Avast blog: The citizen’s guide to spotting fake news

Truth and facts are hard to come by these days. Most of us want to understand what is true and what is not. What’s more, we want our kids to understand the difference between fact and fiction. But sifting through our social media — and even ordinary news reports — does require some work. I have put together some resources in this blog post to help you discriminate the truthiness (as Stephen Colbert might have said) of what you find online.

The sheer amount of disinformation, lies, conspiracy theories — call them what you will — is staggering. In this post for Avast’s blog, I review how we got here, how you can start to figure out whether something is true or false online, and what should be your own strategies for becoming more skeptical of what you read online.

Family isolation protocols: don’t judge

In this time of sheltering-in-place and self-imposed isolation, we have to learn to be kinder and less judgmental to each other. One of the biggest issues for families is agreeing on your own “isolation protocol,” for lack of a better description. Most of the stuff that I have read includes suggestions such as those from Britain’s NHS here, or articles on what activities to do now that the kids are home. But I haven’t seen that much discussion about how you formulate your own protocol. Given my interest in Internet protocols, this seems a natural point for me.

It is just my wife and me at home. You would think that the two of us would be able to figure out some common ground for exactly how much isolation we should be doing. But it is a harder problem than that. There are two dimensions to this. First is that the ground is shifting. As the virus spreads, scientists are learning more about its transmission and its lethality and changing their own recommendations. That means building into the family protocol the ability to be updated to reflect these changing conditions. Or if one of you becomes more concerned about a particular activity, for example. As I said, things are changing rapidly.

The second dimension is that all of us, even long-married couples, come to this virus from different perspectives. What we need is to make some consensus decisions. We do this all the time, and it is part of our daily lives. Only, instead of what are we having for dinner or who is going to clean the bathroom, they become decisions that involve the potential life and death of the family members themselves. Maybe that is too dire a description, but you see what I mean.

Let me give you some examples of the potential points around assembling your own protocol:

  • When should we wear a mask, if at all? (See the link above for the latest CDC recommendation.)
  • Is takeout food acceptable under specific circumstances?
  • How often do we shop for groceries and other supplies? Do they require delivery?
  • When one of us returns from being outside our apartment, what is the cleansing and transition process?
  • How often should we go to the office?
  • What about continuing or beginning any volunteer activities?
  • Do we have a cellphone cleansing policy, and who enforces it?
  • What about how to disinfect the mail and newspapers?
  • Is anyone other than the family allowed inside our apartment and if so under what circumstances?

These all seem like pretty petty issues, but in the time of Covid, they could be life and death, quite literally. If you want your family to survive this crisis, you need to come to agreement on these policies and be willing to concede to your spouse’s POV. I have heard stories about those medical workers who have to sleep over the garage or in someone’s RV rather than spend their time inside the family manse.

I was talking to a friend of mine who has a father who is in his late 70s and still goes to work at his office. She tried talking to her dad and getting him to stay home but was unsuccessful. Another friend who is 80 had all of his grandchildren over to their house for dinner not too long ago. This person recently had heart bypass surgery.

Here is the thing. You can’t judge what someone else’s protocol may be, however inelegantly expressed or however much you disagree with their position. Everyone has to come to terms with this pandemic on their own terms and reach their own comfort level. Now I realize how frustrating it can be to deal with a family member or friend who has a different position on what social isolation means, and perhaps doesn’t disinfect as much as you do (or disinfects more). It isn’t up to us to judge. You have to be you, to quote a common phrase. But you and your family should have some discussion about this and at least agree on some of the basic principles as I listed above.

Maximizing the benefits to your family of web conferencing and video chat

More of us are now working from home, and more of our kids are having to finish their school year from home too. That presents all sorts of opportunities and problems, and at the center of both are web conferencing and video chat technologies. Understanding how they are used and setting up basic rules, figuring out your collection of tools, and setting up separate work/school areas in your house will determine if your family will be productive and if you can survive your “sheltering in place” during this COVID crisis.

Even Bill Gates is spending most of his time on video conferencing (check out this interview with TED’s head honcho where he plugs Microsoft Teams several times during the first few minutes).

I have been using a variety of conferencing systems over the years, and help produce a several-hundred person webinar for the American Red Cross monthly. Here are some tips from these experiences.

 1. Each family member needs to establish their own “broadcasting protocol,” for lack of a better term. If Mom is online, does that mean that Dad can’t interrupt the call? Or that the kids can’t wander in for a visit? The old rules of not having a child interrupt your work meeting no longer apply. (I put together a podcast with Paul Gillin about some of these old rules last fall here.)

The number of memes showing various family members caught in states of undress has certainly proliferated. Clearly, set some ground rules about what, when, and what to wear when on a video call, or when video is and isn’t appropriate. Figure out what space each family member is going to use as their “studio” so that everyone can have their own space. A friend of mine has noticed that having all the professional news anchors now broadcasting from their homes has given him a chance to view their room designs. It certainly isn’t “design on a dime” but it at least injects some new interest in their broadcasts.

Another thing that I have seen in the past couple of weeks is a more relaxed use of the video conference. “Sharing” dinner over a conference call link in lieu of being at the same dining table. Celebrating a work milestone with drinks from everyone’s home office, rather than in person at the local bar or conference room. Doing homework together over a conference line. You get the idea. Be creative and figure out what works for your situation.

2. Video is nice, but having solid audio is key. That brings up my next point. I don’t want to minimize the importance of video. As you know, I mostly work alone in my office. In the past weeks I have wanted to connect more via video, to see my family and friends. Video is an important connector in these times of crisis. But if your audio gear is subpar, you need to address that now. No one wants to listen to bad audio. Your laptop’s audio gear might not cut it, and if you are going to be doing a lot of conferences, invest $50 to $100 in a decent external USB mic.

3. Understand you’ll need some minimal production values, for both personal and work purposes. Have an agenda, have a conference call leader, prepare the presentation ahead of time, set up a call sheet of who speaks when. And check your audio setup to make sure folks can hear you clearly. These things are also important for calls to family and friends too. While having a “coffee talk” freestyle type of meeting is nice, once the novelty of seeing everyone wears off, you should make the calls more structured. Also, if you are going to share your screen, prepare it ahead of time: don’t have everyone looking at your email inbox or have your messaging client pop-ups enabled during your session.

4. Use calendar invites with care. Google’s calendar invite automatically adds its own Hangout link: that is great if that is what you want to use, but it is confusing if you have some other tool in mind. Remember that some other automatically generated invites (such as from Zoom) don’t automatically adjust for time zone differences. And speaking of which, start your meetings on time, please.

5. No single tool will work for every family member, or even every situation. We are fortunate that we have so many products that are available, and many of them are free of charge: Zoom, Webex, Facebook Messenger, FaceTime, Google Hangouts/Meet/Duo, WhatsApp and Skype are just a few of the services. If you look at this list (and there are dozens more products that I didn’t mention), they come to the party from different places: video telephones designed for 1-on-1 calls, video-enhanced text messaging, video collaboration tools designed for supporting sharing stuff (files, URLs and chats), video-enhanced social networking and video training tools that are designed for a somewhat different collaboration.

Figure out what works for you, based on your prior experience, what your contacts/peer groups are using and if your business already supports one of these for work-related calls. Zoom has been in the news a lot because it is very easy to set up (including these simple recording features shown here) and because a lot of schools are setting up distance learning classes using it. But if you want to run a meeting longer than 40 minutes with more than two people, you’ll need the paid version, or try out Webex, which has a free tier for this situation. Also, if you are concerned about Zoom’s cavalier attitude towards privacy, you may want to choose something else.

So it is possible that your kids might use Facebook Messenger/WhatsApp, you will use Zoom and your spouse will use the office’s Microsoft Teams. That’s okay. Realize that each family member is coming from a different experience and comfort level with these tools. Remember that our kids have grown up with various digital products but may not be used to using them productively under present circumstances. You may want to monitor their use, depending on their age and what kind of parent you are too.

Video calls now have a heavy lift and have to support your work life and your family’s social life. As we spend more time at home, we need to stay connected with loved ones and work colleagues and figure out how to become more productive.

Support your local restaurant

I live in a very urban part of St. Louis for a reason: it is walkable, it is vibrant, it is near a wonderful park and transit. All of that has changed in the past two weeks. All of these advantages now have to be examined under a different lens.

Like many of you, we are staying home. When we do go out for a walk, it is a bit eerie: the streets are empty. Street parking — which used to be an issue, especially on weekend evenings — is now copiously available. Meeting other pedestrians used to be under the Midwest code: you nod and say hello as you pass. Now we hold our breath and hope that we have enough room on the sidewalk to “socially distance” ourselves.

The dozens of restaurants that were at the core of our community are mostly under lockdown. The ones that are closed have small signs in their windows, hastily printed. The few that are open are only for carryout, under orders of the city. I want to support the ones that are still doing business, even though it is a risk: do I trust the sanitation and health protocols that the restaurateur has adopted in these post-COVID times? Many of these places are run by people I have gotten to know over the years living here. My wife and I eat out frequently. Not anymore.

Still, I feel that I need to do something. So I started looking into how to make it easier for customers to get their meals from the local restaurants. If you are willing to take this risk — and there are many of you that might not even go here — there are three main issues:

First, many local restaurants have terrible websites. One of our favorite places has been in business for decades and is about a three-minute walk from our apartment. It has a single page website with a phone number. No online menu. No online anything, really. Others just have Facebook pages, which aren’t much better. I realize that there are many places which are not tech-savvy. But still, there are many restaurants that are. Take for example this group of local places (none of which sadly is in my neighborhood). They have a very nice website. But that is just the first hurdle.

Second, I want to be able to purchase my carryout food online. Here is a complicating factor. There are two typical ways that a restaurant does this: either through a food delivery provider (you can select a pickup option if you don’t want the food delivered) or via the restaurant’s point-of-sale (POS) vendor. In our neighborhood, there are at least five different delivery vendors: DoorDash, UberEats, Postmates, GrubHub and FoodPedaler (the latter being a hyper-local St. Louis startup that has concentrated in our neighborhood and downtown). Some restaurants have set up accounts with multiple delivery vendors. But many of the places don’t have any accounts with any of these services.

The problem isn’t just technology. The restaurant has to be set up with a place for the pickup orders, or have the workflow for how the delivery provider is going to interact with its staff. These days, when interpersonal interaction is scrutinized, that means being extra careful with sanitation.

One way to simplify matters in these dire times is to present just a few choices. That is what Grace Meat + Three has done with their online ordering. You just have two menu choices.

Third, I want to purchase a gift card to provide an interest-free loan to my favorite places. This can be done in one of several ways. The easier way is to use a gift card with one of the food delivery vendors mentioned above. The second method is by using gift cards that are associated with a POS vendor. Clover (shown here), Toast and Square are the three POS vendors that are most often found around here. The rub is that the restaurant has to enable this option, and not everyone has set this up.

Another method of obtaining gift cards is to make use of one of the E-Gift service providers. (Everything is a service nowadays, so why not gift cards?) There are two that I found: Yiftee and TheGiftCardCafe. The latter vendor is waiving its setup fee for new accounts, which is a nice gesture.

Some restaurant websites have direct links to gift card purchases, but most don’t. Usually they are found on the bigger national chains’ websites, which is not where I want to go at the moment. And one local chain listed gift cards on their website home page, but the link brought me to a page saying that it hasn’t been set up yet. FAIL!

One effort has already begun, called CurbSideSTL. It is a good first attempt and does a decent job of listing who is still open and how to order and obtain food. But it lacks direct links to gift cards and online delivery services. I realize that involves a lot more work, but given how quickly things are evolving, it would be more helpful with these links.

So, where does that leave us? If you own a local restaurant, I will give you some help to at least get your carryout menu posted online. If you have a POS system and haven’t gotten online ordering or gift cards set up, I can do this for you. My price is a free meal. Now more than ever, we have to make it easier to do business online.

RSA blog: Renaissance of the OTP hardware token

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have withstood the test of time, and lately, are undergoing a renaissance with a newfound interest among security managers. There has been a spate of newer, dare I say smarter, hardware tokens in the past couple of years from Yubico and OneSpan, along with wider support for FIDO standards as well.

In this month’s blog for RSA, I look at this evolution, why the hardware token remains relevant, and some of the current trends in multi-factor authentication (MFA).

Beating the odds: how STEM women succeed

I recently read Kelly Simmons and Patty Rowland Burke’s Beating the Odds: Winning Strategies of Women in STEM. I have known Patty for decades, first meeting her when she worked at Regis McKenna back in the go-go days when PCs were first coming into businesses. They have written a business book for everyone, especially those men who have filled tech companies with their toxic “good ole boy” bro culture. It takes the unusual approach of talking to several dozen women who have succeeded in STEM careers and studying the common elements of why they have done well while others have failed. Spoiler alert: it mostly isn’t their fault, and the hard part will be fighting this culture to effect real change.

Many younger people, both women and men, don’t remember how bad things were in the 1980s and 1990s, when corporate events included pretty raunchy moments. (I will spare you the details, but you can probably imagine.) Unfortunately, we haven’t really progressed much from these days. I remember when I was in engineering school in the 1970s, having a woman in any of my classes was a rarity. Having more than one per class didn’t happen. Sadly, while there are more women in STEM now, it still isn’t anywhere near where it could be. And where it should be.

One tech CEO — presumably male — told a female engineering manager this: “every company needs someone who is the API between the business and the technical. That’s really hard to find, and not often valued in Silicon Valley.” That is a good point, and I have often found myself in this API role in many of my writing and consulting efforts.

“One woman jokingly described the anxiety she felt in the workplace as ‘like being Jamie Lee Curtis in a Halloween movie, you never know when the guy in the mask with the knife will show up.’”

Granted, many women appear at first glance to be less technical and suffer from impostor syndrome. This is usually defined as paranoia that you are a fraud and don’t deserve to be in a position or credited with any of your accomplishments. But this isn’t exclusive to women. When I took my first job as the Editor-in-chief at CMP to start Network Computing magazine, I suffered from impostor syndrome myself. I had never started a publication, never held the EIC position, and hadn’t hired many staffers or even known how to produce a publication. Fortunately, I had a great set of mentors at CMP to help me learn these things and the magazine is still around today, albeit in an online format. I went on to run several other publications as a result of this training.

This reminds me of another Jamie Lee Curtis movie — True Lies — where she doesn’t have impostor syndrome but manages to save the day and win Arnold back (who plays her spying, lying husband). Anyway, back to the book.

It dives into a very important area that I haven’t seen much of in other business books. “We have learned what makes successful women tick, why some of them persevere to lead major technical organizations and teams, and why others drop out in frustration. A senior technical woman should not be an astonishing exception.”

The book is also filled with plenty of suggestions to help technical women succeed. One important aspect is to develop male allies and role models. The lack of these prevents many women from pursuing STEM careers. These include men who aren’t enlisted in the “boys club” network and can support technical women in the company. This can also counter the feelings of aloneness and “otherness” that can cause frustration and lead many women to resign their positions.

Another helpful idea is to set up a form of reverse mentoring, where younger women are mentors to senior managers to help them better understand their experience and points of view. This is particularly helpful to root out work processes and routines that were designed for all-male environments, and have become so embedded in tech companies. Just search for Uber’s early history if you need further convincing.

So read this book. Send a copy to your manager, and make him read it as well. Only by changing one dinosaur at a time can we evolve as a species. And perhaps be more inclusive to not just women but other under-represented people in STEM too.

FIR B2B podcast #135: TIPS FOR TRANSITIONING TO A HOME-BASED WORKFORCE

As the coronavirus spreads throughout the world, businesses are being faced with setting up policies and procedures to enable everyone to work from home (WFH). Doing this presents several challenges, some of them brought on by new demands on your IT department and some by demands of a new way of working that you may not have anticipated. A good reference point for the complexities involved is this Twitter thread about what Slack did to move to a 100% WFH model. In this podcast, Paul and I draw upon our own decades-long experience as sole business owners. Among our advice:

  1. Think about printing, email and sharing files and the IT services that will be needed to support that activity. Be careful about SaaS services such as Dropbox; if users aren’t trained properly they could expose your corporate data unintentionally.
  2. Make sure your infosec is up to par. A VPN isn’t the only thing you need to worry about. Is your home router secured with an appropriate password? Do you encrypt your network traffic across the Internet? Has your laptop been screened for malware? These and other questions need to be addressed before rolling out any work-from-home solution.
  3. Does your staff have the right tools? Just because everyone has a laptop doesn’t mean anything, particularly if they’re used to having multiple monitors and great audio/video gear. You may have to purchase additional accessories to make your staff productive.
  4. Make sure your staff has a separate workspace that is isolated from the rest of the house. You want to minimize distractions and unplanned family “visits” during the workday.
  5. Get a good mic (I use the Blue Snowball, Paul uses a Logitech wireless). You should be able to get something decent for $50-$100.
  6. Standardize on a video conferencing supplier (we both like Zoom at the moment, although there are privacy issues you might want to consider) and make sure all your gear provides solid audio quality when you use it.
  7. Make sure your home bandwidth is sufficient. Pay attention to upload speeds, because these can impact your latency and video quality.
  8. Learn new video conferencing etiquette; review our previous podcast on some of our tips here.
  9. Set up a shared scheduling tool for everyone to use and standardize on a corporate instant messaging tool, too.

Listen to our 15 min. podcast now:

Avast blog: Primary update: Voting issues in Los Angeles and Iowa

Last week Super Tuesday brought many of us to the polls to vote for our favorite candidate for President. And while voting went smoothly in most places, there was one major tech failure in Los Angeles, which saw the debut of new voting machines. Let’s compare what went wrong in LA with the earlier problems seen during the Iowa caucuses.

In our earlier blog, I brought you up to date with what happened with the Russians hacking our 2016 and 2018 elections. But the problems witnessed in Iowa and LA are strictly our own fault, the result of a perfect storm of different computing errors. For Iowa, the culprit was a poorly implemented mobile vote count smartphone app from the vendor Shadow Inc. For LA, it was a series of both tech and non-tech circumstances.

I go into details about each situation and what we’ve learned in this post for Avast’s blog.

In search of better browser privacy options

A new browser privacy study by Professor Doug Leith, the Computer Science department chair at Trinity College, is worth reading carefully. Leith instruments the Mac versions of six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when they “phone home.” All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.

If you aren’t familiar with Brave, it is built on the same Chromium engine that Google uses for its browser, but it does have a more logical grouping of privacy settings that can be found under a “Shields” tab as you can see in this screenshot. It also comes with several extensions for an Ethereum wallet and support for Chromecast and Tor. This is why Brave is marketed as a privacy-enhanced browser.

Brave scored the best in Leith’s tests. It didn’t track originating IP addresses and didn’t share any details of its browsing history. The others tagged data with identifiers that could be linked to an end user’s computer, along with sharing browsing history with backend servers. Edge and Yandex also saved data that persisted across a fresh browser installation on the same computer. That isn’t nice, because this correlated data could be used to link different apps running on that computer to build an overall user profile.

One problem is the search bar autocomplete function. This is a big time saver for users, but it is also a big privacy invasion depending on what data is transmitted back to the vendor’s own servers. Safari generated 32 requests to search servers and these requests persist across browser restarts. Leith proposed adding a function to both Chrome and Firefox to disable this autocomplete function upon startup for those who have privacy concerns. He has also proposed to Apple that Safari’s default start page be reconfigured and that an option be added to avoid unnecessary network connections. He has not heard back from any of the vendors on his suggestions.

So if you are a privacy-concerned user, what are your options? First, you should probably audit your browser extensions and get rid of ones that you don’t use or that have security issues, as Brian Krebs wrote recently. Second, if you feel like switching browsers, you could experiment with Brave or Authentic8’s Silo browser or Dooble. I reviewed two of them many years ago; here is a more updated review on some other alternative browsers done by the folks at ProtonMail.

If you want to stick with your current browser, you could depend on your laptop vendor’s privacy additions, such as what HP provides. However, those periodically crash and don’t deliver the best experience. I am not picking on HP; it is just what I currently use, and perhaps other vendors may have more reliable privacy add-ons. You could also run a VPN all the time to protect your IP address, but you will still have issues with the leaked backend collections. And if you are using a mobile device, there is Jumbo, which helps you assemble a better privacy profile. What Jumbo illustrates, though, is that privacy shouldn’t be this hard. You shouldn’t have to track down numerous menus scattered across your desktop or mobile device.

Sadly, we still have a lot of room to improve our browser privacy.