Drupal is a leading open source content management tool that hosts a significant portion of the most popular websites on the internet. If you have not heard about the Drupal security flaws from earlier this year, then you need to take a closer look at what happened and start taking precautions to protect your own installations. You can read my post in IBM’s Security Intelligence blog here.
Many of you have written me since getting a similar extortion email over the past few months. The emails all have similar characteristics: they usually mention an older password that you have used on one of your accounts in the subject line, and then suggest that the sender is monitoring your computer with spyware and will send out some compromising information about you if they aren’t paid the ransom.
As I said back in July, these emails shouldn’t be answered, or even opened. The sad fact is that if you are still using something with this password, you probably should be motivated to clean up your act and do a better job with your passwords.
I usually tell my correspondents to use this as an opportunity to do two things. First, to install a password manager. I use LastPass but there are plenty of others. These tools make your logins more secure because you can create complex passwords that you can’t remember, and more importantly, you don’t need to remember them either.
The second item is to use an authenticator app on your smartphone. These apps are probably the best security you can use to protect your accounts. Google, LastPass, Microsoft, Duo, Authy, and numerous other vendors have free ones. They work in conjunction with a one-time code that changes every minute or so. When you log in to your accounts with this app enabled, you have that amount of time to enter the code shown on your phone’s screen into the web form as part of your login process. If someone has your password, they won’t be able to see this code and properly log in.
Even better than using these authenticator apps is to make use of a special FIDO hardware key. Both Google and Yubico sell them. They are more secure but less convenient, because you have to remember to have the key on you when you need to login.
Certainly, there are other alternatives to authenticator apps and keys. Some of you have enabled a different authentication process with your logins, such as using an SMS text message to receive these one-time codes. This is much less secure than either the authenticator apps or the hardware keys, because a hacker can arrange to send this code to their own phone. Sadly, many websites (such as my bank) only support codes sent via the SMS method.
But here is the issue: apart from having authenticator apps and password managers, some of you are still writing your passwords down somewhere, and this is the most insecure thing you can do. Even if you keep a piece of paper in a locked safe, it is still less useful and less secure than the combination of password manager + authenticator app that I described above. That special piece of paper does you no good when you are across town from your office, for example.
There was this recent exchange on Twitter between Capital One and a customer, where the bank’s representative told the customer to not use a password manager. One person commented, “Hey Capital One! 1992 called. You need to hire a more up-to-date Security Officer.” Another recent study showed that password managers weren’t familiar or necessary to more than half of those surveyed.
Some of you have gone to great lengths to store your passwords on your phone’s address book, using a special code that will jog your memory about which password you have chosen for a particular site. Given the compromises that the mobile version of Facebook Messenger has at reading and distributing your contact data, this is also asking for trouble. It really isn’t worth the effort.
One of my readers called me about a month ago in a panic when he got the extortion email message. Once I calmed him down (he was up half the night worrying about it), we came up with a plan, such as I outlined above. I checked back with him recently and he did implement half of my suggestions. But he argued, “I can repeat my passwords on less sensitive accounts, because I don’t have anything to worry about with those accounts. There is nothing to steal here.” Wrong on these counts:
First, every reused password is another way for a hacker to worm their way into your digital life. Let’s say you purchase something from an online retailer, and never return to that site ever again. Meanwhile, you have forgotten that you saved your credit card on the retailer’s site, and then you have forgotten which retailer it was. When that retailer suffers a breach, your credit card is now at risk.
Consumers aren’t alone in reusing their passwords. A study for One Identity of 1000 IT professionals shows some poor security practices in place in several countries. They noted that admin passwords are often shared, among other bad practices.
Maybe you have a reused password for something blander, such as the account to your local library so you can download an ebook or two. Again, that library could be hit by an attacker, and that login could become compromised and reused on some other site. Hackers have automated routines that try username/password pairs across hundreds of websites, testing whether you have used them elsewhere. While the hacker may not steal anything of actual monetary value, they are stealing and using your identity. So just don’t reuse them, ever. Please.
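The automated routines described above, credential stuffing, leave a recognizable footprint on the site being tested: one source trying many different usernames in a short time with almost every attempt failing, and the rare success marking an account whose reused password has just been tried. Here is an added example (not from the original post) of the detection logic a site operator might run over its login log. The log format, the RFC 5737 documentation addresses and the thresholds are all constructed for the demonstration and are not from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample log: one address sweeps seven usernames in seven seconds and hits once;
# another address is a single user mistyping a password twice. Not real traffic.
SAMPLE_LOG = """\
2018-10-01T12:00:01Z ip=203.0.113.5 user=alice result=fail
2018-10-01T12:00:02Z ip=203.0.113.5 user=bob result=fail
2018-10-01T12:00:03Z ip=203.0.113.5 user=carol result=fail
2018-10-01T12:00:04Z ip=203.0.113.5 user=dave result=fail
2018-10-01T12:00:05Z ip=203.0.113.5 user=erin result=ok
2018-10-01T12:00:06Z ip=203.0.113.5 user=frank result=fail
2018-10-01T12:00:07Z ip=203.0.113.5 user=grace result=fail
2018-10-01T12:03:10Z ip=198.51.100.7 user=alice result=fail
2018-10-01T12:03:25Z ip=198.51.100.7 user=alice result=fail
2018-10-01T12:03:40Z ip=198.51.100.7 user=alice result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    result: str


def parse_log(lines):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window_seconds=300, min_distinct_users=5, max_success_ratio=0.2):
    """Flag source addresses that try many distinct usernames in a window with a low hit rate.

    Returns {ip: finding}; the finding keeps the window with the most distinct usernames and
    lists the accounts that succeeded inside it, which are the ones to force a password reset on.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_seconds
            while (evs[end].ts - evs[start].ts).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            hits = [e for e in window if e.result == "ok"]
            ratio = len(hits) / len(window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "success_ratio": round(ratio, 3),
                        "possibly_compromised": sorted({e.user for e in hits}),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG.splitlines())).items():
        print(ip, finding)
```

The single user who fails twice and then logs in is never flagged, because the rule keys on the number of distinct usernames rather than on failures alone. In practice the source key is often a combination of address, autonomous system and client fingerprint, since stuffing tools spread attempts across many addresses, and the thresholds are tuned against the site's normal traffic.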
Second, whatever system you have developed to avoid using a password manager doesn’t scale. The more websites you need logins for, the more likely you are to forget you already used one of your favorite combinations. My password manager has more than 200 logins. Granted, I am an extreme case, but your digital life probably has dozens of logins too.
Third, you could argue that most modern browsers have password-saving features to make it easier to log in to websites, so you don’t need a password manager. Again, this gives you a false sense of security, particularly if your laptop or phone is lost or stolen. It is child’s play to read your saved password list on your device, and then you have a whole lot of hurt. When you install a password manager, you should turn off the password-saving feature in your browser to avoid conflicts.
All the password managers have automated checks to tell you when you are about to reuse one of your existing passwords. Why would you have duplicates when using a password manager? Because you might not have changed all of your old passwords, and the manager is on the lookout for one that it already knows about and has squirreled away.
Finally, another nice thing about password managers is that you can have your logins available for all your devices, even if you move around from laptop to phone to desktop. It just makes a lot of sense to use them. So take some time, and get on board, and be secure.
There are more than 20 different coworking places in the St. Louis metro area where I live. I have been to many of them, even though I have my own dedicated office. Why? Because I want to be a part of the startup community and that is where many of them work. The spaces also are great meeting places.
Coworking spaces are useful for several reasons. When you travel, you have a place to set your laptop down and a nearby bathroom. If you just need a space for a few days or a week, you don’t have to go through the hassle of a monthly office rental. And if you have outgrown your dining room or spare bedroom in your home, and want something other than the local coffee shop, it might be time to investigate the local co-working scene.
There are a wide variety of operators, from the global, multi-city ones such as Spaces, WeWork and Industrious to smaller, one-off locations that are quirky and anything but corporate. Finding the right one can be a chore, but you should take the time to make sure it matches your needs.
Why a chore? When you begin your research, you will find out that it is hard to track down exactly what you will be paying for renting an office. This is a combination of factors: First, occupancy varies widely, and many places charge for different sized offices. Rates can also vary depending on how many people will be housed in any given office, although some places don’t care (within reason). Many of the operators want you to come in person to check things out, so they can give you the hard sell. So my first suggestion is you should make sure you know the costs and contracts up front. Here are some other tips:
- Understand whom you will be working next to. Are you interested in meeting people like you or unlike you? The choice is up to you. Some have private offices, some have shared private offices, and most have bullpen-style tables where several people work at close quarters. Make sure you understand what your actual space will entail.
- Check out their vibe and décor. The spots also vary on their vibe, and that will be the hardest thing to pin down if you are looking to plant yourself in one of them. Some are more intimate, which could work or not depending where on the introvert/extrovert scale you are. Lots of them have a Scandinavian design, and some could range to the very artsy funk, which could appeal to some. Some are enormous, such as Chicago’s 1871 that is located on the top floor of the Merchandise Mart. Some are small enough to just house a few people.
- What are the amenities besides a desk and Wifi? With some places, you pay extra for printers, coffee, a gym membership, using conference rooms, having a live human secretary to answer your phone, having a dedicated postal mailbox and a dedicated office phone number. You may not care or need any of these things. Take the time to figure out what is important to you and what that will do to the ultimate rental price.
- Where are you going to get lunch? This isn’t so silly a question. Some places are located in suburban office parks and you have to travel some distance to find food. Others are in downtown areas or in walkable neighborhoods.
- Can you try before you rent? One of the places near me offers a free day pass to check them out. But they also offer the most flexible pricing and usage plans: you can rent an office for a single day or a year, and there are a wide variety of floor plans and even an interesting hybrid shared but private office that has a locked door but can house a dozen people sitting at study carrels. Other places may not be as flexible or offer a complete array of rental terms. Some can be useful just for temporary team conference meetings too.
- How quiet or noisy are the spaces? In my travels around to these places, many people worked with headphones on to isolate themselves and concentrate. You may want to check this out if the ambient sound level is important to you. Of course, the noise level varies depending on how many people are there on any given day.
- Do you need 24×7 access to your office? Some of the properties offer this, some don’t, some charge extra if you want to enter after normal work hours. If this is critical, make sure you ask for the details.
- Are you a party person? Some try to foster more of a sense of community with after-hours events and lectures. Others are strictly utilitarian.
- Do you really need your own office? Many of us can work with a laptop and a cellphone and not much more. If you need a lot of stuff as part of your job, you need a private office to house it all. Some places have lockers that you can store your stuff in as part of their rental fee.
- Will you be going to your office more often than not? If you are going to be out and about, or only in town occasionally, then having one of these spaces could be economical.
- Is parking a hassle? Some places have free parking or include it in their rental fees; at others you are on your own or pay extra.
- Does the place have arrangements for co-working in other cities? Some of the larger operators, such as WeWork and Spaces, offer complimentary rentals in other cities in their networks.
This week Paul Gillin and I delve into details about the power of polarization in our podcast. Brands can certainly benefit, and this article shows exactly how Nike and Dick’s saw an increase in certain metrics after they took a particular political stand. Their experience shows that brands can reap benefits both from the positive and negative sentiment around a particular conversation. We wish more companies would take a stand on things that energize their most passionate advocates.
Next up is our favorite medium: podcasts. This story about how American Airlines turned an internal short podcast into a marketing benefit is worth noting. The podcast covers the behind-the-scenes thinking on airline policies. It was originally meant for employees, but executives decided to post the episodes publicly, saying “There really is no such thing as internal communications anymore.”
Speaking about podcasts, some media companies have begun to sour on using them. The problem is one of managing expectations, and that quality costs money. NPR’s “Serial” podcast is a good case-in-point: it was well done, but expensive.
We close this week’s show by talking about how the inevitable disappointment in voice (aka Alexa-based) marketing has set in, as witnessed by Marketing Week. Yes, the interface isn’t as intuitive as it could be, and certainly nowhere as comprehensive as typing on a keyboard. Plus, we all like to see the stuff we intend to buy, even if it is just a picture online. That reminds us of our favorite “Star Trek” clip of Mr. Scott, trying to use voice commands, only to end up typing on the keyboard.
You can listen to our 16min. podcast here:
Last month the US DoJ unsealed this indictment of a North Korean spy, Park Jin Hyok, who they claim was behind the hacks against Sony and the creation and distribution of WannaCry. It is a 170+ page document that was written by Nathan Shields of the FBI’s LA office and shows the careful sequence of forensic analysis they used to figure out how various attacks were conducted. In this post for CSOonline, I talk about some of the implications for IT managers, based on the extensive details described in the indictment.
We have a new co-working space in St. Louis that brings the total to six choices in my immediate neighborhood of the Central West End to locate your office. These are alternatives to renting your own office, or when your business has grown beyond your dining room and requires something more professional. Or when you need temporary conference space, or want to conduct a training session. They combine flexibility with the gig economy, and provide benefits and camaraderie too. I am a big fan of these places, even though I inhabit my own permanent office.
The new kid in the ‘hood is called Spaces and is part of a network of hundreds of sites located across the country and around the world. I wrote this review for Nicki’s Central West End Guide about them and its competitors. Surprisingly, it was hard to pin down prices on office rental. I also suggest a few things to think about when you are trying to choose your space that can apply no matter where you are located.
I wrote a series of blog posts at SaltConf18 in September 2018. SaltStack is a devops automation, remote control and orchestration tool that has a great deal of power and is used in some very large enterprise networks managing hundreds of thousands of servers. I also wrote white papers about their technology and its applications.
Here are links to the various pieces:
— I wrote this white paper which talks about typical use cases of the SaltStack Enterprise product and Salt’s key features.
— The relationship of the digital and physical worlds has never been closer, a post about Cyndi Tetro’s session.
— Examining how IBM Cloud and Cloudflare use Salt to manage their global networks (forthcoming)
This week we discuss a few different items, all revolving around one kind of disaster or another. First, we note the news about the Benioffs buying Time magazine. With a fire-sale price, perhaps they can keep the weekly news magazine afloat and fund journalism that the publishers couldn’t do on their own. But will either of us read it in the future? Doubtful.
Next up, Paul wrote this fascinating article about a Talend GDPR survey. It shows that marketers can avail themselves of numerous after-the-fact opportunities. Who is talking about GDPR since the May deadline? We’ve heard crickets. Clearly, there is still much to be said about compliance, and the punishments ahead, such as the recent breach of British Airways’ customer data. Lawyers are standing by, to be sure.
Given the situation in the Carolinas with Florence, it’s timely to discuss some caveats and suggestions for natural disaster marketing. The thoughts covered in this blog post about how to tread carefully during these times are worth reviewing.
Next, Paul has a beef with a “new” product announcement for a product that was announced on a company blog three weeks ago. This means to us that it wasn’t actually new. If it is in the public, that is the news moment. After all, we can look this stuff up. Don’t pass off your news when it isn’t; you won’t engender any trust.
We also mention this post about how patients are desperate to resemble their doctored selfies, with plastic surgeons alarmed by “Snapchat dysmorphia.” While it had its beginnings with Instagram and Facebook, the elective surgery is frightening and depressing. David suggested reading Alicia Eler’s Selfie Generation book. When we asked her about this trend, she said “I see this as part of the same trend of selfie dysmorphia found on Instagram. Snapchat is used most by people under 23, so this is just another facet of the same selfie psychology stuff.”
Listen to our 17 min. podcast here:
Normally, these essays are a lot less personal, where I write about something tech-related. Today I want to talk about myself. Actually, my hearing.
You see, I was born deaf in my left ear. I didn’t realize it for several years, until one day I happened to pick up a ringing phone in my left hand while I was eating something in my right hand. I didn’t hear anyone. Back in those days, they didn’t test kids for hearing until later on.
Being monaural meant I have never heard stereo, have difficulty locating the direction of sounds, and it is tough when I am in noisy places. My wife has so gotten used to being on my right side that when she is with her friends she tends to migrate to that position too.
But my deafness isn’t all that debilitating. At least it wasn’t until 20 years ago, when I started getting these random dizzy spells. They would happen seemingly at random: sometimes when I was just sitting in my kitchen in the early morning, reading the paper. Once I got one when I was on a flight – that wasn’t fun, but fortunately I could lie down across a row of seats and just hope it would be over quickly.
Eventually, I was diagnosed with Meniere’s Disease, which has no known cure and no simple cause. As you can see from the above diagram, your ear is a very complex organ, with a lot of moving parts. Some folks have it worse, with daily dizzy spells that severely limit what they can do. Mine were relatively minor. To try to fix things, I went through dietary changes, saw a lot of different doctors, gave up driving for a while. And then the dizziness went away.
However, it was replaced by something less onerous but equally vexing: Tinnitus. A constant ringing in my one working ear. Sometimes the ringing would be more noticeable at certain times than others. Lack of sleep, added stress, too much alcohol or caffeine: all of these would make the ringing noise worse. I can hear the ringing right now as I write this.
One of the interesting aspects of Tinnitus is that it comes in various shapes and sizes. People hear different sounds and at different modulations and frequencies. For some patients, it can be just as debilitating as my original Meniere’s. For others, like me, it is just mild enough to be annoying.
Over the years, I have learned to deal with it. Sometimes I would hold a pity party for myself, sometimes the ringing was more than annoying, especially when I was in crowded noisy rooms or restaurants. I remember one time I was at a professional conference of about 300 people. For dinner, we were seated at very long tables in a cavernous room and the noise was literally deafening. I quickly ate my meal and literally ran back to my room, in pain from the noise. I know it looked odd to my dinner companions.
For the most part I accepted the ringing and figured it was better than being dizzy and having the whole world spin around me. But it wasn’t until this summer, when I went to a medical conference on Tinnitus, that I realized what I hadn’t yet accomplished was actually owning my disease, and facing it head-on. Or ear-on, as it were.
What does owning mean? It means that you control it, rather than it controlling you. You aren’t defined by your Tinnitus, you aren’t at its mercy, and you manage your own treatment and your own response to the disease. The noise you and I hear may be all in our heads, but we have to use our brains to figure out a way to cope and live our lives. For some reason I didn’t really understand what owning my Tinnitus meant until I was sitting in that medical conference, listening to the various presentations. Then it all clicked, so to speak.
As patients, we tend to interact with the medical/industrial complex at the moment when we have a problem: we break a bone, we want it fixed. We have an infection, we want to get rid of it by taking medicine or getting surgery. But that single-point-of-contact approach with our doctors doesn’t work with a chronic condition such as Tinnitus (or Meniere’s or whatever). That is because research is ongoing: new drugs, new procedures, new devices, and so forth. We aren’t watching the medical literature like our doctors are doing, because we are busy living our lives. And even if we are willing to put the time into doing Internet research, we aren’t going to medical conferences and learning about many of the latest technologies and techniques that don’t reach the general public for several years.
So I came away from the Tinnitus conference with newfound conviction, and one of the first things that I wanted to do is to get fitted for a hearing aid. The process is relatively simple to explain: you sit in a sound proof booth and listen carefully as the audiologist plays various sounds to test your hearing. But like many medical solutions, the devil is in the implementation details. And as patients, we have to learn a lot before we can figure out the best course of treatment. I found I had some slight high-frequency hearing loss, which is pretty typical for someone my age. So while my hearing is “fine” I could benefit from an aid.
Here’s the thing. When you don’t hear across all the frequencies you are supposed to, your brain doesn’t get to process those sounds, and it is likely that your hearing will only deteriorate as you get older. You go to the gym to maintain and build muscle tone. You need the sonic equivalent of that to maintain your hearing “muscles.”
Before I got an aid I also had to conquer the “old man” stereotype about wearing one. My dad resisted getting an aid for a long time, and by the time he got one it was too late to do much help. But the modern aids aren’t that noticeable, and if I had long hair they would be almost invisible. This is because they separate the battery compartment and the sound processor (which sits behind your ear) from the speaker, which goes inside your ear canal. The two are connected by a very thin wire.
Then I had to decide which problem I wanted to fix more: Did I want a hearing aid that would simulate stereo by placing a microphone in my deaf ear and transmitting the sound to my hearing ear? Did I want an aid to give me more high frequency amplification? Did I want an aid to try to counteract my Tinnitus? Turns out I couldn’t have all three in a single aid.
To fix the deaf ear, there are specialized aids called CROS and BAHA that are available. Years ago I tried the BAHA and I could hear stereo and place the direction of sounds behind me, and it was amazing. But these aids require surgery, and I passed on that opportunity. I tried the CROS aid this time around and didn’t get much benefit from it. So forget that issue: I have lived up until now with a single ear. I decided to look elsewhere, and focus on the latter two issues (Tinnitus and high frequency boost).
At the Tinnitus conference, I got to see what the latest aid technologies were – and being a techy kinda guy, I was somewhat excited. The aids can be used as a Bluetooth headset for your phone. They have all sorts of programmable modes that work with your smartphone. They even come with GPS chips so you can try to track them down if you misplace them. They can help you cook your dinner. Well, not that last item, but almost.
Now, I should know better than to trust the wonderful claims of tech vendors. I found the software lacking: unless I set it up in a certain sequence, the smartphone app (as nifty as it possibly could be) would crash. Hearing the word “Bluetooth,” I immediately thought that the sonic quality of the aid would be close to what an AirPod would be, and it wasn’t even close. Outdoors in a high wind, the aid wasn’t very usable as a phone headset. I am still getting used to having something sitting in my ear canal during most of the day. And the various programmable modes that I can dial into on my phone really don’t make much difference (at least that I can distinguish) in what I can hear from the aid. My audiologist says that my results are typical for many of his patients. Some of the aids have even buggier smartphone software controls.
However, if I leave these issues aside, I can hear better with my aid, especially those higher-frequency sounds. And the aid does help reduce the ringing tone of my Tinnitus, which was one of the original goals.
I am still learning how to own my Tinnitus, but the hearing aid is a great first step. And here are links to the American Tinnitus Association and the Vestibular Disorders Association, both of which have helped me find other sufferers and great helpful resources to cope.
There is a growing trend in information security to be able to hack back or use various direct measures to attack your attackers. There are several issues:
- attributing an attack to the right source,
- understanding the attacker’s intent, and
- developing the right red team skills.
In this talk given at Secure World St. Louis this month, I will talk about the ways that an enterprise can defend itself, and how to go about this process.