Book review: The Spectacular

The best recommendation that I can give to a work of fiction is the feeling I get when I finish the book that I haven’t read a novel. With this book The Spectacular chronicling the lives of three generations of women, I felt like I was reading real reporting about what happened to each of them and had to check to make sure that it really was fiction. The three women are all flawed in interesting and complementary ways: grandma has adjustment problems as an immigrant from Turkey, mom doesn’t want to be a parent initially and leaves her daughter in grandma’s care to go find herself, and the daughter has so many issues that drive the narrative that to document them here would spoilt the book. The author tackles some very real issues: gender identity, understanding how to live with others, finding your calling and your passions, etc. I really enjoyed this book, even as a white cis male. There are many familiar chords that were struck while reading its pages, and I wanted to meet these three women in real life when I was done. Highly recommended. I have read an earlier work by Zoe Whittall and would recommend her earlier works as well.

Is someone hiding their servers in your data center?

Christopher Naples is on track to become the second most infamous person for bringing his own computer gear to work illicitly. He was recently charged with using more than 40 devices to mine Bitcoin and other cryptocurrencies, connecting them to his office computer racks. Naples is (was) an IT supervisor for the Suffolk County Long Island government. His gear was placed under raised floors and inside unused power panels, clearly to avoid obvious detection. The crypto mining gear generated so much heat that the HVAC folks had to rebalance their systems to cool everything off, costing the county thousands in added electrical power.

His case will now be heard by the courts, and I wish them well in being able to sort out the situation. Mining, or creating new crypto value, is a very energy-intensive operation because it uses very high-end computing gear that draws power. There have been some estimates that the total power consumed by all the worlds’ Bitcoin users is more than the demand by Finland, which has 5.5M people.

I think the case against Naples is pretty solid: this was gear that he was using to enrich his own personal gain. The reason why I say his second place entry in this unique category is because of the case of Aaron Swartz, a computer scientist who ten years ago hid his server in a MIT closet. Swartz was unhappy that an online academic research consortium called JStor was charging for copies of articles to private citizens but granting free access to certain academic users. Hence the location. Over the course of several months, he managed to download millions of articles to his server, which eventually tripped a network monitor and brought a huge federal case of 13 felony charges against him. He killed himself shortly before he was to begin serving a long jail term. (Carl Malamud, who worked with Swartz, documents the situation nicely here.)

A case could be made that Ed Snowden deserves to be on this list somewhere: he did bring USB thumb drives to his office to download various NSA secret documents, although he didn’t leave any gear in his office closet. Unlike Swartz and Naples, his frantic document copying tactics weren’t detected by his employer, which is more ironic given the nature of the NSA and presumably the various scans and network checks that should have been in place to detect this massive effort.

What Swartz, Snowden and Naples to some extent prove is the value of intrusion detection, particularly as it relates to exporting data to a remote network. Of course, now that many of us are working remotely, this brings up special challenges to detect these massive data exports when they are part of the normal operations and not something fishy going on.

You might think that hiding your personal servers at work could be solved by moving more resources into the cloud. But this just makes finding these illicit servers a lot harder to find. There are a number of tools that can specifically search for non-sanctioned servers, but you still need IT staffers to keep track of things.

9/11, 20 years after

Like Billy Joel once sung, I am in a New York state of mind this week. Thinking about where I was 20 years ago, watching the towers collapse from a vantage point in my town in Long Island. Thinking about the two friends that lost their lives that day, Mark Bingham and Tom Kelly. There are certainly plenty of TV programming to choose from this week, as Deadline summarizes.

By way of background, I have spent half of my life living in Long Island: born in Bay Shore, grew up in Levittown and Merrick, then went to college, only to return for a year to live in the pre-gentrified Brooklyn before leaving to go to grad school. Eventually I came back in my 30s to live in Port Washington, where I raised my daughter, served on the local school board, and established my own business. Port Washington lost about a dozen people on 9/11, which was less than its neighboring community Manhasset did on that day.

For most of the last 20 years, I have been living in the Midwest. Every so often, I miss the hustle and bustle of NYC. This is one of those times. This was going to be a tough anniversary. Covid, cancer, travel restrictions, floods and tornadoes in New Jersey! It does seem like End of Days.

I have been watching the NatGeo/Hulu series on what happened that particular day. It is an amazing piece of journalism, linking images of many of the heroes caught on film in 2001 with contemporary interviews. One of them is an interview with Bingham’s mother and highlights his role in thwarting the hijackers of United 93, and how proud she is of him. The series shows the level of heroism from both those who survived and those who perished. We see the firefighters trying to figure out how to save lives but losing their own. It is a hard film to watch, but it gave me hope in humanity and highlighted some of the day’s heroes.

Now, the notion of what constitutes a hero has been somewhat devalued in the past 20 years, but these were folks who put themselves in harm’s way and considered the plight of others before themselves. One guy was buried under the rubble of one of the collapsed towers with someone else. He first helped free that person, who immediately fled, leaving the first guy to fend for himself. You see him today all healthy and hale, then what he looked like back in 2001, all bloody and torn up from trying to squeeze through the pile of concrete and glass.

As many of you know, I have volunteered as a freelance journalist for my local Red Cross chapter, profiling some of the many volunteers who have given far more time and service towards helping others during many disasters. This week you can read my profile of Mickey Shell (and numerous others) when he went to NYC to help out after 9/11. It was the first time he visited the area from his home in Poplar Bluff, Mo. He is a mental health professor who gave comfort to the survivors, and learned how to navigate the complexities of the NY subway system as part of his deployment.

With 9/11, we came together as one – mostly. Sure, there was the attack on an Indian restaurant in Port Washington by some local louts. They didn’t quite get that Sikhs (who owned the place) wore turbans too and had nothing to do with the 9/11 hijackers, Arabs, or the middle east for that matter. Not much has changed today — we have attacks on various Asians that had nothing to do with transmitting Covid. There will always be haters. And now we have thousands of Afghan refugees that arrived in our airports over the past few weeks to try to assimilate, protect, and give opportunities for a new life. Let’s hope there are still some heroes to go around.

Red Cross blog:Mickey Shell works as Red Cross disaster mental health volunteer at 9/11

I interviewed Arkansas-based Red Cross volunteer Mickey Shell as part of a package of stories about where other volunteers were after the 9/11 disaster. To give you an idea of the scope of the organization’s services, more than 57,000 Red Crossers from across the country served more than 14 million meals and snacks, opened dozens of shelters for people who were left stranded, and connected some 374,000 times with people to provide emotional support and health services.

Avast blog: Instagram bans are now being sold as crime-as-a-service

Cybercriminals are expanding their “services” by offering to ban an Instagram user for the low, low price of $60. This was recently reported by Motherboard, whose research showed that anyone on Instagram can harass or censor anyone else. The notion is actually pretty clever, because the same criminals (and their close accomplices) can then offer a “restoration” service to the victim for several thousands of dollars.

Instagram has a support page that walks you through how to protest a disabled or banned account. It isn’t very good. In my post for Avast’s blog, I mention the issues and what you can do to harden your Instagram account.

China fights inhumane 996 work practices

Last week China’s Supreme People’s Court and the Ministry of Human Resources and Social Security issued a set of ten new legal cases (what we would normally think of as judicial rulings) about how to treat workers’ rights in labour disputes. The ten cases (documented here in Chinese) cover mostly workplace overtime disputes. Before I can describe these cases, we need to talk about what is called 996 schedules.
Chinese companies are infamous for setting very high working hours: the numbers refer to the “usual” workday running from 9 am to 9 pm, six days a week. As Protocol discusses, this schedule has been tacitly approved by the government for years, and even promoted by such mainstream business owners such as Jack Ma (who called 996 workers a blessing for his company Alibaba) and Richard Li, who derided those that didn’t as slackers.
Microsoft and GitHub Workers Support 996.ICUThe 996 practice got to be so well known that two years ago it got its own Github project, now supported by more than 500 contributors. Called 996icu, its name means if you work 996 hours, you will end up in a hospital’s ICU. The project has badges and banners for supporters of more reasonable working hours, lists of companies that have more balanced work rules and tips to help workers fight 996 conditions. The project’s readme file states “This is not a political movement. We firmly uphold the labor law and request employers to respect the legitimate rights and interests of their employees. We want to create an open source software license that advocates workers’ rights.”
The 996 situation changed with the cases cited by the courts last week. Given a series of high-profile deaths by overworked and overstressed employees, a growing movement among Chinese Millennials to have more of a work/life balance and a concern by the central government about a shrinking labor force (China’s population growth is slowing), it was time for some clarification and to try to stamp out 996 practices. The ten cases define a “standard” 44 hour workweek and 8 hour work day. how to resolve pay disputes, and other employment matters.
The rulings have already brought about changes for smartphone maker Vivo, which scrapped its six-day work weeks the day after the cases were published. Legal scholars predicted that worker complaints would be given more credence by the court system. Still, some social media reaction was skeptical, so we’ll see what happens. But it certainly is a step in the right direction.

CSOonline: How to find the right testing tool for Okta, Auth0, and other SSO solutions

If you have bought a single sign-on (SSO) product, how do you know that is operating correctly? That seems like a simple question, but answering it isn’t so simple. Configuring the automated sign-ons will require understanding of the authentication protocols they use. You will also need to know how your various applications use these protocols—both on-premises and SaaS—to encode them properly in the SSO portal. It would be nice if you could run an automated testing tool to find out where you slipped up, or where your SSO software is failing. That is the subject of this post. You can read more on How to find the right testing tool for Okta, Auth0, and other SSO solutions on CSOonline here.



NokNok blog: Next level metal credit cards

I got my first metallic credit card from Apple a few years ago. I thought it was more a curiosity than anything else. Soon after, my wife got a metallic card from Chase. American Express and Discover have both been making metal cards for years as well. Now, thanks to a partnership between NokNok and CompoSecure, you will see new types of cards that have something besides their outer skin to offer consumers: the ability to include authentication tokens and cold cryptocurrency wallets. You can read more in my blog post for NokNok here.

Avast blog: Protect your online store against Magecart attacks

Shopping cart malware, known as Magecart, is once again making headlines while plying its criminality across numerous ecommerce sites. Its name is in dishonor of two actions: shopping carts, and more specifically, those that make use of the open-source ecommerce platform Magento. Magecart malware compromises shopping carts in such a way that credit card data collected by the cart is transmitted to cybercriminals, who in turn resell this information to other bad actors. In my blog for Avast, I review some of the more notable attacks over the past several years and catalog the confluence of trends that have made Magecart a popular threat vector.

In addition to some suggestions on how you can strengthen your ecommerce storefront, here are a few other tips  to try to prevent this from happening to your website:

  1. Use this browser-based tool from Trustwave to check if your site has been compromised, along with other tips listed in the blog post to help you investigate your web storefront code.
  2. Use isolation tools such as this one from SourceDefense to better control access rules and prevent malicious script injections.
  3. Finally, whatever website server software you use, make sure you apply updates as soon as possible. Magento users who were compromised by early attackers delayed these updates and the attackers found these outdated versions and took advantage of them. The software vendor lists current patches and also has a free vulnerability scanning tool too.

Wanna email your governor? Good luck!

One of the simplest methods of communication with the top executive in your state is anything but. This week I tried to find the email address for my governor, Mike Parson, but all I got was a lousy web form on the state website. Yes, I could fill out the form, but I wanted to track our correspondence (wishful thinking, I know) through my email client. Alas, it was not meant to be.

This turned into A Project. Turns out many states aren’t so transparent about their email addresses. Surely they must use email to conduct state business. But finding out these actual addresses well, that is another matter.

Yes, almost every governor’s office phone number is easily discoverable from numerous online sources. And part of me wanted to call each one and ask what the appropriate email address is, just to hear the staffer sputter or put me on hold. You can go to this document, maintained by the National Governors Association, which lists both phone numbers and postal addresses for all of them, including territories. There is a separate document that links to various social media addresses. But email? Nope. You can see the data here for the first few lines:



(NGA, you might want to spend the minutes it might take to add another column to this document and become useful to those of us who want to use email.)

A quick check of several nearby states shows Missouri isn’t alone in relegating constituent queries to a web form: the state websites of Illinois, Kentucky, Iowa and Maryland also just have these forms on their governors’ pages, with no mention of their chief executive’s actual email address. That’s annoying. I tried to decode the underlying HTML of the forms, but I wasn’t smart enough to suss it out.

This reminds me of a story that I wrote many years ago, at the dawn of the internet era. I was searching for computer tech support information, and back then we didn’t have Google and most vendors barely had FTP servers, let alone websites that had this information. But that was the 1990s. Those that had email responders didn’t really staff them for timely answers either. That article btw is notable in how many companies have gone to dust (Lycos? Compuserve? Memories.)

There is a source of governor emails, and it comes from an odd place: Rick Halperin, a history professor at Southern Methodist University. Not wanting to link to an outdated document, I emailed him and asked if he keeps the document up to date. Within minutes he replied (thanks Rick! Governor staffers, please note.), saying thanks for reminding him and yes, link away. So there you have it. To paraphrase that infamous cartoon, on the internet, everyone knows you are a dog if you work for a state government.

Now I am under no expectations that my governor — or any other — is actually going to read his or her emails. Or that anyone will actually respond with anything other than a form letter. But if you want to comment on this piece, I will take the time to write back.