complete file has to be submitted within 30 days (so, 30 days from 17 November 2020 is 17 December).

What if a company does not comply?

Companies have to make an analysis on their own and, if they qualify – according to the law – as providing / rendering essential services (mainly in industries such as energy, banking, payment companies, etc.), then they have to complete a file and submit it to the relevant authority.

There is more to say: for example, if the delivery of such services depends on a computer network and they can suffer from a possible unavailability of such a network (in case of a security breach), then they qualify. If they do not depend on a computer network to deliver the essential service, they still have to contact the relevant authority to be told whether other criteria may make the company qualify as delivering essential services at risk of unavailability should various events happen.

Pay attention: the penalties for non-compliance are not small. So, if your company qualifies under the regulation but is unaware of such legislation and does not do that internal analysis (where the conclusion of such an analysis would be that it might qualify), the relevant State Authority may still check on that company after the deadline.

The fine is 5% of the company’s turnover.

About the National Cyber Security Directorate – a few oversights

Interesting opinion …


I am writing the following after reading three times the proposed Government Ordinance (OG) on establishing the National Cyber Security Directorate and on amending and supplementing certain normative acts (at this hour I do not know whether it has been approved). I resonated with this initiative from the first time I read about it: there is a need for a single “brain” to draw up the vision, the strategy and the aspects related to security compliance. Today, however, I find that, as the proposal is written, there is a possibility that we will witness the birth of a state monopoly (“DNSC may establish, under the law, on behalf of the state, state-owned companies in Romania and abroad. DNSC may also participate, in compliance with the company-law framework in force, in increasing the share capital of the companies in which it exercises, on behalf of the state, the capacity of shareholder.”) Or perhaps my understanding is wrong in the absence of a public debate on this project…


A new digital assets exchange

Gets funding in an unusual way

An IPO. Nothing new.

Business: provides services for trading digital assets. Such a business has been done before.

Amount: 117 million US dollars. It has been done before; such an amount is not unachievable.

So what is new?

SEC (Securities and Exchange Commission)-approved IPO is the first of its kind: investors can pay in Bitcoin (BTC), Ether (ETH), and USD Coin (USDC) – these are crypto-currencies.

Since launching the IPO, INX (the start-up company) raised $7.5 million by Sept. 10, the firm’s representatives said.

More than 3,000 retail and accredited investors registered for the INX token offering in the first three days.

Yes, that’s right. You read it correctly: a token. This is a new form of investment instead of shares or bonds or other equity form.

For those unfamiliar, a token is a form of digital asset that lives on a blockchain (a specific type of distributed database network), is transferred back and forth over that blockchain and is issued electronically using a smart contract (a piece of software that is a feature of the blockchain).

So, no more need for papers, approvals, stamps, formalities and other similar stuff. Also, no more need for brokers. Investors can trade tokens using digital asset exchanges.

More precisely, this is a hybrid of IPO and security token offering (STO) that is registered with the SEC (a registration statement relating to the offering of these securities was declared effective by the SEC on Aug. 20), allowing everyday investors to legally participate in it.

The funds raised from the sale of INX tokens will be used to launch a multiservice digital asset platform. A regulated crypto trading platform for crypto, security tokens and their derivatives is intended to be created, as well as to launch a cash reserve fund.

STO (Securities Token Offering): Why is this a big deal anyway?

Because crowdfunding in a digital form takes place now in a regulated form.

Why was it not regulated so far?

Because innovation was a step ahead of regulatory activity, and this has always been the case, I would say. Blockchain as an innovation is no exception. Yes, the unregulated form was the ICO (Initial Coin Offering).

In order to understand what an STO is, one must first understand ICO. The latter refers to a token offering from a company or organization in order to raise capital for a project. Buyers are issued with digital tokens. Unfortunately, ICOs are largely unregulated, thus putting investors at risk.


Web scraping. Get products prices of competition from their website. How to achieve the goal using a trendy programming language (i.e. Python) in 20 lines of code (part 1)

Web scraping is when one wants to copy the content of a web page (or targeted parts of an entire site) and this is done automatically by a programmed robot (or a pre-programmed application). I use Python (and an open source library) to successfully achieve potentially any web scraping task.

An interesting use of web scraping to get automatically (hourly) the prices of products sold by competition

In this article I presume the reader has a business that sells to consumers (B2C) and, as any normal business, it needs to diligently monitor the competition, having available data about prices of its competitors. I presume also that each competitor has a website (eCommerce website, for example) that displays the product prices for each and every product they offer to consumers.

Disclaimer: it is debatable whether web scraping is legal or illegal. A recent case showed that web scraping is not clearly legal, although legal issues such as copyright infringements or contract law breaches were not addressed in the respective case (as per the author, i.e. Mr Eric Goldman, a professor at Santa Clara University School of Law, where he teaches and writes about Internet Law, Intellectual Property and Advertising Law). Therefore, before pursuing web scraping, I strongly recommend that the reader consult his/her lawyer.

I decline any responsibility whatsoever for any endeavour the readers might pursue upon reading this article. Use web scraping at your own risk!

What I think is still legal: no competitor can forbid you from looking. You open your browser, enter the URL of the competitor’s website, look at the figures, take a pencil and write down what prices that website displays for a specific product. But this is a manual approach that is obviously far from efficient.

Remark: the case of law displayed in the Disclaimer mentioned above dealt with an automated tool. Apparently, that tool was the root-cause of the problem because the target website stopped working.

Let’s clarify one thing: I would never recommend anything like that. Blocking websites from proper functioning is not in my intentions.

Now that we have passed the disclaimer part, I would like to say a few words about what this article provides. I explain a very convenient, cost effective and flexible method to get public info from the reader’s competitors’ websites (without disrupting any target website) and build a database to be analysed further. Such a database helps any business to assess the competition and improve internal decisions.

Thus, data gathered from competition or from market falls into “business intelligence” category. It is normal to make use of it when drafting the price strategy or set the size of discounts you are willing to offer to consumers (in order to make a difference compared to your main competitors), all aiming at maximising your sales (volume) and profit.

Advantage: gathering data from the market into the company’s database, where it is available to your analysts, is what keeps a business more adaptable to the market. You might decide to reduce some prices for one category of products and/or increase prices for other products.

A manual approach won’t work for, say, hundreds or thousands of products. If an important volume of market data from competitors is to be gathered, the process is less efficient, because you need additional staff to do it manually (or you can do it with less staff, but it is more time consuming).

A pre-programmed application (or a robot) aimed to extract the right data at the right time has the following advantages:

  • extract data with the frequency desired (it can be even hourly), so you are updated with prices practiced by competition all the time;
  • no manual error;
  • data obtained can be saved in your database or in the format needed (i.e. “csv” – for example) ready to be imported in your company’s database;
  • the bunch of data obtained would allow for various models to be created, various scenarios of prices modifications, with corresponding sales volumes and related profit by product and/or total profit maximisation.

Now, the technical part: what’s behind the scenes at the competition? Web pages and HTML

Any website has a bunch of web pages. When we visit a web page, our web browser makes a request to a web server that sends back some files that tell our browser how to render the page for us. 

The files our browser receives fall into a few main types:

  • HTML format / language – here we have the main content of the page.
  • CSS (Cascading Style Sheets) that add styling to make the page look nicer.
  • JS (Javascript) files that add interactivity to web pages.
  • Images — in some image formats, such as JPG, or PNG, etc that allow web pages to show pictures.

HTML is the main focus for web scraping (because it has the content that we target to obtain).

HyperText Markup Language (HTML) allows you to do similar things to what you do in a word processor like Microsoft Word, namely make text bold, create paragraphs, and so on. HTML is not as complex as Python.

HTML consists of elements called tags. Wherever you see “<” followed by one or several other words and then a “>” that ends those words, this is called a “tag”.


<p> – indicates a beginning of a paragraph

<a> – indicates a link. The opening tag is followed by the description of the link (and finally by </a> at the end)

<body> – indicates the start of web page body

<head> – indicates the start of the header section of web page

and so on.

Why did I go into such details? Because usually, any web scraping tool uses these tags as the main elements needed to identify and extract the main content we are interested in.
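How a scraper uses tags to pick out content, shown as an added example that is not the author's code from the follow-up article. It uses Python's standard html.parser on a constructed page held in a string (nothing is fetched); the class names "product", "name" and "price" are hypothetical.

```python
from decimal import Decimal, InvalidOperation
from html.parser import HTMLParser

# Constructed sample page (not taken from any real shop).
SAMPLE_HTML = """
<html><head><title>Shop</title></head><body>
  <div class="product">
    <h2 class="name">Espresso machine</h2>
    <div class="box"><span class="price">1.299,00 lei</span></div>
    <a href="/p/1">details</a>
  </div>
  <div class="product">
    <h2 class="name">Coffee grinder</h2>
    <span class="price">249.50 lei</span>
  </div>
  <div class="product">
    <h2 class="name">Gift card</h2>
    <span class="price">on request</span>
  </div>
</body></html>
"""


def parse_price(text):
    """Turn '1.299,00 lei' or '249.50 lei' into a Decimal; None if no number."""
    number = "".join(ch for ch in text if ch.isdigit() or ch in ".,")
    if not any(ch.isdigit() for ch in number):
        return None
    if "," in number and "." in number:
        # The separator that appears last is the decimal one.
        decimal_sep = "," if number.rfind(",") > number.rfind(".") else "."
        thousands_sep = "." if decimal_sep == "," else ","
        number = number.replace(thousands_sep, "").replace(decimal_sep, ".")
    else:
        number = number.replace(",", ".")
    try:
        return Decimal(number)
    except InvalidOperation:   # e.g. '1.2.3'
        return None


class PriceParser(HTMLParser):
    """Collects the text of name/price tags inside each <div class="product">."""

    def __init__(self):
        super().__init__()
        self.products = []
        self._current = None    # product being filled in
        self._div_depth = 0     # nesting of <div> inside the product
        self._field = None      # (field name, tag that opened it)

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if tag == "div" and self._current is None and "product" in classes:
            self._current = {"name": "", "price": ""}
            self._div_depth = 1
        elif tag == "div" and self._current is not None:
            self._div_depth += 1
        elif self._current is not None:
            for field in ("name", "price"):
                if field in classes:
                    self._field = (field, tag)

    def handle_data(self, data):
        if self._field is not None:
            self._current[self._field[0]] += data

    def handle_endtag(self, tag):
        if self._field is not None and tag == self._field[1]:
            self._field = None
        if tag == "div" and self._current is not None:
            self._div_depth -= 1
            if self._div_depth == 0:     # the product <div> itself closed
                self.products.append(self._current)
                self._current, self._field = None, None


def extract_prices(html):
    """Return [(product name, Decimal price or None), ...] in page order."""
    parser = PriceParser()
    parser.feed(html)
    return [(p["name"].strip(), parse_price(p["price"])) for p in parser.products]


if __name__ == "__main__":
    for name, price in extract_prices(SAMPLE_HTML):
        print(name, price)
```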

Technical part of web scraping: Python is the main tool used

One of the most liked programming languages as per this link is Python.

In the next article I will continue with Python and a well known open-source module (or library) written in Python. I will explain how to create and approach web scraping aimed at extracting the relevant content from your competitor’s website.

Customer Revenue Optimisation platform

Use-case: CenturyLink (this company is a member of the S&P 500 index and the Fortune 500)

An interesting use of AI (Artificial Intelligence) to increase revenue through better use of available data.

Due to a long history of mergers and acquisitions, CenturyLink (a telecom company now offering a bunch of digital services such as communications, network services, security, cloud solutions, voice, and managed services), created a number of information silos.

This most likely happens for companies that suffer such changes and the higher the number of such changes the higher the number of such information silos in the final company.

The drawback is that such silos prevent sellers from accessing the necessary account information about customers.

CenturyLink turned to a Customer Revenue Optimisation (CRO) platform (the name of the provider is not important, as I am not writing this article to sell something specific).

“They (i.e. sales people) need AI insights to understand the kinds of triggers telling them which customer they should reach out to, and then look for other buying signals that can be reasons to go back and contact the customer. We like the prospect of leveraging activity as a way to give our frontline managers insight into what to do next, and AI helps drive that.”

Within three months of implementing the CRO platform, CenturyLink developed $250,000 a month in recurring revenue from one opportunity manager implementation, and a 350% funnel increase from top 40 accounts with account planning, according to

A major benefit of the implementation was the high level of accuracy it gave CenturyLink to make sales forecasts, which helped sellers to refocus on deals that were more attainable.

For more information about which IT solution aids sales, is cost effective and is suited to your specific situation, I can provide advice to your business (see my contact details).

SaaS businesses seem to have a good evolution at stock exchanges these times

A Software-as-a-Service company offers software from the cloud to its users

I touched on the issue of SaaS (“Software as a Service”) in this post, when I discussed the delivery form of this software, which looks more like a service, and a little bit about the differences compared to the classic licensing model.

Companies that offer SaaS seem to be staying afloat in this new economic context.

As with any novelty introduced by a new model in IT, this gets traction for various reasons. One of them might be avoiding unnecessary costs, since the value proposition of SaaS could be similar to that of a classical software application, but as a plus it also includes smaller licensing fees than the classic model. In addition, nothing is delivered physically (no CDs, no DVDs, nor memory sticks with compiled installation executables – and therefore no headache with this bunch of stuff, which is hard for the vendor to keep from being copied without a license by the buyer).

An understandable reason might be the job cuts, which indicate that many businesses are considering reducing their costs; since cloud computing looks like a cheaper alternative, this would be a way to minimise cash outflows during this virus crisis. Cloud costs, though – if not monitored – could also add a significant amount to the bill.


Python on a VPS (Virtual Private Server) for those who do not know Linux

A convenient and secure enough way to code in Python on Windows using a Virtual Private Server

A VPS (Virtual Private Server) running Windows is nowadays a convenient way to code in Python if you don’t know Linux. Why a VPS? If you do not want to buy a computer, and if you want a speedy internet connection and no sudden power cuts that lose work you forgot to save, then for 20 $ a month you can have a VPS with a hosting provider.

Especially if you have some processing needs that might take longer than expected (I have some that take more than 1 day), doing it on a laptop is obviously not what you want. Even a desktop placed at home that runs for more than 12 hours is exposed to sudden interruptions when children go from one corner of the room to another, or the cleaning tasks might go over the wire … you know what I mean.

I have had a VPS (running Windows Server 2012) for one year already and it works like a charm with Python.

Note: Windows Server 2008 will come to end of support in 2020, so you might want to choose a later version of Windows Server.

Install and configure VPS

Access to the VPS needs to go through a VPN (Virtual Private Network) or another encrypted connection. In this short article I will go with a VPN and I assume you have a VPS hosting provider that offers a VPN within its package.

Because on Windows RDP (Remote Desktop Protocol) is the standard way to access a Windows computer remotely, I have checked the security of RDP and I am not in favor of it without additional compensating security, i.e. a VPN.

Connect to the VPN before you connect to the VPS. THIS “before” IS A MUST. Otherwise, you will be exposed to hackers because Remote Desktop Protocol has flaws (see this link and this link in Romanian).

VPN is still good to go.

The following are the security settings I have put in place for my VPS (after discussing them also with one of my friends, Adi Rusu – thank you Adi!). In my opinion, they are secure enough in my best reasonable judgement, based also on my experience of 12 years in the IT field and an engineering background, plus a CISA (Certified Information System Auditor) certification.

Please feel free to use them, but like anything in life do not take my word for free. Check for yourself and make your own judgement.

Therefore, use them at your own risk (DISCLAIMER: all these settings do not warrant you will be free from security incidents).

  • Create a user that is not admin (username not JIM, nor JOE, nor ADMINPOWER, etc, but something random like “Tdte59&eg0Y7)df6”)
  • Allocate only Remote Desktop rights to this new user. This is the only user that will be used for accessing the VPS
  • Session of 24h for this user only (to keep the work going 24/7 and to avoid the scripts being stopped when the session ends)
  • Create a second user with admin rights having random characters as a username (not ADMIN, nor ADMINISTRATOR, etc but something like “Rgdy6AGDTnr6el&5e” (or similar)). The longer the better.
  • Passwords at least 16 characters (special, upper case and numbers) to all users. The longer the better.
  • I saved these passwords (and also those long usernames) in a txt file on a memory stick that I attach to my laptop for a short time (like 30 seconds or so). I use that text file only when I am remote and want to connect to my VPS. After I connect to the VPS, the memory stick has done its job and therefore I remove it. This makes my life easier (and hard for hackers). I will explain. Convenient: because I can copy/paste from that memory stick when starting Remote Desktop Protocol to connect to the VPS and do not need to remember such long and complex passwords. Hard for hackers: because (i) long passwords; (ii) random usernames (hard to guess), avoiding usernames like ADMINISTRATOR, against which they can run brute force attacks when they do IP guessing and possibly find your IP; (iii) my laptop is free of malware, as it is configured as explained in the last bullet, so as to protect the credentials to access the VPS in two ways: no intruders allowed, as there is no malware on the laptop, and no credentials of the VPS stored on my laptop anyway, but on a memory stick that is offline (in my pocket); (iv) and last, but not least: just in case a worst case scenario occurs, i.e. say my laptop gets malware (highly unlikely, as I do not browse low quality sites and do not click sneaky attachments received in my email inbox), before things get worse there are indicators that I am sensitive to, like slow processing, weird behaviour, etc. So, I am confident I will be able to notice in time and take appropriate actions (like stop using that laptop for accessing the virtual private server, disinfection, etc.).
  • Pay attention: do not use that memory stick on public computers! Use it only on your personal computer after you are sure it is safe (no malware or virus on it – see last bullet below on how to achieve that)
  • Last step: the default ADMINISTRATOR account on Windows Server has to be deactivated (otherwise, if you do not configure the Windows Server properly, this account will be bombarded with brute force attacks over Remote Desktop Protocol from untraceable sources, by hackers who might be randomly guessing your IP – I searched the Event Viewer and saw those attempts – so deactivating the default admin account was the solution, together with creating another user account with admin rights and a random username – see the fourth bullet point above)
  • Needless to say, the laptop (or home desktop computer) that you use to access your VPS needs anti-virus and a firewall (I would strongly recommend going for a paid solution and avoiding free antivirus software like Avast – because, for example, data from Avast antivirus users was sold to advertisers, who can then combine it with other data they have on your activities to track you in great detail – see this link). Plus regular – at least weekly – full scans (of your laptop, not the VPS). Last but not least, use a normal user (no admin rights) when you browse the world wide web from the laptop. Even though there are temptations to use a full power user account on Windows (when I want to install something on my laptop and avoid installation errors), I log on using a normal user account I created. Thus, I have Windows 10 with a user that has no admin rights that I use all the time. Each time I need to install something on my laptop, that new application requires the admin password, so no harm: I have control over browsing, and I can still install whatever I want. These settings prevent malware from a website I browse from the laptop – where I do not know if it is malware or not – from being installed in the background, because if it is something that really needs to be malicious, it will ask for admin credentials. Therefore, if something pops up requiring the admin password and I don’t know what it is, I deny it.
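The Event Viewer check mentioned in the list above can be automated. The following is an added example, not the author's own script: it assumes the Security log has been exported to XML with an "Events" root element, and the sample events, the IP addresses and the account name "rdp-user-placeholder" are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FAILED_LOGON = "4625"   # Security log: "An account failed to log on"
# Logon type 10 = RemoteInteractive (RDP); 3 = Network, which is how failed
# RDP logons are recorded when Network Level Authentication is enabled.
REMOTE_LOGON_TYPES = {"3", "10"}
DEFAULT_NAMES = {"administrator", "admin", "guest", "user", "test"}


def _event(event_id, user, logon_type, ip):
    """Build one constructed <Event> record in the Windows event XML schema."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


# Constructed sample, not real log data. The IPs come from documentation
# ranges and "rdp-user-placeholder" stands in for the real RDP-only account.
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "ADMINISTRATOR", 10, "203.0.113.7"),
    _event(4625, "administrator", 3, "203.0.113.7"),
    _event(4625, "admin", 3, "203.0.113.7"),
    _event(4625, "test", 3, "198.51.100.23"),
    _event(4625, "rdp-user-placeholder", 10, "198.51.100.23"),
    _event(4624, "rdp-user-placeholder", 10, "10.8.0.2"),   # successful logon
    _event(4625, "svc_backup", 5, "-"),                     # local service logon
]) + "</Events>"


def failed_remote_logons(xml_text):
    """Return (username, source IP) for every failed remote logon in the export."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id != FAILED_LOGON:
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue
        hits.append((data.get("TargetUserName", "").lower(),
                     data.get("IpAddress", "-")))
    return hits


def summarize(hits, real_accounts, ip_threshold=3):
    """Count guesses per username and flag noisy sources.

    Attempts that name an account which really exists matter most: with
    random usernames, a correct guess suggests the name has leaked.
    """
    real = {name.lower() for name in real_accounts}
    by_ip = Counter(ip for _, ip in hits)
    return {
        "by_user": Counter(user for user, _ in hits),
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= ip_threshold),
        "default_name_attempts": sum(1 for user, _ in hits if user in DEFAULT_NAMES),
        "real_account_attempts": [(u, ip) for u, ip in hits if u in real],
    }


if __name__ == "__main__":
    report = summarize(failed_remote_logons(SAMPLE_XML), ["rdp-user-placeholder"])
    for key, value in report.items():
        print(f"{key}: {value}")
```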

That would be all regarding the VPS (no need for anti-virus or a firewall on the server as long as you are invisible to the world wide web). No web server (IIS, Apache, etc.) is needed. On the contrary, I would advise uninstalling them if they are installed by default. This way your VPS will be invisible to hackers. But take care to NEVER browse the world-wide web from the server (why would you do that? You have the laptop already and can browse from it – and since RDP allows sharing the clipboard, you can transfer information by copying it from the browser on your laptop and pasting it onto the server – over RDP).

Install Python on Windows

Go on the server (Windows Server on your VPS).

I have used version 3.6.4 (and Windows Server 2012 is 64-bit) for more than one year.

The next link is to be used for downloading Python 3.6.4 (from the official site – always install from official sites):

Now, about “pip”:

I would highly recommend installing a tool that you will always need for your convenience when you want to benefit from the open-source libraries written in Python that are abundant on the internet.

The next option is to be chosen when installing Python:

That would be all.

Now you have all you need to start scripting in python on Windows.

Libraries (for example, the free work of others, usually packaged in modules) will, depending on what you need, be downloaded and installed easily using pip (the optional feature above).

Usually, these libraries are installed from the command line (PowerShell is also a possibility, instead of the classic command line inherited from DOS).

Thus, to use the classic command line, type “cmd” at Start, right click and choose “Run as Administrator”.

To use pip when installing Python libraries available on GitHub or elsewhere (where they specify pip as the installing tool), type as follows from the command line:

C:\WINDOWS\system32> pip install “opensource library name that you want” (or whatever you want*)

You will notice a process that will follow in your command line, like a download of that library and additional components. The final outcome of that process should be finalised with success. This is the validation you have “downloaded” that library and you may start using it with python.

This “pip” and using command line are the most used features and also convenient for me when I explore various work in python made by others (usually they are free and could be found in a significant number on github).

I hope you will find testing Python on Windows enjoyable and using a virtual private server convenient (while being secure enough).


*) Still be cautious about “whatever you want”. I mean about open-source code you find on the web (not everything is checked by open source communities as for us to have the comfort we are free from malicious bugs).

ChowNow platform partners with Instagram

Los Angeles restaurant ordering based platform will add “Order Food” buttons and stickers. Local restaurants aided this way

Food pictures and videos on Instagram are widely used. Users will be able to easily order because buttons and stickers will link directly to ChowNow to complete order flow.

It’s a great marketing tool for restaurants, said Chris Webb (ChowNow’s CEO and co-founder) and an easy way for them to inform their customers that they are open for business — even if they may not have open tables.

Nice idea, especially as restaurants were hit hard by this virus crisis.



Fidelity analysts: Chinese companies to thrive post-COVID-19

China did shut down travel, western countries did not shut down economy during virus spread

My opinion is that different countries will recover on different timeframes after COVID-19. It depends on when the pandemic started to spread in the relevant country and, of course, the extent of the spread.

Ironically, it seems that the most and first affected country might be, in the end, better than others.




VPNs and Work From Home: Security under scrutiny in times of COVID-19

VPNs secure communication between company servers and employees’ devices, but end user devices are exposed if not secured enough. Also, other compensating measures need to be in place.

Courtesy of The Cyber Security Hub™ (TCSH), I would like to highlight a link that TCSH pointed to, which notes that Work From Home (WFH) using a VPN is not 100% secure, as other risks exist in that activity (WFH). This article is for those who believe that a VPN is all you need for secure WFH. I extract selectively from the mentioned article only what I believe is critical for non-expert readers to grasp the essence.


  1. So, BYOD (Bring Your Own Device) is a high risk. At the least, it has to be approved by the company the employee works for. This device MUST be secure enough against penetration, so I would strongly recommend: (i) removing admin rights from this device (to the extent possible) and (ii) anti-virus and a firewall on it are a must (although recently I have learnt that such ammunition is not enough against a skilled hacker).

  2. IT infrastructure generally, i.e. in normal times (not these times of pandemic crisis), supports around 30% of users working remotely. Generally. During COVID-19, if all users go remote, then “Houston, we have a problem!”. I mean, no organisation has envisaged so far that its staff would work from home in such a huge majority. Therefore, buying additional equipment to support the increasing demand from users to work over VPN takes time (months). Configuring and integrating such new equipment into the existing infrastructure also requires time.

  3. I will end with this recommendation (excerpt from the article) that I fully agree with:

So, stay safe not only from the COVID-19 virus, but also from viruses in electronic form and other malware from hackers.

For this purpose, employees need a secure device (as I have mentioned above, i.e. admin rights removed and anti-virus and firewall software installed) and instructions on how to counter phishing attacks (for these I hope you have already introduced regular simulations, as I recommended previously in this article on LinkedIn), so that when employees are working from home, unsupervised and without a quick support link to the IT department, they will hopefully be able to apply that knowledge at home.