Becoming master of your internet domain (updated)

If you are starting a new business, you have to pick the right name. There is a lot that goes into figuring out what is “right” — including whether the name is unique, whether it is memorable, whether it is descriptive of what your business does and provides, and so forth. But one thing many startups ignore is how the name will play out across the internet and its various manifestations. Becoming master of your domain (ok, you know I was going there, sorry) isn’t easy, and it has gotten a lot harder.

When I first got my domain (strom.com), the internet was still shiny and new, with large, mostly undiscovered tracts of land ripe for the picking. Getting my domain took a matter of minutes, and didn’t cost me anything. Then the land speculators moved in, and we have the mess that we are in now. Why didn’t I pick strom.net or for that matter davidstrom.com while I was at it? Don’t know. (My full name is in use by a photography firm now.) I did manage to flip a domain that I owned for all of a day or so and made some coin, but that was nothing like being-able-to-retire kind of dough. Sigh.

I have said for years that the best domain names are aurally-pleasing, meaning that you can say them to someone and they can remember the name and more importantly, remember how to spell it without you having to spell it out for them. (If you have to insert hyphens or extra letters, that spells trouble.) But that is just the first part of your domain.

When I wrote about this topic back in 2006, the number of top-level domain extensions — the second part of the domain after the dot — was limited: besides the usual stuff of .com, .net and .org to choose from, we could also select various country-specific extensions such as .uk and .fr. Since then, ICANN, the standards body that sets the rules, has introduced hundreds of extensions, from .store to .xyz to .info to business-specific ones like .travel. I have owned for many years webinformant.tv, which was a fan favorite for a while (the extension refers to a South Pacific island which has reaped some small rewards), just like the countries of Anguilla and a territory in the Indian Ocean have done for .ai and .io respectively.

But the domain name is just one aspect of your internet identity. There are also social networks, where you want to coordinate what you use for your domain name with the user account that will be part of any future communications. Given the millions of user accounts on these services, that is a much harder name space in which to find something that hasn’t already been taken.

This means you need a better search tool, and there are several places you can go. No single tool does it all — are you surprised?

My favorite and initial go-to for this research is Knowem.com. It allows you to search through 500 popular social networks, along with over 150 domain extensions, and the entire USPTO Trademark database. You can quickly figure out what has been taken, and what is still available. The domain extension search is focused on the country-specific ones, which it arranges by continent. It only shows you whether or not a domain is available.

Second best is Google’s own domains.google — this allows you to search 300 domain extensions if you want to find something a bit more unusual. It also shows you the current market rate for a particular available name, which may or may not be accurate, depending on which registrar you end up using to buy the domain. For example, both strom.tech and strom.store are each available for $1000/year. I will give both a hard pass.

If you want to do further research on just the domains, I would also use Domainchecktools.com. It provides deeper research into about-to-expire domains, which again may or may not be accurate. Some of this info can be obtained from the internet command whois, which sometimes shows you who owns a particular domain, when it was purchased and when it expires.

Then there is the entire world of whether or not to use a domain broker to hold your cash until the domain record is transferred over to you, which registrar to use to handle your domain, and whether that should be the same as the ISP that will handle your actual web and email services. I prefer to have separate entities just in case I want to move the domain independently of the actual content, but will leave that for another day.

A reader’s guide to Twitter’s supposed demise

I asked last November if we were witnessing the end of Twitter, and pointed out that the company has become more town dump than town square. Let’s review what has happened at Twitter and what we have learned about its internal operations since then. The short answer: things are worse, but not necessarily in ways that were anticipated when Elon took the company private.

Yes, there have been some notable service outages, which is to be expected given how most of its engineering staff has quit or been fired over the past several months and because one of its major data centers was shuttered. But for the most part, the service is still running. That’s great, and we could credit Elon for perhaps picking the right people to keep the lights on. (This is why I use the “supposed” adjective in the title of this piece.)

There is this behind-the-scene story about what has happened post-Elon at Twitter in New York Magazine, taken from reporting from former employees’ interviews, and well worth reading. In summary, it was complete chaos. There is also another Washington Post piece that summarizes three primary source documents: First is the Jan.6th committee’s “Purple team report” draft that was never adopted by the full committee (and that the Post has published here.) The other two documents are transcripts of testimony of two former Twitter staffers taken by the committee last fall: one by “J Johnson” (a pseudonym) who was an engineer and part of a safety policy review team and one by Anika Navaroli who was a senior safety policy domain specialist with a legal and free speech background. I will return to these documents in a moment.

One of Elon’s major rallying cries has been to attempt to neutralize the bots. This isn’t a new problem: I first wrote about the problem with bots and their abuses of Twitter more than 10 years ago. I saw my own follower count plummet right after his takeover – whether that was people terminating their own accounts or through any bot cleansing I can’t really say. Clearly, this was never much of a priority at Twitter beforehand.

Another Elon focus was to reinstate previously banned users, most notably our former president who had nearly 88M followers when he was kicked off on January 8, 2021. Part of the reinstatement is that you can now review all his tweets — he has not posted anything since his reinstatement. (There is also this archive of his entire tweet corpus, including deleted tweets for your own reference.)

Before I dive into the Jan. 6 documents, I should mention one other historical note. Last summer, after the revelations of Mudge’s tenure at the company, I wrote about some of its major infosec operational failures. Ironically, Mudge was fired in January 2022 for poor performance and ineffective leadership, something which seems to be the new normal for post-Elon Twitter.

The Mudge report provides context for the great failures of social media to moderate their most dangerous and hateful content, which is documented in the Jan. 6 committee’s Purple team report which outlines these failures as it relates to that fateful date at the Capitol. The draft document was supposed to be included as an appendix to the full committee report but only made it as far as a draft. It covers more than a dozen different social media properties and how they wrestled with their content moderation policies, “terrified of the backlash they would get if they followed their own rules and applied them to Trump,” as Johnson testified. “My safety policy team colleagues were still very unclear about what we should be doing. Twitter leadership were aware of the risks we raised, but they didn’t do anything to help address those risks and concerns. They were reluctant to intervene and block these tweets.” Instead, the social networks helped amplify these messages. The Purple draft report shows just how hard it is to turn this around: the tools are blunt-force instruments at best.

Using language such as “locked and loaded” or “Be there, it will be wild” or the debate comment “stand back and stand by” concerned the moderation teams, who consistently raised alarms at how these words were being amplified across their network. Johnson testified: “There was never, to my knowledge, leadership convening a meeting and saying, Violence has broken out. You have the green light to take it all down. That never happened.”

Navaroli testified: “I do not remember ever seeing any threat model or threat analysis leading up to the election.” Del Harvey was the executive in charge of Twitter’s content moderation and security teams. Navaroli said Harvey didn’t understand the need for policies to limit Trump’s speech, or the urgency to put them in place prior to the election of Nov. 2020, or that there was a gap in coverage of existing Twitter policies. Navaroli called it magical thinking, and said that Harvey refused to take any potential threats seriously. This continued into 2021, when she eventually left the company.

Her testimony highlights the lack of any content analysis tools at Twitter: she used the same public search function on Twitter’s website as any of us. “All we had were hammers, and we needed scalpels, something more nuanced.” She also mentions that “Trump was a unique user who sat above and beyond the rules of Twitter. His tweets weren’t deleted, which is what happened with other world leaders,” (think Maduro of Venezuela or Bolsonaro of Brazil). She concludes that Trump and Twitter had a symbiotic if not parasitic relationship, and that Twitter bears the responsibility for the way Trump’s incitement to violence was posted and amplified. “I believe that January 6th was planned, orchestrated, and carried out on the Twitter platform within and right in front of our eyes using plain language and hashtags. And Twitter, in my eyes, bears the responsibility for hosting and promoting incitement to violence that led to the loss of life on January 6th.”

What does this mean for the future of Twitter? Here are a few of my thoughts:

  • Content moderation will continue to be hard, especially at the intersection of on and offline activities.
  • The legal environment is in a state of flux, with new cases before the Supreme Court as I wrote about last fall on Avast’s blog.
  • The social media landscape is complex and the interactions among the players are not well documented. Users of one network who are banned move quickly to others where they can ply their hate and incite violence. Coordination across platforms doesn’t exist.
  • There is little operational transparency of the social network operators. The Jan. 6 committee staffers got a lot of information as part of their work, some of which can be seen by the public, but most of it hasn’t yet been published. The Purple team draft raises lots of issues, and has numerous recommendations. Whether any will ever be implemented is anyone’s guess, but chances are slim that most won’t.

The end of meetings could be upon us

Last week Shopify’s COO Kaz Nejatian sent a memo to its employees saying it would cancel previously scheduled meetings of more than two people, according to CNN. “No one joined Shopify to sit in meetings,” he wrote. True, that. Larger meetings of 50 or more would only be allowed on Thursdays. This couldn’t have come at a better time: as companies have shifted to more remote workers, they also have to do a better job at meetings, and often that means less is more.

We have grown to become meeting-dependent. Part of the reason is the ubiquity of group communications tools such as Microsoft Teams and Salesforce Slack. Of course, we have always had these tools in the past (remember Notes and Groupwise?) but the tools have gotten better. Ironically, this means meetings can proliferate and the potential for abuse increases. We’ll see where Shopify ends up in a few months and whether they are successful at taming the meeting monster. I recall back in the 1990s, Computer Associates used to turn off their corporate email system for several hours during the workday so employees could focus on their real work. That strategy didn’t age well, to be sure.

A survey of Microsoft Teams usage data found that since February 2020, users saw a 252% increase in their weekly meeting time and the number of weekly meetings has increased 153%. You can see the trends over the past couple of years in this chart below.

Microsoft found that people are becoming more intentional about taking breaks, avoiding double booking, and establishing meeting-free work blocks, along with having shorter and more ad hoc meetings according to their Outlook calendar data studied as part of this report. All of these things are great, and perhaps a Shopify shock to the overall culture has some chance of success.

As I said, it is about time. I have written about this subject for more than a decade, including this blog post from 2012 about how to be more effective at scheduling them and the various meeting calendaring software products that should be used. (Not email!) Adam Enfroy has this comparative review of these tools.

But for the software to be effective, you have to change the culture. Entrepreneur.com has these important takeaways here, including promoting small talk for cementing personal connections, having someone be in charge of the agenda and then keeping things on track, and setting expectations up front. Some other recommendations come from an HR consulting firm and include:

  • Figure out in advance the meeting type (stand-up daily huddle, weekly tactical session, longer strategy session) and make sure everyone’s expectations line up accordingly.
  • Keep in mind one goal is to have a passionate meeting with some healthy conflict to air differences. The meeting leader should be deliberate about eliciting different speakers.
  • Dig deep for any buried conflicts and try to resolve them during the meeting.

40 Years of Email

Email and my own working life have been closely intertwined. I started using email in 1983 and over the years I have used more than three dozen different systems and sent thousands of messages and probably deleted millions of questionable ones too. So I thought I would put together some important milestones of my own usage, mapped against some significant historical email developments and show you how email has changed from those early days.

For the first 15 or so years, email use in business was a rarity. Few companies had any external connectivity, which meant users had to connect via modems back to the main office. Now we take internet and Wifi for granted.

  • 1983: Started using both MCIMail, one of the first global systems that was available to the public (the Internet was not yet available to the average worker) and a conferencing system called EIES. One job I had back then was to write automated scripts for processing messages between the two at a small software firm.
  • 1984: At an insurance company, I used an IBM mainframe email product called DISOSS for internal communications.
  • 1986: Used 3Com’s 3+Mail for internal communications at PC Week. This was one of the early LAN-based email programs. We thought we were hot stuff because we could hook up our remote offices around the country to it, something now taken for granted.
  • 1987: Wrote my first column for PC Week about hotels, modems, and email. Today the problem still remains, just replace Wifi and VPNs for the modems.
  • 1988: Managed my first remote team with editors reporting to me from California, Denver, Texas and other places. Email connectivity made this all possible.
  • 1989: Covered the launch of Lotus Notes, one of the first collaborative software tools, and lobbied Ziff Davis, where I worked, to start using it in place of 3+. They eventually did a few years later. Compuserve and MCIMail begin offering Internet gateways to their users on an experimental basis.
  • 1990: I started Network Computing magazine, where we routinely used Internet email addresses for our writers in their bylines. We used Network Courier LAN-based email, which was the precursor to Microsoft Exchange and Outlook. This was also my first entry into Internet-based email: we were able to communicate with anyone using a gateway that was maintained by UCLA.
  • 1991: Began to chart ways to send emails between two formerly disparate systems, using various gateways. The rise of Soft-Switch, which at its height could connect more than 50 different systems. They were eventually acquired by Lotus. Again, something taken for granted now. Also the year that Phil Zimmermann released PGP for email encryption. To get around US security laws, he soon published its source code as a printed book.
  • 1992: I was one of the first wireless email users of a product called RadioMail, which eventually became the BlackBerry. It worked with a one-pound radio and a one-pound HP palmtop.
  • 1993: Obtained my first Internet domain name, strom.com, for free from Network Solutions by requesting it from them via email. Before then, private businesses couldn’t really become masters of their own domains easily.
  • 1994: Groupware was the big deal back then, and Novell’s Groupwise was one of the best. Too bad that it withered away, along with the rest of Novell. This was also the year that AOL began offering an Internet gateway so its users could communicate with each other. It was far from perfect: for example, the early Mac AOL clients couldn’t read attachments from Internet senders.
  • 1995: Began the first of a series of weekly email newsletters called Web Informant using a collection of Unix scripts. Still writing them, using a hosted Mailman server by Pair.
  • 1996: Experimented with Intermind’s push technology for notifications instead of sending emails for my newsletter. Didn’t last very long. Push pooped out quickly.
  • 1997: Gave up my laptop and used borrowed computers when traveling. That didn’t last very long either. Did have the very early smartphone from AT&T that used broadband (well, it wasn’t all that broad) cellular data called CDPD, the precursor to what we all use today on our phones. This was the year that Apple acquired NeXT and incorporated its email software into various Apple operating systems.
  • 1998: This was an important year for me and was the year that I co-wrote my email book with Marshall Rose, the inventor of the POP protocols. The book covered the more popular email programs at the time, which included Lotus cc:Mail (extinct), Netscape Messenger (extinct but replaced by Thunderbird you could say), Eudora Pro (still very much alive with this open source project), Compuserve (not extinct but should be), AOL (ditto), and Microsoft’s Outlook Express (which has gone through various evolutions and still exists with its Office/365 products). Penn Jillette, of Penn and Teller fame and an early email user, wrote the foreword to our book. Out of that research is this Web page that I haven’t touched since then that shows the state of email encryption interoperability. Luckily, it has gotten better, sort of.
  • 2001: Was a regular user of Lotus Notes, which by then had been purchased by IBM, while working back at CMP.
  • 2002: Wrote about Michael Dell’s bandwidth separation anxiety here, probably one of the first of many popular instances of cutting off email.
  • 2004: At the annual VIP economic forum love fest gathering in Davos, Bill Gates proclaimed: “Two years from now, spam will be solved.” Right. Not even close on that one Bill.
  • 2005: Began using Mozilla’s Thunderbird as my regular email client. Here is a story about the trials then.
  • 2006: Switched hosting my various email domains over to Google Apps. For free. Began using Gmail as my regular email client, although it wouldn’t talk IMAP for another year. Also the year that the concept of “email inbox zero” was introduced.
  • 2008: Reminisced about ten years after my email book in my post here. Vint Cerf wrote this then too about ten years of using the Internet.
  • 2009: First of many “email is dead” articles in WSJ and elsewhere analyzed here.
  • 2011: The latest in a series of days without email proposed to make some obscure point.
  • 2017: Better email authentication protocols (DKIM, SPF, DMARC) come into wider use. As I wrote about at the time, becoming master of your email domain is incredibly difficult to implement, still true to this day.
  • 2018: IBM sells off Lotus Notes to an Indian conglomerate. That link will take you to why Notes was so significant in its heyday.
  • 2019-2022: Helm is released, an interesting dedicated email server appliance. It closed its doors at the end of 2022, victim to supply chain issues and IMHO, a bad collection of features.
  • 2022: Google begins charging me for my domain for the first time since I began using their email service.
  • 2023: Yes, I still try to have less than ten messages at the end of each day in my inbox. Encrypted email remains for the most part ignored by the general public, even as phishing continues to rise. Some things never change.

Book review: Drinking Games by Sarah Levy

My stepson died last year of throat cancer, brought on by years of alcohol and tobacco abuse. I say this because I thought this was going to be a hard book to read — part memoir, part 12-step navigational handbook, part Big Thoughts. That doesn’t sound like I liked the book, but I did, and thought Levy spoke to me about my stepson and his various demons that he fought and lost. She fought and has won, but it was a hard fight, filled with many missteps and disastrous mistakes.
Alcohol abuse isn’t pretty. Those of us who have been touched by it can’t really understand why it happens to the people we love, and our feeble attempts at trying to help are often doomed from the start. Levy’s book shows how she had the strength of character to fight back — and while she had many years of dismal failures, eventually she figured out a plan. It may not be the plan that you can get behind, but like I said, the navigational aspects of this book are useful guideposts. Even if you are lucky not to have someone you know with these circumstances, I think you will find this book interesting, engaging, and at times pretty darn funny. Highly recommended.

Book review: Sam by Allegra Goodman

In this novel by Allegra Goodman, we follow the life of Sam during 15 or so years of her young life as she grows up in a dysfunctional family with a special-needs younger brother and her single mother who is trying to make ends meet working two low-end jobs. Sam is a talented rock climber: the story takes place on Boston’s North Shore and we see her grow into some prowess as she develops her climbing abilities and strength. Sam is an interesting character: nothing comes without a lot of pain and hard work, which makes her accomplishments all that more satisfying, both to her and to the reader. The family dynamics: the kids have two different but deadbeat dads that come in and out of the narrative. I really enjoyed the plot, characters, and situations as Sam grows up, finds love and adventure. Highly recommended.

Do you need a disposable email address

How many times a day are you asked to provide your email address for something that just generates more inbox junk and adds you to some marketer’s list? If you are getting tired of these email come-ons, you need a disposable email address. The idea is simple: instead of providing your “real” email, you create something that will still forward messages, but gives you some control over how these messages appear in your inbox.

Now, you could use the email filtering feature of your mail software to prevent these messages from ever darkening your inbox, but a more elegant way is to make use of one of the “disposal email service providers” (as I call them) to help you out. The way these providers work is that you set up an account on their service, and start using a special alias to flag the origin of the mail.

Before you dive into this product category, realize that there are dozens of semi-shady providers, such as Emailondeck or E4ward.com. These have lots of limitations, such as only offering a single alias with very short forwarding lifetimes (such as an hour, which renders them useless for newsletter subscriptions), or don’t allow you to create your own alias, or have paid accounts that only accept BTC. The ideal provider allows you to set up your own alias and keeps the mail flowing as long as the company is in business. Also, some providers don’t protect any replies to the forwarded email, so your real underlying address is now available.

Here are three providers you should check out: DuckDuckGo’s @duck.com, 33Mail.com, and Yahoo.com. All three are available for free (and the latter two also offer paid plans) and work reasonably well. My favorite is 33Mail: I have been an avid user of its free account for many years now and have set up dozens of aliases. The setup process is nothing: you just start using “something@youraccount.33mail.com” and the service takes care of getting the message forwarded to your real email. The forever free version has unlimited aliases, which is handy because it shows you the alias used at the top of your message, in case you want to send all inbound mail using that alias to the bit bucket. You can sign into the web portal of your account and view the transaction log shown here as well as the status of the various aliases that have been used to forward mail to you, and those emails that you have blocked. The free account does come with bandwidth limits, which I have never come close to reaching. There are several pricing tiers that remove this along with other restrictions and support other customizable settings.
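Because each alias flags where a message originated, you can audit which aliases have leaked beyond the site you gave them to. The following Python script is an added example, not code from 33Mail or from the original post; it assumes forwarded mail keeps the original To and From headers, and the `ISSUED_TO` record, the `.example` domains and the sample messages are all constructed for illustration.

```python
"""Audit disposable aliases: which ones receive mail from unexpected senders?"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Placeholder account name taken from the article's "youraccount" example.
ALIAS_DOMAIN = "youraccount.33mail.com"

# Hypothetical record of which site each alias was handed to at signup.
ISSUED_TO = {
    "shoestore": "shoestore.example",
    "newsletter": "dailynews.example",
}

# Constructed sample messages (headers, blank line, body).
SAMPLE_MESSAGES = [
    "From: Shoe Store <deals@mail.shoestore.example>\n"
    "To: shoestore@youraccount.33mail.com\nSubject: Sale\n\nhi\n",
    "From: promo@cheap-pills.example\n"
    "To: shoestore@youraccount.33mail.com\nSubject: Offer\n\nhi\n",
    "From: editor@dailynews.example\n"
    "To: newsletter@youraccount.33mail.com\nSubject: Today\n\nhi\n",
    "From: winner@lottery.example\n"
    "To: Me <raffle@YourAccount.33Mail.com>\nSubject: Prize\n\nhi\n",
    "From: friend@personal.example\n"
    "To: me@realmailbox.example\nSubject: Lunch\n\nhi\n",
]


def alias_of(msg):
    """Return the alias local part the message was addressed to, or None."""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _name, addr in recipients:
        local, _sep, domain = addr.rpartition("@")
        if domain.lower() == ALIAS_DOMAIN and local:
            return local.lower()
    return None


def sender_domain(msg):
    """Domain of the From header. From is unauthenticated, so treat a match
    as a hint about origin, not as proof."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def same_org(domain, expected):
    """True if domain is the expected one or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def audit(raw_messages):
    """Per alias: count mail from the expected site and collect other senders.
    Mail to an alias missing from ISSUED_TO is always counted as unexpected."""
    report = defaultdict(lambda: {"expected": 0, "unexpected": set()})
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias = alias_of(msg)
        if alias is None:
            continue  # not addressed to a disposable alias
        domain = sender_domain(msg)
        expected = ISSUED_TO.get(alias)
        if expected and same_org(domain, expected):
            report[alias]["expected"] += 1
        else:
            report[alias]["unexpected"].add(domain)
    return dict(report)


def aliases_to_block(report):
    """Aliases that received mail from anyone other than the intended site."""
    return sorted(a for a, r in report.items() if r["unexpected"])


if __name__ == "__main__":
    result = audit(SAMPLE_MESSAGES)
    for alias in aliases_to_block(result):
        print(alias, "->", sorted(result[alias]["unexpected"]))
```

An alias that shows unexpected senders is a candidate for the bit bucket, and it also tells you which signup passed your address along.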

DuckDuckGo takes a somewhat different tack from 33Mail — they do their work inside a browser extension and they support a wide range of them, including Brave, Chrome and Edge. You’ll need that extension to manage the various configuration features. If you are already using DDG as your search engine or for its other privacy-enhanced tools, then it is worth checking this tool out. Here is a list of its features and FAQs. One downside of DDG is that it doesn’t use aliases, which means you have to filter messages on your own.

Finally, there is Yahoo. Remember them? Remember both of their massive data breaches back in the day? Well, it has been years since I used them for anything other than a spam collector, and the free version immediately begins placing ads in the form of a rolling series of messages at the top of your inbox. (You can remove these if you upgrade to a paid plan.) You can set up three aliases (what Yahoo calls “keywords”) on your account, using this menu shown here. It isn’t as convenient as 33Mail, and of course you need a Yahoo email address for this to work.

Keeping up with Covid misinformation policies

About a month ago, Twitter removed its policies blocking Covid misinformation. This has led to the spread of various flights of fancy, many of which are dangerous if taken seriously. We all know why this was done and by whom. I have written about this topic before in 2020 in this blog post that I urge you to review. Sadly, the situation has gotten worse.

Today in the NYTimes is an article about how misinformation continues to spread across social media. This prompted me to examine the Covid policies of various social media platforms. Let’s take a look at them.

Interestingly, Facebook has the most specific policy set here, running to more than 4,000 words. They address specific false claims (I won’t repeat them here but it is a depressingly long list) and how the content can create potential harm to its users in the real world. The aim is to “reduce the distribution of content that does not violate our policies but may present misleading or sensationalized information about vaccines in a way that would be likely to discourage vaccinations.” That is an important point. One thing that I didn’t like was the way the policies were presented, with web links to other policies (such as bullying and hate speech) that are relevant but making it hard to track and digest.

YouTube has its policies here. Not quite 1500 words, it still goes into specific details about what content isn’t allowed. Again, I am not going into any details but some of this stuff — as with Facebook’s recitation — is just bonkers. Also in the policy is a description of the consequences if you do post this content. That is perhaps the most useful element: three strikes within 90 days and your channel is “terminated.” None of the other platforms have this spelled out.

TikTok has the least helpful information here. Their community guidelines pages have no mention of Covid, and this link (which is really more of a press release) is short on specifics.

Whether or not you agree with how and what the social platforms should do about Covid misinformation, the fact remains that vaccines — especially the Covid ones — save lives, and have lessened the impact on those who have gotten the virus. And spreading false claims about what can protect you from disease is just another way for things to “go viral,” sad to say.

A10 Networks blog: How to Defeat Emotet Malware

One of the longest-running and more lethal malware strains has once again returned on the scene. Called Emotet, it started out as a simple banking Trojan when it was created in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MummySpider. Emotet malware is back in the headlines and continues to be one of the most significant threats facing companies today. In this review for A10 Networks, I describe what it is and how it works and how to defend against it using a combination of network and security tools.

Emotet Malware Timeline

Avast blog: A Bruce Schneier reader

Bruce Schneier’s work has withstood the test of time and is still relevant today.

If you’re looking for recommendations for infosec books to give to a colleague – or even to catch up on some holiday reading of your own – here’s a suggestion: Take a closer look at the oeuvre of Bruce Schneier, a cryptographer and privacy specialist who has been writing about the topic for more than 30 years and has his own blog that publishes interesting links to security-related events, strategies and failures that you should follow. In my blog post for Avast today, I review some of his books.