The evolution of internet faxing

Almost 30 years ago, two computer geeks – Marshall Rose and Carl Malamud — put together the first wide-scale attempt at sending faxes over the internet. In the beginning, it was fairly modest, with service reaching a few select cities in the USA and Canberra Australia. The two geeks were fans of the campy 1960’s movie “The President’s Analyst” which was why they named their venture TPC.INT. If you haven’t ever seen a .INT domain name, here is a list of them according to Wikipedia, they are websites for various international organizations. In true Rose/Malamud fashion, they wrote a series of internet RFCs (here is one) to document how the thing worked. (Here is a short history of TPC.INT domain and here is a collection of the first set of faxes they received at their launch.) It relied on a series of volunteers who would have internet-connected computers that would connect to a standard phone line and make local fax calls (this was before long distance VOIP lines were common, let alone cell phones) and make a call to an actual fax machine. The duo called TPC “an experiment in remote printing” because that was the concept: sending a document to a fax-based “printer” that was located at some other place in the world.

While TPC was getting together, PC component vendors were building in fax modems as part of their overall modem electronics. For those of you that think a modem is what connects you to the internet through your cable or DSL provider, back in the dial-up days we had modems that plugged into ordinary analog phone lines. One of the first successes was add-in board from Intel that was called SatisFAXtion. This allowed you to fax directly from your DOS applications. Here is a box shot of the adapter.

Anyway, those early experiments brought about an entire service industry that is now dominated by the likes of eFax and jFax. While TPC was just for sending faxes via email (and later via a web browser), these services have expanded to also receiving them (via a fax-to-email interface) and using a variety of modalities, including your mobile phone, cloud storage and dedicated clients.

Along the way, I wrote a few articles for businesses that wanted to use these services, such as “Faxing on the Go” in 1999 for Computerworld and another column for PC World about their basics in 2009. For years I maintained a table comparing services on my website, but given that there are so many places to find more in-depth reviews of these services (including PC Magazine, Tom’s Hardware, and NYTimes’ Wirecutter, just to name three), I gave up trying to keep the table current. If you are looking for an internet fax provider take a look at the Tom’s review. If you scroll down, they will help you frame your decision (do you need multiple inbound fax numbers, custom cover pages, searchable archives, and so forth). The two services that I currently use are eFax (I got on board their free service and still have a working inbound fax number) and FaxZero (which is great for the once-in-a-blue-moon frequency that I need to send faxes). The three review sites have their favorites based on various criteria.

Why was I thinking about internet fax? Last week I was opening a new IRA account. I began with a simple online application, then I needed to send in some documents to the bank. My delivery choices were as follows:

  • A secure file upload web portal
  • Sending regular postal mail with my check (not a good idea, given the state of the USPS these days)
  • Sending an overnight letter (to a different address than above, of course)
  • Or sending a fax.

If I used the portal or fax, I would need to talk to a bank representative to provide my existing bank account that they could use to collect the funds. I chose the portal. The experience was far from seamless, which is more a matter of why fax continues to this day. It seems when I have to deal with a bank, an insurance company, or a doctor’s office, all of them still use faxes.

Certainly, we have come a long way since those early days when fax machines used special paper that would fade in strong sunlight. And while there are a number of ways to securely send files (as I wrote about recently for The Verge here), sending a fax is still a lot easier.

Avast blog: School cybercrime attacks are on the rise

You may have heard the term “script kiddies”, which usually refers to adults who hack into business networks. However, lately there has been a significant rise in cybercrime attacks from actual school-age children. A new report from the UK’s National Crime Agency has found the average age for DDoS hackers has dropped to 15, with some students being as young as nine years old. The issue is that DDoS attacks are easy enough for even a kid to carry out.

You can read my analysis of the trend and what the UK is doing to stem the tide here in a blog for Avast.

Book review: Ahead of the Game

As someone deeply steeped in the tech industry, I am embarrassed to admit that reading Ahead of the Game by Kevin Ryan (a business tech reporter) is the first time I have heard of Delane Parnell and his rise to run one of the most successful startups of the modern era. His company, PlayVS, has grown into an eSports powerhouse, and Parnell’s origin story is told with lots of verve and interest in this book.

Parnell showed early signs that he was going to be a great business leader. As a teenager, he leveraged his way from working in a cell phone store to becoming a partner and owning several of them in his native Detroit.

When he funded his first venture round, he was the third largest such round by a Black-owned business. PlayVS was responsible for recruiting thousands of high school gamers to participate in the first ever varsity-level gaming contests, with almost half of the players being in their first after-school activity ever. The story shows the numerous obstacles that the venture capital world — like the rest of society — places on successful Black entrepreneurs and how Parnell managed to overcome them to build his company. For all potential entrepreneurs, this is a must-read book.

My former boss Jason Calacanis interviewed Parnell at the beginning of the Covid pandemic in April 2020 on This Week in Startups. If you don’t want to read the book, you can watch the interview, where Parnell talks about going to Jason’s Launch event as a teenager and getting inspired by the conference and meeting other startups.

CSOonline: how to run an effective red/blue team exercise

In the arsenal of cybersecurity defenses is the series of exercises that go by the name of red team/blue team simulated attack. These simulations are purposely designed to closely mimic actual real-world conditions. For example, one of the red team members would take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.

In this piece for CSOonline, I discuss the difference between the various colored designations, why you would want to conduct these exercises, and some recommended steps to take to pull this off.

Linode has published an excellent series of red team exercises that is worth looking at.

The latest skirmish in the PR/journalist fight: ghosting each other

The Art of Selling in Public Relations - "What's HAppening" BlogSome of you might know about Cision as the company that currently operates PR Newswire (where vendors can post press releases). But they also maintain a database of press contacts with their beats and contact preferences. I have been on this list for decades, and periodically they ask me to update my data. Last week they asked me to participate in their latest survey that will form the basis of their “Global State of the Media” report. I gladly filled it out. One of the questions was: “What would make you block a PR person or put them on the “do not call” list?

Now, I sharpened my virtual pencil and got ready to dish. I have noticed a notable degradation in the quality of PR responses to my own queries. In a recent story for CSOonline on email security suites, four of the vendors (out of 13 initially contacted) didn’t even respond.

Anyway, to answer the question you were presented with lots of situations. I checked the following:

Last minute cancelation, spamming irrelevant pitches, repeated follow ups (more on that in a moment), broken embargo promises, failure to respond within my deadline and lack of transparency. All of these I have experienced since 1987 when I first began writing for PC Week as a tech reporter. The repeated follow-ups is a thing, and one of the subsequent questions from Cision was how often is too many follow-ups? (That’s easy. My answer, anything greater than zero. Assume no answer means no interest.)

I probably could have checked the others, but restrained myself:

Brochure-ware sounding pitches, inaccurate information (this is the only product that does X), calling me by my wrong name (making botched mail-merges obvious) and unsolicited social media pitches.

I will give you an example of “this is the only product” sort of email that I periodically get, this one taken from recently correspondence where company X was defined as “the only company that unifies identity proofing and passwordless authentication.” I replied: You could say the same thing about half a dozen companies right now, depending on how you define “ID proofing” or “passwordless” or even “authentication.” HYPR, Auth0, Secret Double Octopus, Trusona, Iovation’s TruValidate (maybe, but they didn’t respond to my queries), Cisco/Duo, and many that are part of the FIDO Alliance all could fall into this category. All of these vendors do identity validation beyond the “typical” multi-factor authentication mechanisms. My PR contact said, “Getting people to understand that identity and authentication are two different things is why account compromise attacks are so rampant.” Very true, dat.

Now, that was a nice discussion with this PR person, whom I have known for at least 15 years, and probably longer. He is genuinely good at his job, which is why we could have this back-and-forth discussion and not just hit the eject button to ghost each other.

As I have already hinted at, one of the preset responses that wasn’t included in the Cision survey was being unresponsive to my own queries. I am amazed at how few PR people (or at least their email address) don’t respond to a direct question about their products. What, they are too busy? One of the challenges of having this group email box is that it relieves everyone from any actual responsibility to follow up. The generally accepted reply time period is that same business day. Often, I have to send a second email, or try to track down a real person’s phone number, in search of an answer. You would think that a live press query would move the massive PR machine like a tsunami moving across the ocean, but in a good way I hope.

This isn’t new, sad to say. Around the virtual water-cooler that my fellow tech reporters frequent, the complaints about badly behaving PR folks is an evergreen topic. Some people do abuse their contact lists, to be sure. Given that the supply of freshly minted comms undergrads continues (my daughter is one of them, ahem), there will always be inexperienced PR folks to train and to learn the ways of world. Back in the late 1980s, the incoming tray of the PC Week fax machine would be filled to overflowing with unsolicited pitches. Now we just have our inbox, plus all of our social media accounts to deal with. I am not sure that is an improvement.

Let’s talk about that hallowed ground, the reporter’s email inbox, for a moment. Some people are offended by receiving a single email: I guess the effort involved in placing your middle finger on the delete key is too much effort. Certainly, this is more effort than tossing a bunch of faxed pages into the nearby trash. But I try not to get too worked up about my overflowing inbox. Yes, if I am out of the office (where else am I going to be these days, anyway?) for any extended period of time the emails do pile up.

Should we ghost each other? I don’t know but notice how I phrased that question. It has to be a two-way street. Should there be allowable offenses, or red lines that we can’t cross? Perhaps. Cision does try to indicate the preferred contact mechanism (hint: for me, it is email). One good thing about the modern era is that I almost never get a telephone pitch call, something that was common c.1989. But let’s hope we can treat each other with respect. We are in this together.

Book review: A biography of the Pixel by Alvy Ray Smith

Alvy Ray Smith played a key role in creating a great deal of digital graphics content over the decades he worked at Lucasfilm and Pixar, and this book is a tour de force and a tour of the people, places, technologies, and companies that played key roles in these creations. The book, A Biography of the Pixel,  serves to correct the historical record about how the early digital computers and computer graphics software came to be and also provides the links between these early efforts — some of which might be well-known to you and some won’t be — and how different (almost always) men stood on each other’s shoulders to get us to where we are today. The illustrations are genius and help to explain his points in the evolutionary cycles of the Fourier series, Kotelnikov’s sampling equations, and Turing’s computational efforts, how computers and digital animation worked hand-in-hand, and the great digital convergence that we know and love today and celebrate what Smith calls Digital Light. You don’t have to know any math to find his explanations lucid and indeed, delightful. These innovators not only had a great scientific idea but drove technology into a fruitful application, while finding powerful supporters to help promote them. Along the way, you’ll see some old myths busted that digital can fully represent analog pictures and sound and how computers don’t have to be electronic numerical calculators — instead, they have become the most “malleable tool ever invented by humankind.”

I realize that a 500+ page book is a big commitment. I would start by reading the Finale chapter, which is a neat summary of all that Smith has presented in one cogent narrative. That should whet your appetite to want to dive into the entire epic journey.

Is it time to consider web v3?

I am not so sure. For those of you keeping score at home, web v1 was the early days where we had web servers delivering static pages of mostly text, starting in the early 1990s and lasting until about 2003 or 2004. The next version was the dynamic web where we created our own content, and where we freely gave away our privacy and data so that we could post cat memes and dance videos to the now giants of Facebook /Apple/Amazon/Netflix/Google, otherwise called FAANG. (Facebook and Google have renamed themselves, but the acronym has stuck.)

But now it is time for a new iteration, and v3 attempts to create a more egalitarian internet, protected by encrypted tokens that can keep everyone’s identity and data private and secure. Say what? At least, that is the plan.

Whether or not you agree with this vision, it has largely been unrealized. Yes, there is a Web 3 Foundation, and you can see at that link a very complex tech stack that will consist of multiple protocol layers, much still TBD. For those of us that cut our teeth on HTML, CSS, and HTTPS, these protocols are pretty much unknown.

Scott Carey writes in Infoworld summing things up this way: “To access most Web3 applications, users will need a crypto wallet, most likely a new browser, an understanding of a whole new world of terminology, and a willingness to pay the volatile gas fees required to perform actions on the Ethereum blockchain. Those are significant barriers to entry for the average internet user.” I’ll say. If you have never had a crypto wallet, never used Rust or Solidity and don’t know what a gas fee is, you need to go to web3 study hall. You may not understand the tech behind it — I don’t fully understand all of these items — but that is the point. The decentralized web is being built on a series of protocols and there are a lot of gaps.

But let’s put aside all the new tech and answer a few basic questions.

What is the role of clients and servers? One of the first things you come to is needing to understand the difference between clients and servers. In the web1 and web2 worlds, there were browsers, and there were various servers (web, database, applications, payments, and so forth). It was a pretty clean separation of powers. Some of us were happy to never touch any kind of server, something that leads off Moxie Marlinspike’s “first impressions” blog post. I don’t agree with this position. I have been running my own web server for more than 25 years. I wouldn’t have it any other way. I like being “master of my domain” (which is more than just running my own server, such as being able to move it from one place to another across the internet, which I had to do last year when my ISP went out of business).

I think what Moxie meant to say is that most people don’t like configuring and maintaining their own servers. But that is why we have ISPs.

But look at the tech stack that we are promised with web3: that is a lot of tech to deal with. If we had resistance to configuring HTML and HTTP, imagine what amount of pain we will be faced when all this new stuff comes to fruition?

Lance Ulanoff writes that the vision for web3 is “more a combination of edgy new technology and a reaction to centralized control.” He goes on to discuss some of the early descriptions before the web3 term came into the popular lexicon, such as the semantic web that was tossed around back in 2006. He describes web3 being when we can control our interactions and have a universal identity across all systems. That’s nice, but so much of the current vision about web3 doesn’t really fill in the blanks about how this control will happen or how we can create these universal identities. Moxie says that we need to use cryptography rather than infrastructure to distribute trust. I completely agree. Ignoring the trust issues is dangerous — look how long it has taken us to resolve email trust issues, and those protocols were created decades ago.

But how this infrastructure play out brings us to my next question:

What is the role of peer-to-peer (p2p) technology? Remember Napster and peer file sharing of music and videos? Back then (roughly 2000-2005), everyone was digitizing their CDs, or stealing music from others, or both. Napster and LimeWire and the other apps created peer file servers on your hard disk, and you then shared your digitized content with the world. Sharing wasn’t caring, and lawsuits ensued. Now we just pay Netflix et al. and stream the content when we want to listen or watch something. Who needs possession of the actual bits?

But see what has happened here: we went from this idealized p2p world to today where just a few centralized businesses (like FAANG) run the show. This could be the fate of web3, and all this talk about a decentralized, egalitarian web could fall apart. Today’s crypto/NFT world depends on just a few centralized service providers, and the distinction between client and server in a fully decentralized p2p blockchain isn’t all that clear, as one of the Ethereum founders Vitaly Buterin points out. He says that there are various gaps in web3 which are bridged with the various API suppliers, such as Infura and Opensea. The issue that Moxie has is that many NFT and crypto advocates have just accepted the role of these API vendors without much thought about the implications. Moxie is worried that these vendors have a lot of control over things, and that there is the potential for the decentralized web3 to turn into a less efficient and less private version of today’s internet. Think of one nightmare scenario, where Facebook (or one of the other giants) has its own web3 servers, APIs, and alt-coins. The horror!

But you think crypto is cool, and there is money to be made. Now we get to the real meat of the matter. Forget about a more equal internet and singing kumbaya off into the sunset. Let’s talk about how high the various alt-coins are trading at – or not, depending on when you entered the market. Remember the internet bubble of 1999-2000, when domains were being bought and sold on little more than a pitch deck. That was Gold Rush v1, and all you had to do to participate was to buy a domain and flip it. (I am guilty of this, but I didn’t buy my domain to flip it. I just got lucky.)  You could argue that all you need now is to hold a basket of crypto coins — as some of you have done. But look at all the knowledge you have to collect to participate in this gold rush. Nevertheless, there is some cool stuff that is being built, as this blogger documents. This post basically rebuts a few of Moxie’s complaints while making Moxie’s point that this is very early stuff.

So go cautiously into the web3 night, and good luck learning about all the requisite tech that will be needed. And for those of you complaining about the decentralized and private web of the future, you might want to spend some time doing the basic blocking and tackling and eliminating duplicate passwords and implementing MFA logins now, because you’ll need something like them to get on the blockchain train. Or at least protect all those crypto funds in your wallet from being lost or stolen.

Avast blog: Beware of a new and dangerous RDP exploit

The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft. Given that all versions of Windows for the past 10 years – for both desktop and server – need to be patched, you should put this on your priority list, especially since this new problem can be easily exploited. In my latest post for Avast’s blog, I describe what this new challenge is about and ways that you can minimize any potential expoits.

TheVerge: Ways to securely share files in the cloud

The Verge has put together a solid collection of articles on how to deal with the not-so-new realities of working from home, They had me write a piece on how to share your work files and you can read it here. The days when we were all connected to the same shared drive or local network folder are now quaint memories. But today’s sharing files will take some careful planning, particularly if you want to do so as securely as possible.

In my article, I cover the various methods that are available, from sharing a file attached to an email or instant message to using public cloud services like Dropbox to using Google Workspace and Microsoft OneDrive. But the best solution is a group of business-related cloud services that I summarize in this chart.

Vendor Monthly pricing Max. file upload Free trial period Application integration
Egnyte $20/user 100 GB 15 days Extensive
SecureDocs $250 for unlimited users Unlimited 14 days Limited
ShareFile/Citrix $50 for unlimited users 100 GB 30 days Extensive
SugarSync $55 for 3 users 300 GB for web clients 30 days Limited

Avast blog: Introducing a business guide to tackle credential stuffing attacks

One of the biggest threats facing both large and small businesses alike goes by the moniker credential stuffing. In these attacks, the bad guys count on our reuse of passwords across two or more logins, and once they find a user name/password that works, they try to use that information to break into our other accounts. Akamai, in its latest State of the Internet report, says that it has seen over 193 billion credential stuffing attacks in 2020. These attacks can cost billions of dollars annually, when adding up the cost of remediating the problem, handling all the user calls for password resets, and changing other operations. The office of New York Attorney General Letitia James has found thousands of posts containing login credentials that had been tested in credential stuffing attacks. In order to combat credential stuffing attacks, James’ office recently released a business guide.

You can read more about ways to fight credential stuffing attacks in my latest post for Avast’s blog here.