SecurityIntelligence: The Rise of the Selfie Authentication as a New Security Factor

The idea is a good one: Use the cellphone camera to take a selfie and employ it as another login authentication credential. Both MasterCard and LogMeOnce have introduced a type of selfie authentication. I talk about ways that they differ and how they can add an extra layer of security in my latest article for IBM’s SecurityIntelligence blog here.

Coping with Mixed Operating Systems: Strategies for Supporting Enterprise Heterogeneity

Back in October 1993, I wrote a story for Computerworld about how IT shops were dealing with supporting a mixture of OSes. Back then, we didn't have Chrome OS, or BYOD, or even a commonly used TCP/IP protocol stack to connect disparate systems. I wrote then:

When it comes to supporting enterprise networks, heterogeneity has become a fact of life, and this is especially true when it comes to supporting operating systems. For better or worse, the networks of today have become a real mixed bag.

How very true. For a look back in time, check out the link above.

FIR B2B Podcast #48: Content Marketers Need Journalists, Oh Yes They Do

In this week's episode, Paul Gillin and I pay homage to Lois Paul, who is retiring. The cofounder of Lois Paul and Partners and a respected technology journalist before that, she has been an inspiration to many people, including our co-hosts. Her work ethic, integrity and judgment are legendary in the New England PR industry and elsewhere. We expect that in retirement, Lois might cut her work week back to 35 hours. Whatever she does with her time, she will do it well.

A long post on the Curata blog asserts that “Content Marketers Desperately Need More Journalists.” It cites recent Curata research that shows that companies continue to invest heavily in content marketing but struggle to find quality content. At a time when the challenge of rising above the noise is greater than ever, why would you not want to hire people who already know how to do it? (We can offer a few suggestions, too!)

China is cracking down on news sites that use social media as sources, saying that tweets aren’t a substitute for good old-fashioned fact-checking. We wish more U.S. news organizations would take a cue from Beijing and be more responsible.

Finally, new research by Forrester finds that CMOs are feeling their oats. More than eight in 10 report that their performance is now aligned with business targets, and nearly one-third have P&L responsibility, which is way up from last year. Click below to listen to our podcast.

The goodness that Yahoo has brought us is mostly gone

Back in November 2011, Yahoo's then CEO, Carol Bartz, was fired. I wrote about this event for (then called ReadWriteWeb). I thought it was worth recalling today, on the news that much of Yahoo's core products have been sold to Verizon.

Firing Carol Bartz made us go into the Wayback Machine to recall the many good things that Yahoo has created over its life. While many are lining up to take shots at the Yahoos, some certainly justified, there are still some things worth noting. (Below is an early home page; others can be found at ITworld here.)

Some of Yahoo’s developer services were way ahead of their time, and many of them are no longer with us (updated with 2016 information):

  • FireEagle (location services), one of the early geo-location services, before there was Foursquare and so many others. Still around, barely. Closed in 2013.
  • Hadoop (Big Data): Yahoo initiated and put up some heavy investment in this project. It is the go-to framework for big data and an integral part of Yahoo's cloud businesses. Very much living and breathing, especially since it has been taken over by Apache.
  • Delicious (tagging/shared bookmarks), one of the pioneers in tagging and early crowd-sourced bookmarked recommendations of content, sold earlier this year to the founders of YouTube. Still here, but not top of mind. Seems to be gone for good, despite a series of corporate maneuvers.
  • Yahoo Pipes (mashup tool), probably still one of the most useful development tools that anyone has ever invented. Pipes can manipulate RSS feeds and extract content from a variety of Web programming languages. Sadly, it was killed off in 2015.
  • Yahoo Query Language (programming language), a programming language that works across Web services, somewhat akin to what SQL does with databases. Still supported in 2016.
  • BOSS (build your own search service), an open search and data services platform that can use Yahoo's search technology. Wait, you didn't know that Yahoo has its own search technology? Just kidding. Still supported in 2016.
  • Blueprint (mobile site creation), it was an early effort in building mobile Web sites. Closed in 2011.

Yes, Yahoo was always a day late and a dollar short when it came to its webmailer, its IM client, and eventually its search service. But still, it has traffic. One Internet commenter said, “they should use their front page as a fire hose, projecting mainstream users onto these platforms” such as the ones mentioned above. Fair enough. And once upon a time, I thought their Yahoo Groups email list service was terrific: the last few years haven’t been kind to this service. And while my Yahoo email inbox seems perennially spam-filled, their financial and movie pages are top-drawer.

Many comments around the 'Net seem to label Yahoo as an engineering company that can't get its products marketed or gain any adoption. One said "Yahoo lost its motivation, its excitement." Now it has lost its CEO. Maybe Bartz's successor can see their way towards a better future. Sadly, that last prediction wasn't to be.

Better cybersecurity training through gaming

I came across a report entitled Video Games as a Training Tool to Prepare the Next Generation of Cyber Warriors by the Software Engineering Institute. While it has been out for a year, it is still worth reading. The authors are part of a project at Carnegie Mellon University and suggest that the coming cybersecurity skills gap will be critical and will require some non-traditional methods to fix. Their thesis is that we have to turn to video games to generate new interest, and to start with young children. By grabbing kids' attention and building a solid foundation of skills and infosec knowledge, the games could help motivate a passion for finding a career in cybersecurity later in life.

One of the reasons why games make sense for cybersecurity is that they are designed for multiple players and promote team building and scenario-based problem solving. All of these are very valuable when it comes to responding to digital attacks and other IT-related situations.

Plus, under the category of unintended consequences, getting kids involved in security-related games could help narrow the gender gap as well: nearly half of gamers are girls, who have been historically under-represented in the cybersecurity field. And with more than 175 million gamers in just the US alone, there is a wide pool of potential recruits.

The idea isn’t new: the sci-fi series “Ender’s Game” by Orson Scott Card and the movie “The Last Starfighter” both have had a similar plot line — and both are from decades ago. In the real world, the modification of the game Doom by the US Marines has been out for decades as well. When it was first developed in the early 1990s, it cost about $25,000 and took about six months to develop. It proved to be so popular with the soldiers that they would queue up in the evenings to get a chance to play. Since then, the US Army released its own game, called America’s Army, that was designed as a recruitment and public relations tool but migrated into helping new enlistees learn about the state of weaponry and tactics that they would be learning in basic training exercises.

But what is new is that there are a number of video games, including one from a CMU affiliate, that can help bridge the gap. The report reviews several of them. These include games for children, such as MySecureCyberspace and CyberCIEGE; Control-Alt-Hack, a card game targeted at teens; Cyber Awareness Challenge and Cyber Protect, two games created by the DoD several years ago; and Watch Dogs, a game for various consoles that has been out since 2014. Some of these games get pretty deep into understanding appropriate IT policies, such as setting strong passwords and implementing biometric access to sensitive data. Think about that for a moment: when was the last time you could learn about setting a firewall rule as a tactic in some first-person shooter game? Card's Ender was ahead of his time.

Sadly, none of these games is really optimally suited for the proposed task of training cybersecurity defenders. It is a fair assessment, since none of them really had that as an original design goal. The authors state that it is “time to invest in a cybersecurity training video game that can be used to prepare the next generation of cyber-warriors and infosec professionals.” The report is well worth reading.

FIR B2B Podcast #47: Hank Weghorst and account-based marketing

Paul Gillin and I talk today on our FIR B2B podcast with Hank Weghorst about account-based marketing (ABM), why it is catching on now, and some of the mistakes that new users of ABM tend to make at first. Weghorst gave this TED Talk about the process, in which he describes how his company has assembled a huge database of more than 50 million companies worldwide and makes this information available to his customers via various desktop programs. Paul and I find out what ABM is all about and why its time has come. Listen to our podcast below.

Fast Track blog: Is it Time for Citizen Developers to Replace IBM Notes?

Nearly 30 years ago, Lotus Software came out with a radical new tool called Notes that has since become a corporate staple. More than an email program, it was used by IT and non-IT alike to build collaborative apps. Think of it as the origin of the citizen developer movement.

But Notes has stalled, and many corporations are looking to move on to something else. You can read my post on QuickBase's FastTrack blog here about what citizen developers can do to get the decommissioning party for Notes started.

iBoss blog: There’s No Single Magic Bullet for IoT Protection

An earlier post of mine for iBoss addressed the issue of wearable fitness devices and smartwatches and the threat they pose to your network. And while that post has lots of suggestions on how you can protect your network, there is still a lot going on in the IoT world.

In this post for iBoss, I discuss recent exploits using an all-webcam botnet, how the NSA wants to use IoT devices to profile your communications, and how enterprises are using mobile device management tools.

Veracode blog: Why firewalls aren’t your only friend

Firewalls have been protecting networks for decades, and many of us can’t remember life before them. But they aren’t your only friends, and these days just having a firewall isn’t enough to keep the bad guys from penetrating your network. While they are a good first step, you need to start thinking beyond firewalls to keep your infrastructure secure. You can read my post here about what else you need.

Subscribe now to Inside Security

You may be surprised that the overall rate of malware infections is at its lowest point in three years, at least according to one source (Enigma Software) that measures these things through its own network of sensors deployed across the globe. Yet this average obscures a lot of other trends, such as the fact that the rate here in St. Louis has actually not dropped all that much, putting my fair city in the number two spot for the most infected places to compute (Tampa is #1).

This is just one of the many news nuggets that you will get if you subscribe to my twice-weekly Inside Security email newsletter, a separate effort from Web Informant that is being done through the auspices of The company has started several other newsletters, including one on Teslas and one on virtual reality.

Also this week, two new forms of Mac-based malware have been discovered, one called Pirrit and one called Eleanor-A. For years the Mac has been a relative safe haven, especially when compared to Windows. But with the rise in its popularity comes a more tempting target for malware writers. The former is a piece of adware that actually behaves like an infection, while the latter comes as part of a fake document conversion tool called EasyDoc that is just a container for a collection of remote access Trojans that persist even after you try to delete the application.

Speaking of Safe Harbor, and by that I mean the EU's prior privacy regulations that were struck down some time ago, there is now a replacement called Privacy Shield. I link to the new regulations, along with some insightful commentary at Ars Technica (for the non-lawyers) and at SociallyAwareBlog (for those who want more or who are lawyers themselves).

Finally, do you want to examine the code that ran the Apollo spacecraft guidance computers? Now, thanks to some diligent volunteers, you can on GitHub, provided you know how to read assembly language. The code contains copious nerd humor and a 60s-era point of view, along with modern-day insider comments from space enthusiasts. Houston, we have a program!

There is a lot more on my newsletter this week, including links to how to learn to become a CISO and other noteworthy security reports, so subscribe here now.