RSA blog: Understanding the trust landscape

Earlier this month, president of RSA, Rohit Ghai, opened the RSA Conference in San Francisco with some stirring words about understanding the trust landscape. The talk is both encouraging and depressing, for what it offers and for how far we have yet to go to realize this vision completely.

Back in the day, we had the now-naïve notion that defending a perimeter was sufficient. If you were “inside” (however defined), you were automatically trusted. Or once you authenticated yourself, you were then trusted. It was a binary decision: in or out. Today, there is nothing completely inside and trusted anymore.

I go into more detail in my blog post, Understanding the trust landscape. I had an opportunity to spend some time with Rohit at a presentation we both did in London earlier this year and enjoyed exchanging many ideas with him.

FIR B2B #117: Alternatives to Facebook

The short answer is yes, and we explore the various dimensions of The Facebook Problem in this week’s podcast. First we touch on the swirl of commentary about Zuck’s latest pronouncement that the company will combine Facebook Messenger, WhatsApp and Instagram into a single, unified product. Is there a business model in there somewhere, or is this just wishful thinking? Some analysts have already said that the era of Facebook’s News Feed is now officially over. We aren’t so sure, but we agreed that Facebook has become mostly a waste of time. There are some other business-oriented networks that we think have more value, including Reddit, Quora, LinkedIn, Alignable and Spiceworks. We’ve found all to be more fertile hunting grounds for business marketers. We also have advice about how to choose and test among those sites. 

We recorded this episode just before Brian Krebs revealed that Facebook exposed hundreds of millions of user passwords to more than 20,000 employees for years. It is certainly a sad state of affairs.

One final thought about Facebook: Reuben Arnold, Starbucks’ vice-president of marketing and product in EMEA, said he wants to have deeper conversations with some of its customers and promote its brand using private groups and private accounts on social media channels. Maybe this is an alternative to just posting to the greater universe. We’ll see.

But wait, there is more. We like this post about whether it’s time to go back to taking notes with pen and paper. How many of those people tapping away on their laptops during a meeting are doing something related to the meeting? You know the answer. Maybe it’s time to ban the laptops and aim for shorter meetings instead. 

We also discuss a recent news item about how execs from the UK-based convenience store Tesco are frustrated that the company is having to spend an increasing amount of money on ensuring its advertising doesn’t appear next to inappropriate content and believe publishers should foot more of the bill. It used to be that publishers protected their advertisers from this kind of embarrassment, but in a world dominated by algorithms, anything goes.  

Finally, there was a charming story earlier this month about a handwritten note to the CEO of Qantas from a 10-year-old boy who wanted to start his own airline. The airline posted the kid’s letter and a welcoming reply from CEO Alan Joyce, who commented, “Our competitors don’t normally ask us for advice, but when an airline leader reached out, we couldn’t ignore it.” The story is more than charming though: it is a lesson about how a light touch and a sense of humor can go a long way towards promoting your brand, in this case to the tune of nearly 30,000 retweets.

You can listen to our 19 min. podcast here:

The technology behind “Patriot Act”

If you have seen the Netflix show Patriot Act with Hasan Minhaj, you might have noticed the spectacular eye-popping set that is used for the show. And if you are a curious geek like me, you might want to know about the people responsible for building and operating it.

The show is a comedy vehicle for the Daily Show correspondent, and mixes a great deal of pop culture and news references in the goal of tackling a single topic each week. Minhaj is on stage for almost all of each episode. You first notice the stunning visual design of the set because it is the set. Minhaj stands on an LED floor that changes in synch with the screens that form the background of the show. This isn’t your grandfather’s PowerPoint, baby: images zoom in and out and video animations roll across the screens. There are catchy infographics that rotate and fade in, and all the other tricks that we have come to expect in the average Marvel or Pixar movie. Only it is a TV talk show. I think it is pure genius. After you watch this show, every other talk show looks dull as dishwater by comparison.

My interest here is also personal: as a professional speaker, what the team that produces this show is doing is showing how we can use technology to truly immerse an audience into a performance. It is as big a sea change as when I swapped out my black-only “foils” for color PowerPoint for my speeches. Only better.

I interviewed two of the folks that are responsible for the show. Granted, any show is a collaboration of many, many people, including a dozen different animators, designers, and pre-visualization specialists, not to mention all the writers and other usual TV production folks. If you aren’t familiar with pre-viz, as it is called, this is an interesting part of the entertainment universe. As more filming has gone digital, pre-viz folks have become very important, because they give directors the ability to see exactly what a scene will look like in its final form before anyone has touched a camera. Think of it like a virtual scene — you can manipulate all sorts of stuff without having to actually build it in real life. I’ll get to why this is important in a moment.

I first spoke to Greg Bloxham, who is the computer operator for the show. That title doesn’t really do his role justice, which is critical to the whole operation. I then exchanged emails with Marc Janowitz, who is the Production and Lighting Designer for the show. Both guys have developed the look and feel and chose the technologies that are used each week.

If you are a fan of Minhaj’s standup, you probably have seen his Netflix special, Homecoming King. Janowitz was involved in that production, which really was a beta test of what the TV series is doing.  “Patriot Act is more like a deep dive into a particular subject that requires intense visual aids to help support the thesis. We had this desire to delve into a style of visual narrative that blends imagery, form and structure and helps to immerse the audiences in the material,” said Janowitz. And as I said earlier, the studio audience is immersed. “A big part of the design impetus for this show was to capture the energy of a live performance with an audience,” he said. Basically, they have turned the tired model of anchorperson-behind-a-desk on its head.

Bloxham spends two days a week on each episode, one day for basic rehearsals, the next day for more detailed rehearsals and then the live-to-tape final run through. He has had a long career in lighting and media design, starting with the Oprah show and then moving into doing live music events and other extravaganzas. “This was a field that was pretty obscure a few years ago, but is now getting to be more common,” he told me. If you remember Oprah, she had video screens around her studio, but not to the extent that Minhaj uses on his show, and certainly not to the extent that they are run in real time.

One of the reasons for the look and feel of the show has to do with Minhaj’s personal preferences. He is very involved in the pre-viz process, naturally, and also has a lot of opinions in how the final shows appear. “It is nice that he is so deeply involved,” Bloxham told me. The show takes a lot of collaborative work, because as you might imagine having such powerful tech means that writers can change things pretty much up to the last minute. He takes the content from the animators and then puts it all together so that they can run the visuals in real time during the actual performance. If you look carefully at any of the episodes, you’ll see the set lighting change colors in synch with what is shown on the video screens. “You can literally program things to move in time with each beat,” he said.

The gear that they use is the Disguise 4x4Pro, which is a specialty piece of hardware that is pretty much the gold standard in the industry and used in many concert venues to drive their complex lighting and visual effects. “The Disguise system is what allows the set to exist as a 3D immersive visual display and can map these different surfaces into a cohesive image,” said Janowitz. “The set design is composed out of multiple different styles and resolutions of LED video displays.”

This system costs tens of thousands of dollars, but what you’ll find inside is a couple of 16-core Xeon CPUs and 32GB of RAM, running Windows embedded 8.1. It outputs 4096×2160 video streams to the various LED screens that are part of the show’s set. “We are certainly pushing a lot of pixels,” Bloxham told me, although I was surprised that this is well within the reach of a typical high-end PC server. “The tech has gotten approachable,” he told me. Each summer he runs a boot camp in Vegas to teach video designers some of the tricks of his trade.  “Your average PC with a good graphics card can do a lot today.”

Actually they have two media servers, one for backup. “Tech always has a risk, and this way I can switch over to the backup system with just a push of a button,” said Bloxham. He has a control console board  that is custom built, and includes the lighting controls as well. Given the number of people involved in producing the show, paying for a second server is a wise investment.

So check out Patriot Act on Netflix and let me know what you think. I think years from now we will be talking about its influence, just as we wax on about The Sopranos today.

Where Moneyball meets addiction counseling

A startup here in St. Louis is trying to marry the analytics of the web with the practice of addiction counseling and psychotherapy. In doing so, they are trying to bring the methods of Moneyball to improve therapeutic outcomes. It is an interesting idea, to be sure.

The firm is called Takoda, and it is the work of several people: David Patterson Silver Wolf, an academic researcher; Ken Zheng, their business manager; Josh Fischer, their co-founder and CTO; and Jake Webb, their web developer. I spoke to Fischer who works full time for Bayer, and supports Takoda on his own time as they bootstrap the venture. “It is hard to put all the various pieces together in a single company, which is probably why no one else has tried to do this before,” he told me recently.

The idea is to measure therapists based on patient performance during treatment, just like Moneyball measured runs delivered by each baseball player as their performance measurement. But unlike baseball, there is no single metric that everyone has created, certainly not as obvious as RBIs or homers.

We are at a unique time in the healthcare industrial complex today. Everyone has multiple electronic health records that are stored in vast digital coffins; so named because this is where data usually goes to die. Even if we see mostly doctors in a single practice group, chances are our electronic medical records are stored in various data silos all over the place, without the ability to link them together in any meaningful fashion.

On top of this, the vast majority of therapists have their own paper-based data coffins: file cabinets full of treatment notes that are rarely consulted again. Takoda is trying to open these repositories, without breaching any patient data privacy or HIPAA regulations.

Part of the problem is that when someone seeks treatment, they don’t necessarily learn how to get better or move beyond their addiction issues while they are in their therapist’s office. They have to do this on their own time, interacting with their families and friends, in their own communities and environment.

Another part of the problem is in how we select a therapist to see for the first time. Often, we get a personal referral, or else we hear about a particular office practice. When we walk in the door, we are usually assigned a therapist based on who is “up” – meaning the next person who has the lightest caseload or who is free at that particular moment when a patient walks in the door. This is how many retail sales operations work. The sole design criterion was to evenly distribute leads and potential customers. That is a bad idea and I will get to why in a moment.

Finally, the therapy industry uses two modalities that tend to make success difficult. One is that “good enough” is acceptable, rather than pursuing true excellence or curing a patient’s problem. When we seek medical care for something physically wrong with us, we can find the best surgeon, the best cardiologist, the best whatever. We look at their education, their experience, and so forth. Patients don’t have any way to do this when they seek counseling. The other issue is that therapists aren’t necessarily rewarded for excellence, and often practices let a lot of mediocre treatment slide. Both aren’t optimal, to be sure.

So along comes Takoda, who is trying to change how care is delivered, how success is measured, and whether we can match the right therapists to the patients to have the best treatment outcomes. That is a tall order, to be sure.

Takoda put together its analytics software and began building its product about a year ago. First they thought they could create something that is an add-on to the electronic health systems already in use, but quickly realized that wasn’t going to be possible. They decided to work with a local clinic here. The clinic agreed to be a proving ground for the technology and see if their methods work. They picked this clinic for geographic convenience (since the principals of the firm are also here in St. Louis) and because they already see numerous patients who are motivated to try to resolve their addiction issues. Also, the clinic accepts insurance payments. (Many therapists don’t deal with insurers at all.) They wanted insurers involved because many of them are moving in the direction of paying for therapy only if the provider can measure and show patient progress. While many insurers will pay for treatment, regardless of result, that is evolving. Finally, the company recognized that opioid abuse has slammed the therapy world, making treatment more difficult and challenging existing practices, so the industry is ripe for a change. Takoda recognizes that this is a niche market, but they had to start somewhere. “So we are going to reinvent this industry from the ground up,” said Fischer.

So what does their system do? First off, it uses research to better match patients with therapists, rather than leave this to chance or the “ups” system that has been used for decades. Research has shown that matching gender and race between the two can help or hurt treatment outcomes, using very rough success measures.

Second, it builds in some pretty clever stuff, such as using your smartphone to create geofences around potentially risky locations for each individual patient, and providing a warning signal to encourage the patient to steer clear of these locations.

Finally, their system will “allow practice offices to see how their therapists are performing and look carefully at the demographics,” said Fischer. “We have to change the dynamic of how therapy care is being done and how therapists are rated, to better inform patients.”

It is too early to tell if Takoda will succeed or not, but if they do, the potential benefits are clear. Just like in Moneyball, where a poorly-performing team won more games, they hope to see a transformation in the therapy world with a lot more patient “wins” too.

The rise of the online ticketing bots

A new report describes the depth of criminality across online ticketing websites. I guess I was somewhat naive before I read the report, “How Bots affect ticketing,” from Distil Networks. (Registration is required.) The vendor sells anti-bot security tools, so some of what they describe is self-serving to promote their own solutions. But the picture they present is chilling and somewhat depressing.

The ticketing sites are being hit from all sides: from dishonest ticket brokers and hospitality agents who scrape details and scalp or spin the tickets, to criminals who focus on fan account takeovers to conduct credit card fraud with their ticket purchases. These scams are happening 24/7, because the bots never sleep. And there are multiple sources of ready-made bad bots that can be set loose on any ticketing platform.

You probably know what scalping is, but spinning was new to me. Basically, it involves a mechanism that appears to be an indecisive human who is selecting tickets but holding them in their cart and not paying for them. This puts the tickets in limbo, and takes them off the active marketplace just long enough that the criminals can manipulate their supply and prevent the actual people from buying them. That is what lies at the heart of the criminal ticketing bot problem: the real folks are denied their purchases, and sometimes all seats are snapped up within a few milliseconds of when they are put on sale. In many cases, fans quickly abandon the legit ticketing site and find a secondary market for their seats, which may be where the criminals want them to go. This is because the seat prices are marked up, with more profit going to the criminals. It also messes with the ticketing site’s pricing algorithms, because they don’t have an accurate picture of ticket supply.

This is a new report from Distil, focusing just on the ticketing vendors. In the past year, they have seen a rise in the sophistication of the bot owners’ methods. That is because, as with much of cybercrime, there is an arms race between defenders and the criminals, with each upping their game to get around the other. The report studied 180 different ticketing sites for a period of 105 days last fall, analyzing more than 26 billion requests.

Distil found that the average traffic across all 180 sites was close to 40% consumed by bad bots. That’s the average: many sites had far higher percentages of bad bot traffic. (See the graphic above for more details.)

Botnets aren’t only a problem with ticketing websites, of course. In an article that I wrote recently for CSOonline, I discuss how criminals have manipulated online surveys and polls. (Registration also required.) Botnets are just one of many methods to fudge the results, infect survey participants with malware, and manipulate public opinion.

So what can a ticketing site operator do to fight back? The report has several suggestions, including preventing outdated browser versions, using better Captchas, blocking known hosting providers popular with criminals, and looking carefully at sources of traffic for high bounce rates, a series of failed logins and lower conversion rates, three tells that indicate botnets.
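The three tells named above (high bounce rate, a series of failed logins, low conversion rate) can be scored per traffic source. The following is an added example, not code from the Distil report or from this post; the event format, source labels and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds for illustration only; tune them against your own baseline.
MIN_SESSIONS = 5            # too little traffic below this to judge a source
BOUNCE_RATE_MAX = 0.80      # share of sessions that made exactly one request
FAILED_LOGIN_RUN_MAX = 5    # longest run of consecutive failed logins
CONVERSION_RATE_MIN = 0.01  # share of sessions that ended in a purchase


def summarize(events):
    """Aggregate time-ordered events into per-source statistics.

    Each event is a dict with hypothetical keys: source (network or ASN
    label), session (session id) and event (page, login_fail, login_ok,
    purchase).
    """
    requests = defaultdict(lambda: defaultdict(int))  # source -> session -> count
    buyers = defaultdict(set)                         # source -> sessions that bought
    run = defaultdict(int)                            # current failed-login run
    longest = defaultdict(int)                        # longest failed-login run
    for ev in events:
        src, sess, kind = ev["source"], ev["session"], ev["event"]
        requests[src][sess] += 1
        if kind == "purchase":
            buyers[src].add(sess)
        elif kind == "login_fail":
            # Counted per source, not per session: bots rotate sessions.
            run[src] += 1
            longest[src] = max(longest[src], run[src])
        elif kind == "login_ok":
            run[src] = 0
    stats = {}
    for src, sessions in requests.items():
        n = len(sessions)
        stats[src] = {
            "sessions": n,
            "bounce_rate": sum(1 for c in sessions.values() if c == 1) / n,
            "conversion_rate": len(buyers[src]) / n,
            "max_failed_login_run": longest[src],
        }
    return stats


def flag_sources(stats):
    """Return {source: [tells]} for sources showing at least two tells.

    Requiring two tells keeps a source of human window shoppers (low
    conversion only) from being flagged.
    """
    flagged = {}
    for src, s in stats.items():
        if s["sessions"] < MIN_SESSIONS:
            continue
        tells = []
        if s["bounce_rate"] > BOUNCE_RATE_MAX:
            tells.append("high_bounce_rate")
        if s["max_failed_login_run"] > FAILED_LOGIN_RUN_MAX:
            tells.append("failed_login_series")
        if s["conversion_rate"] < CONVERSION_RATE_MIN:
            tells.append("low_conversion")
        if len(tells) >= 2:
            flagged[src] = tells
    return flagged


def sample_events():
    """Constructed sample traffic; not real data."""
    ev = []

    def add(src, sess, *kinds):
        ev.extend({"source": src, "session": sess, "event": k} for k in kinds)

    for i in range(10):  # ordinary fans: several pages, some purchases
        kinds = ["page", "page", "page"] + (["purchase"] if i < 2 else [])
        add("residential-isp", f"r{i}", *kinds)
    add("residential-isp", "r10", "login_fail", "login_ok", "page")
    for i in range(20):  # one failed login per throwaway session
        add("hosting-provider-a", f"a{i}", "login_fail")
    for i in range(8):   # single-request scraping sessions
        add("hosting-provider-b", f"b{i}", "page")
    for i in range(6):   # humans who browse but do not buy
        add("window-shoppers", f"w{i}", "page", "page", "page", "page")
    for i in range(2):   # below MIN_SESSIONS, never judged
        add("small-office", f"o{i}", "page")
    return ev


if __name__ == "__main__":
    for source, tells in flag_sources(summarize(sample_events())).items():
        print(source, tells)
```
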

FIR B2B Podcast #116: If AI is Becoming So Good, Why Are We Still Counting Clicks?

In this fast-paced episode my podcasting partner Paul Gillin and I offer five different news stories that bracket the B2B marketing world. First up is this piece about neural storytelling and how AI is attempting to create content with machine learning algorithms. This kind of technology has some important implications and not because it promises to replace humans. In the news recently is this story about the OpenAI text generator called GPT2. Its creators were afraid that its work could generate spam and fake news so effectively that they’ve chosen not to release the full-strength version to developers. That’s either a little unsettling or a great PR stunt.

Next is a story about how clicks are an “unreliable seismograph” for a news article’s value, combined with new research to back up that conclusion. We all seek out stories that amuse and entertain us, but a good news site contains a nice mix of the serious and the bizarre. As serious readers, we need to seek out stories of civic value, not just the latest celebrity clickbait. The article, which was prepared by Neiman Lab, also notes that the word “personalization” has become a big negative, because folks think this means “ads will follow your browsing forever” rather than customizing content for a reader’s taste and preferences.

We move on to a piece that is almost blindingly obvious, but a great checklist to help marketers understand how to influence the B2B decision-making process. It proposes five simple questions to ask your prospective customers, such as where they start their search for content, what kinds of information they look for and what sites they employ. Answering these questions takes just a few minutes and can give marketers a useful starting point for a lead-generation campaign.

We also found this piece on Marketing Week that talks about a recent series of decisions by MasterCard to both eliminate text from their logo (as at left) and use “sonic branding” to help with voice assistants and audio sound-enabled devices. This company is smart in getting ahead of the voice assistant phenomenon and figuring out branding in this new medium.

Speaking of audio, our final piece is a study that suggests that podcast ads outperform TV ads. The study found that the two are equivalent in terms of being memorable and resonating with audiences. Podcast advertising can be particularly effective when the host lends legitimacy by giving a personal pitch for the product, which is becoming the norm in that medium.

You can listen to our 14 and a half minute podcast here:

The Huawei telecom ban makes no sense

Color me confused about our 5G technology policy. Today I see this statement: “I want 5G, and even 6G, technology in the United States as soon as possible. It is far more powerful, faster, and smarter than the current standard. American companies must step up their efforts, or get left behind. I want the United States to win through competition, not by blocking out currently more advanced technologies.” That is from a recent set of tweets from our president. He is expected to sign an executive order banning Huawei equipment from domestic cellular carriers before next week. Not to be outdone, Congress is considering HR 4747 that would prevent government agencies from doing business with them.

Huawei seems to be the latest target of badly behaving tech companies, and it has gotten a lot of enemies. Last week our Secretary of State met with several European leaders, telling them to not purchase any equipment from Huawei in building out their 5G cellular networks. He told them that this gear will make it more difficult for American equipment to operate there.

The fear is that Chinese will embed spying devices in their gear, interfering with communications. Chinese hacking attempts have dramatically risen over the past year, according to this new report from Crowdstrike. While the report didn’t identify Huawei as the source, they did find several hacking attempts aimed specifically at telecom vendors and their government customers.

The US isn’t alone in its fear of Huawei spying. Poland, Italy and Germany are all considering banning their gear from their newer cell networks. Last year, both South Korea and Australia enacted such a ban, and the UK began removing their equipment too. Huawei supplies Australian and UK 4G equipment and BT said last month that they will begin removing that stuff.  A recent news story in The Register stated that Huawei won’t be used to run any new British government networks, even though it will continue to be used in British landline infrastructure.

But is the Chinese government really using Huawei equipment to spy on us? Jason Perlow writes in ZDnet that chances are low, mainly because first there is no concrete proof, and second because it wouldn’t be in their best economic interests. Also, given that you can find Chinese semiconductors in just about everything these days, it would be nearly impossible to effectively ban them.

But there is another confounding reason that no one has mentioned, and that has to do with this law called CALEA. It spells out requirements for telecom suppliers and how they must provide access to government wiretaps and other law enforcement activities from their gear. So technically, not only is Huawei doing this, but all the other telecom vendors have to do so too. If you are with me so far, you see that Huawei is obligated to have this “backdoor” if they want to do business in the USA, yet we are criticizing them for having this very same backdoor! How this will play out in these bans is hard to realize.

A Huawei ban makes no sense. But it won’t stop government agencies from piling on at this stage.

FIR B2B episode #115: Social Media Adoption Over the Years – the Latest from the Annual UMass Survey

Today Paul Gillin and I talk to Nora Ganim Barnes, Chancellor Professor of Marketing and Director of the Center for Marketing Research at the University of Massachusetts Dartmouth, about her latest survey of corporate social media usage. Barnes has been surveying two distinct populations for the past 12 years – the INC 500 and the Fortune 500 – to ascertain what social media platforms they use, how they use them and how they measure results. Her students visit the websites of all 1,000 companies measured and augment the research with telephone interviews.

For the first time in nine years, more F500 are using blogs than the INC 500, and the increase has been substantial in just the past three years (see chart below), jumping from 21% in 2015 to 53% in the most recent survey. Clearly, the largest companies have reclaimed blogging and are using their blogs to tell stories and better craft their marketing messages.

Barnes found that Twitter occupies an odd place in the social media pantheon: it is well used (with 369 out of 500 companies running active accounts), but not considered very effective. Still, companies don’t abandon Twitter, perhaps out of fear of missing out or the possibility that they might need it at some point.

What has also changed is that 56% of INC 500 execs are now doing a better job of listening on social media, tracking online conversations about their brands and products with various monitoring tools. That is a big increase from last year, when it was about half that number.

This year Barnes’ research found a big concern about privacy, which is probably not surprising given the numerous breaches and missteps by Facebook and others in this area. Privacy was executives’ second biggest concern behind social ROI.

Finally, her survey saw double the firms who have formulated a social media plan from last year. Although the overall percentage is still less than a quarter of the total, that’s progress.

You can download the UMass surveys at the link above, both the current ones and those from years past. They are a rich resource that all corporate marketing departments should carefully examine.

You can listen to our 21 min. podcast here:

CSOonline: How online polls are hacked and what you should do about it

The news in January about Michael Cohen’s indictments covers some interesting ground for IT managers and gives security teams something else to worry about: He allegedly paid a big data firm Redfinch Solutions to rig two online polls in then-candidate Donald Trump’s favor. To those of us who have worked with online polls and surveys, this comes as no surprise.

Researchers at RiskIQ found another survey-based scam that involves a complex series of steps that use cloned YouTube identities to eventually get marks to take surveys to redeem their “free” iPhones. Instead, the respondents get malware installed on their computers or phones. Security managers need to up their game and understand both the financial and reputational risks of rigged polls and the exploits that are delivered through them. Then they can improve their protective tools to keep hackers away from their networks and users. In this story for CSOonline, I talk about some of these issues and explain why businesses should use online polls and how to keep your networks safe from bad ones. 

Privacy, transparency, and increasing digital trust

“There is a crisis of trust in American democracy.” So begins a new report from the Knight Commission on Trust, Media and Democracy organized by the Aspen Institute. It lays blame on our political discourse, racial tensions, and technology that gives us all more access to more commentary and news. “In 2018, unwelcome facts are labeled as fake.”

Part of the problem with trust has to do with the ease with which cyber-criminals can ply their trade. Once relegated to a dark corner of the Internet, now many criminals operate in the public view, selling various pieces of technology such as ready-made phishing kits to seed infections, carders to collect credit card numbers, botnets and web stressors to deliver DDoS attacks, and other malware construction kits that require little to no technical expertise beyond clicking a few buttons on a web form. A new report from CheckPoint shows that anyone who is willing to pay can easily obtain all of these tools. We truly have witnessed the growth of the “Malware-as-a-service” industry.

This week I was in London participating in a forum for the Euro press put on by RSA. I got a chance to interview numerous experts who have spent their careers examining cybercrime and understanding how to combat fraud. It was a somewhat sobering picture, to be sure. At the forum, RSA’s president Rohit Ghai spoke about how the largest facet of risk today is digital risk, and how businesses need to better integrate risk management and cyber security methods. “This is a team sport, and security, IT, operations and risk groups all need to work together,” he said. “Our goal is not just about protecting apps or data, but about protecting our trust assets. We trust strangers to share our homes and cars because tech brings us together and drives the sharing economy.” We need to replace this trust system in the B2B world as Airbnb and Lyft have done for consumer-based businesses.

Ghai agrees with the conclusions of the Knight report that trust is at an all-time low. We have gotten so distrustful of our digital lives that we now have a new acronym, LDL, for let’s discuss live. But we can’t turn back the clock to the analog era: we need trust to fuel our future economic growth. He mentioned that to be trustful, “an ethical company should be doing the right thing, even if no one is looking at them at the time.” I liked that idea: too often we hear about corporations that are polluting our environment, denying any responsibility or worse, covering up the details when they get caught.

Part of the challenge is that cybersecurity is really a business problem, not a failure of technology. This is because “breaches and intrusions will occur,” says Ghai. “We have to move beyond the shame of admitting a data intrusion, and understanding its business impact. Our goal should be maintaining cyber wellness, not trying to totally eradicate threats.” Taking better care of customers’ privacy is also good for business, as numerous reports (such as this one from RSA) have concluded recently. Almost half of the consumers surveyed believe there are ethical ways companies can use their data.

Another issue is that what we say and what we actually do about maintaining our digital privacy are often at odds with each other. In a 2017 MIT privacy experiment, they found that student participants would quite readily give up personal data for very small incentives, such as a free pizza. This dichotomy is even seen with IT security pros. A recent survey by Yubico found that more than half of those IT managers who have been phished have still not changed their password behavior. If they don’t change to improve their own security, who will?

The same dichotomy can be said about transparency: sadly, there are few companies who are actually as transparent as they claim, either through willfully misleading the public (Facebook is tops in this regard) or by just doing a poor job of keeping their IT assets under appropriate controls (the City of Atlanta or Equifax are two prime case studies here).

Where do we go from here? Security expert Bruce Schneier says that trust is fragile, and transparency is essential to trust. The Knight report carries a series of recommendations for journalists, technology vendor managers, and ordinary citizens, and I hope we can implement many or all of them to make for a better mutual and trusted future. They include being better at practicing radical transparency, for journalists to disclose information sources as a rule, and making social networks step up and take responsibility for protecting their users. All of us need to work together if we want to turn this around and increase trust.