Dave Hearst Saves Lives by Delivering Blood for the Red Cross

Most everyone is familiar with American Red Cross blood drives. But collecting the blood is just one part of the operation. After processing, the right blood products must be delivered to the right hospitals at the right time, and that requires a lot of logistics. To get the job done, the Red Cross depends on volunteers to transport these donations. One of the most reliable and enthusiastic volunteers is Dave Hearst, who began volunteering in May of 2018 after hearing about the need for drivers while making his own regular blood donation. I interviewed him for a profile for the Red Cross here.

Like Hearst, I also volunteer as a blood driver for our local chapter. It is very rewarding work. We save the chapter more than $1M in transportation expenses annually.

Who is Maria Ressa?

What if you built an online news site from the ground up, ironically starting from a simple Facebook Groups page. You grew to hire dozens of editors and became the antagonist of the President as you investigated various criminal activities of his administration, including calling out various fake news proclamations by government officials. Then to silence your efforts, the  government used a new cybersecurity law to (again ironically) indict and ultimate find you guilty with a six-month jail sentence. Oh, and there were death threats and various Presidential proclamations and attacks along the way.

Maria A. RessaYou might be trying to figure out which American news source I am talking about, but it is the website Rappler, The site was founded nearly ten years ago by Maria Ressa, who just shared the Nobel Peace Prize (and has numerous other awards including a Fulbright).  Ressa’s Rappler has exposed a variety of Philippine government corruption scandals and various financial dirt and called attention to the anti-drug campaign that has resulted in the murder of thousands of supposed drug dealers.

Her arrest warrant was issued in 2019 was created due to one seemingly innocent action by Rappler: making a small spelling correction to an 2012 article that made it fall under the law’s purview. Ressa faces numerous other pending legal cases too.

Ressa’s plight was documented in an excellent PBS Frontline piece not too long ago. Called A Thousand Cuts, it shows how hard she worked to reveal the perfidy of her government, and the peril that she faced for running an investigative news operation. I am glad the Nobel committee has recognized her efforts and hope that all the attention will eventually overturn her unjust criminal charges. The world needs more people like her to bring sunlight into the real criminals running her government.

Red Cross blog: Volunteer serves Red Cross at home and abroad through his high-tech skillset

Over the years, David Sewell has worked for many different Red Cross departments, including a shelter worker and a damage assessment worker. With this history, it is no surprise that he has done about 40 different deployments all across the country. He now has two positions with the Red Cross where he is both the Disaster Services Technology Chief and a member of the international Information Technology and Telecommunications disaster response roster. As part of these assignments, he manages between 40 and 60 volunteers across the western part of the U.S. and puts in roughly three hours per day on Red Cross activities.

You can read my profile of his activities for various Red Cross chapters here.

Bob Metcalfe on credit, gratitude, and loyalty

For Bob Metcalfe, many things come in triples. His most successful company was called 3Com is one example. I met up with him recently and he told me, “You will be happier if you give and enjoy but not expect credit, gratitude, or loyalty.” Before I unpack that, let me tell you the story of how Bob and I first met.

This was in 1990 and I was about to launch Network Computing magazine for CMP. I was its first editor-in-chief and it was a breakout job for me in many respects: I was fortunate to be able to set the overall editorial direction of the publication and hire a solid editorial and production team, it was the first magazine that CMP ever published using desktop technology and it was the first time that I had built a test lab into the DNA of a B2B IT publication. Can you tell that I am still very proud of the pub? Yeah, there is that. Bob was one of our early columnists, and he was at the point in his career where he wanted to tell some stories about the development of his invention of Ethernet. We had a lot of fun getting these stories into print and Bob told me that for many years those first columns of his had a place of honor in his home. Bob went on to write many more columns for other IT pubs and eventually became publisher of Infoworld.

In addition to being a very clever inventor, Bob is also a master storyteller. One of his many sayings has since been enshrined as “Metcalfe’s law” which says a network’s effect is proportional to the square of its users or nodes. He is also infamous for wrongly predicting the end of the Internet in an Infoworld column he wrote in December 1995.  He called it a “gigalapse”  which would happen the next year. When of course it didn’t come to pass, he ate the printed copy of his column.

Oh well, you can’t always be right, but he is usually very pithy and droll.

Let’s talk about his latest statement, about credit, gratitude and loyalty. Notice how he differentiates the give and take of the three elements: with Bob, it is always critical to understand the relationship of inputs and outputs.

Credit means being acknowledged for your achievements. “The trick is to get credit without claiming it,” says Metcalfe. Credit comes in many forms: validation from your peers, recognition by your profession, or even a short “attaboy” from your boss for a job well done. I can think of the times in my career when I got credit for something that I wrote about: a fine explanation of something technical by one of my readers, or spotting a trend that few had yet seen. But what Bob is telling us is to put the shoe on the other foot, and give credit where and when it is due — output, rather than input. It is great to be acknowledged, but greater still if we cite those that deserve credit for their achievements. Going back to Network Computing, many of the people that I hired have gone on to do great things in the IT industry, and I continue to give them props for doing such wonderful work and to their contributions to our industry.

Gratitude is getting positive feedback, of thanking someone for their efforts. Too often we forget to say thanks. I can think of many jobs that I have held over the years where my boss didn’t give out many thank yous. But it is always better to give thanks to others than expect it. Credit and gratitude are a tight bundle to be sure.

Finally, there is loyalty. The dictionary defines this in a variety of ways, but one that I liked was “faithful to a cause, ideal, custom, institution, or product.” Too often we are expected to be faithful to something that starts out well but ends up poorly. Many times I have left jobs because the product team made some bad decisions, or because people whom I respected left out of frustration. If you are the boss, you can’t really demand loyalty, especially if you don’t show any gratitude or acknowledge credit for your staff’s achievements. “Loyalty is what you expect of your customers when your products are no longer competitive,” says Metcalfe.

I would be interested in your own reactions to what Bob said, and if you have examples from your own work life that you would like to share with others.

The end of IBM/Lotus Notes

Last week, IBM sold off its Domino/Notes software business unit to HCL. While you probably haven’t heard of them, they are a billion dollar Indian tech conglomerate. Sadly, this represents the end of one era for Notes. It certainly has had a long and significant life span.


“Notes’ longevity is amazing,” says David DeJean, who co-wrote one of the first books about it back in 1991. “What other corporate software product has had that kind of run? Notes’ success started with its chameleon-like ability to go into a company and work the way the company worked. It let companies computerize their operations at their own pace. Other software packages have been the software of “No” where Notes was almost always the software of ‘Sure.’”

I was present at its conception in the late 1980s, when Ray Ozzie had the idea for what was then an unknown software category that was labeled at the time as groupware. It was the first time that a PC software program could be used to connect multiple computers in a meaningful way, and be used to create applications that leveraged the group. DeJean recalled that these apps were at the heart of what made Notes work: “During a crucial moment in the computerization of the enterprise in the 1990s, Notes applications proliferated like rabbits. It was very easy for companies to get into Notes, and very hard to get out.”

When Notes came out. I was working as an editor at PC Week. My colleague Sam Whitmore told me that “it took us a while to get our brains around the idea of its replication feature. Most of us found it redundant to email.” That was its biggest challenge, and well into its middle age Notes’ biggest competitor continued to be ordinary email. Many of my press colleagues carried a long-standing hatred for it. Nevertheless, Whitmore also recalls that “Lotus appreciated how technical we were, that we understood what Ray Ozzie was bringing to the world. Perhaps because of this, Lotus offered PC Week a lot of money to produce a special report on Notes.”

I had first-hand experience using Notes when I worked at CMP in the early 2000’s when I was an editor at VAR Business and also at EETimes. The CMP IT department had written quite a few Notes applications for various editorial and sales tracking purposes, again showing how extensible it could be.

This is something that many of its critics didn’t really understand, both then and now. One of its earliest customers was  PriceWaterhouse, now PwC. Sheldon Laube was running the IT operation there and made the decision to purchase 10,000 copies of Notes back in 1990. He told me that this “started a transformation at the firm. Notes was truly the first personal computer software product that changed the nature of how people used PCs. Until Notes came along, PCs were personal productivity tools, with the majority of uses being spreadsheets, word processing and presentations. Notes created a social use for personal computers and enabled teams of people, spread across geographies, to communicate, collaborate and share information in a way which was not possible previously. It was the tool that moved PCs and networks onto every desk in every office of PW around the world.”

This is an important point, and one that I didn’t think much about until I started corresponding recently with Laube. If you credit Notes as being the first social software tool, it actually predates Facebook by more than a decade. Even MySpace, which was the largest social network for a few years (and had more traffic than Google too), was created in the early 2000s.

Notes was also ahead of its time in another area. “Notes was a precursor to both the web and social media,” says Laube. “It was all about easily publishing and sharing information in a managed way suited to business use. It is the ease of management and the ability to control information access within Notes securely which allowed its rapid adoption by business.” Laube reminded me that back then, information security was barely recognized as necessary by IT departments.

This isn’t completely an accurate picture, mainly because Notes was focused on the enterprise, not the consumer. Notes “mixed email with databases with insanely secure data replication and custom apps,” said David Gewirtz in his column this week for ZDnet. He was an early advocate of Notes and wrote numerous books and edited many newsletters about its enterprise use. “It was enterprise software before enterprise software was cool.” He wrote about how Notes had elements of Salesforce, Dropbox, Atlassian, Zendesk and ServiceNow — years before any of these products were even invented. Another aspect of Notes that doesn’t get much attention is its integrated group calendars and contacts. Now we take these elements for granted — until they don’t work — and expect them in many communications tools. Back in the early 1990s, this was a rare feature. Scott Mace, who runs the site CalendarSwamp, remembers complaining about how hard shared calendars were back in the late 1990s, and how Notes was an early standout then.

Notes has gone through many transitions in its long life: After IBM acquired it, Big Blue extended the software to Domino, which combined Notes with web services and eventually was used to provide a managed hosting solution as well. Ozzie told me that  Notes was in essence an amazingly powerful applications server with captive clients. This differed from the web model, where web clients were free and Netscape and others made money from selling their own application servers. IBM added the web server because they had to: Ozzie said if they hadn’t, Notes would have died quickly in the web era. Instead, it still flourishes.

Another thing that doesn’t get much attention is that IBM believed so much in Notes that it made it its corporate communications standard for many years. One of their reasons — and a major motivation for many other customers — is that Notes offered an end-to-end encrypted email system, something that wasn’t common at the time.

Even so, IBM was a poor fit for Notes because it was too slow to innovate. While having a web front-end solved one big problem for Notes (its very thick client software), it wasn’t enough to compete against the world of open source and the rich software development of the web. As the web took over the software world, Notes became more of an anachronism, and more nimble solutions (including one product called Nimble, btw) became more attractive to corporate software developers. Ozzie said, “Shame on IBM for losing the corporate email market” to Microsoft and then Google. He reminded me that back then, we had different email systems that couldn’t connect with each other, even within the same office.

Betsy Kosheff, who did PR for Lotus back when it was sold to IBM, told me, “IBM had no business doing software innovation. That point was very obvious right from the acquisition. It’s not their fault – IBM is just not designed that way. I imagine their India-based buyer will be looking for more operational efficiencies. They’re probably not looking for the next big idea, which is what was so much fun about Notes and being part of that product in the early days. I’m not saying you can’t possibly create an entrepreneurial division with exciting innovations from within a larger company. I’m just saying they didn’t do it at IBM and probably not at any other billion dollar IT company.”

Ozzie reminded me that when Lotus was sold to IBM, they were in a head-to-head battle with Exchange. Microsoft had the edge because they owned the operating system and had majority share with office applications. IBM could offer a broader software portfolio that could attract customers.

Was Notes too early for its time? Ozzie says no: “I am just pleased that things have continued to evolve in collaboration tools.There are still things related to human interaction, such as distributed trust and managing overload that we first learned in Notes that have yet to be embraced by anything in the enterprise social world.”

Jon Callas on joining the ACLU

I have known Jon Callas for many years, tracking back to when he was part of the PGP Corporation and bringing encrypted email to the world. He has been a long-time security researcher who has been part of the launch teams at Silent Circle and Blackphone. Recently he has moved from Apple to the ACLU, where he is a technical fellow in the Speech, Privacy and Technology Project.

I spoke to him last week and caught up with what he is working on now, and thought you might be interested. His job now is to help the mostly legal team at ACLU to understand the technical issues, especially from someone who has been deeply steeped in them over the years. “Technology is such a part of the modern world that we need more people to understand it,” he said. One of his focus areas is the recent changes in Australian encryption laws. He is still trying to figure out the implications, and so far he views this bill as more guiding government assistance than actual intervention. The bill also raises more questions than it answers, such as how does a developer secretly insert code into a system that has tracking or build version controls? He is also watching the revelations around the Facebook document trove that was released this week by British lawmakers. (Here is the backstory and ProtonMail’s comments on the law is here.) “Clearly, there are contradictions between what Facebook management said they were and weren’t doing and what was mentioned in these documents,” he said. When I asked him what he what do if he were CTO of Facebook, he just laughed.

One other area of interest is how to understand how the government is acting to curb freedom of speech, and what is going on at our borders. “The government quite reasonably says that they can look inside your suitcase when you cross into our country. That I understand, but shouldn’t your electronic devices be treated differently from what else is in your suitcase? There are many answers here, and we need to have legal and policy discussions and understand exactly what problems we are trying to solve.”

We also spoke about the recent actions by Google employees protesting their Chinese-specific search engine. “I find it encouraging that tech people are looking at the consequences of what they do and where this technology is going to be used and what it all means,” he said. Now, “we are more in tune with privacy concerns. People are thinking about the ethics and consequences of what they are doing. They want to have a part in these discussions. That is what a free society should do.”

Brian NeSmith, providing SOC-as-a-Service with Arctic Wolf Networks

Brian NeSmith is the CEO of Arctic Wolf Networks, which was started back in 2012.  They provide Security Operations Center-as-a-Service. I have known him for decades when he started a quirky company called Cacheflow that eventually became part of Blue Coat where he was also CEO. I asked him a few questions.

Q: What has changed in enterprise infosec compared to when you first started at AWN six years ago?

Back when we started the company breaches were smaller with little lasting damage.  The stakes are much higher profile now. We started the company before Target, Equifax and Petya, major attacks that put cybersecurity on the evening news. Nowadays cybersecurity is a boardroom topic, and a company’s brand and business are affected by how good their security is.

Q: How does a SOC-as a S differ from just a MSP who sells managed SOC services?

SOC-as-a-service provides experienced security analysts doing real security work.  MSPs selling managed SOC services are usually just managing the infrastructure or forwarding alerts, but they are not doing the actual security work. The pressing issue in our industry today is how we detect and respond to threats and not just managing the infrastructure more cost effectively.  SOC-as-a-service provides that, and managed SOC services from an MSP does not.

Q: What portion of the resources you monitor are on premises vs. cloud of your current customers? How has that changed from six years ago?

The portion of cloud resources we monitor has been steadily increasing over the past six years.  But the largest resource we monitor in most companies is still the employees and their endpoints.  Many people view people as the weakest link in the chain, and we find that still to be the case.  Most security incidents are still due to some sort of human error or mistake even when they have the best security products in place.

Q: You ran Blue Coat through some very turbulent times, when it was first called CacheFlow. How have web apps changed from those early days and will enterprises ever feel secure deploying them?

It is a completely different world today than when I first started leading CacheFlow.  There is not a company out there that does not rely on a web app to operate or serve their customers.  If they have not, companies do not have a choice but to embrace web apps, so they need to figure out what is needed to feel secure deploying them.

Q: Is ransomware or fileless malware more of a threat today from your POV?

I don’t think they are any more of a threat than other types of malware.  Ransomware is different in that it can literally bring your business to a halt.  That is very different from traditional malware.  When it comes to fileless malware, the increased danger comes from how openly information is on how to exploit these.  We have seen malware become commercialized so you can literally purchase the malware you want to use and even get technical support.  This means that anyone can become a hacker, and it will result in more attacks.

A new way to do big data with entity resolution

I have this hope that most of you reading this post aren’t criminals, or terrorists. So this might be interesting to you, if you want to know how they think and carry out their business. Their number one technique is called channel separation, the ability to use multiple identities to prevent them from being caught.

Let’s say you want to rob a bank, or blow something up. You use one identity to rent the getaway car. Another to open an account at the bank. And other identities to hire your thugs or whatnot. You get the idea. But in the process of creating all these identities, you aren’t that clever: you leave some bread crumbs or clues that connect them together, as is shown in the diagram below.

This is the idea behind a startup that has just come out of stealth called Senzing. It is the brainchild of Jeff Jonas. The market category for these types of tools is called entity resolution. Jonas told me, “Anytime you can catch criminals is kind of fun. Their primary tradecraft holds true for anyone, from bank robbers up to organized crime groups. No one uses the same name, address, phone when they are on a known list.” But they leave traces that can be correlated together.

Jonas started working on this many years ago at IBM. He is trying to disrupt the entity resolution market and eventually spun out Senzing with his tool. The goal is that you have all this data and you want to link it together, eliminate or find duplicates, or near-duplicates. Take our criminal, who is going to rent a truck, buy fuel oil and fertilizer, and so forth. He does so using the sample identities shown at the bottom of the graphic. Senzing’s software can parse all this data and within a matter of a few minutes, figure out who Bob Smith really is. In effect, they merge all the different channels of information into a single, coherent whole, so you can make better decisions.

Entity resolution is big business. There are more than 50 firms that sell some kind of service based on this, but they offer more of a custom consulting tool that requires a great deal of care and feeding and specialized knowledge. Many companies end up with million-dollar engagements by the time they are done. Jonas is trying to change all that and make it much cheaper to do it. You can run his software on any Mac or Windows desktop, rather than have to put a lot of firepower behind the complex models that many of these consulting firms use.

Who could benefit from his product? Lots of companies. For example, a supply chain risk management vendor can use to scrape data from the web and determine who is making trouble for a global brand. Or environmentalists looking to find frequent corporate polluters. A finservices firm that is trying to find the relationship between employees and suspected insider threats or fraudulent activities. Or child labor lawyers trying to track down frequent miscreants. You get the idea. You know the data is out there in some form, but it isn’t readily or easily parsed. “We had one firm that was investigating Chinese firms that had poor reputations. They got our software and two days later were getting useful results, and a month later could create some actionable reports.” The ideal client? “Someone who has a firm that may be well respected, but no one actually calls” with an engagement, he told me.

Jonas started developing his tool when he was working at IBM several years ago. I interviewed him for ReadWrite and found him fascinating. An early version of his software played an important role in figuring out the young card sharks behind the movie 21 were taking advantage of card counting in several Vegas casinos, and was able to match up their winnings all over town and get the team banned.  Another example is from  Colombia universities who saved $80M after finding 250,000 fake students being enrolled.

IBM gets a revenue share from Senzing’s sales, which makes sense. The free downloads are limited in terms of how much data you can parse (10,000 records), and they also sell monthly subscriptions that start at up to $500 for the simplest cases. It will be interesting to see how widely his tool will be used: my guess is that there will be lots of interesting stories to come.

Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

Security insider: Ben Rothke, Nettitude Group

Ben Rothke is a Principal Security Consultant at the Nettitude Group and is a CISSP, CISM and PCI QSA. He has over 15 years of industry experience in information systems security and privacy. He is the author of Computer Security: 20 Things Every Employee Should Know, and authors The Security Meltdown blog for CSOonline.

I first met him in Israel on a tour of infosec companies and he always has something thoughtful and interesting to say. Given his tenure, it isn’t surprising that his first major security issue that he can recall was a misconfigured firewall that was letting a whole lot of Internet traffic in. It took him a few hours to figure out the correct configuration. As he said, “everything old is new again when it comes to information security!”

Since he does a lot of PCI compliance work, his go-to tool is Ground Labs Card Recon tool for cardholder data discovery. He also uses tools from Skyhigh Networks and the native AWS security services as well. “The native AWS controls do go a long way to help configure and debug security configurations of their cloud services.” Another tool that he personally uses is Norton Mobile Security to protect his mobile devices. He also uses LastPass for managing his password collection. “I was concerned when they had their breach about putting all my eggs into one basket, so yes, you have to be prepared for that.”

“Nowadays you pretty much know when someone is trying to social engineer you,” he says. You can tell when you get an odd Facebook message or some dopey email, such as someone’s wallet has been stolen while on a trip and you haven’t heard from that person in ten years.” But the attackers have the odds in their favor: “All it takes is a couple of folks to click on the bait and they are living the high life.”

Over the last 18 months he has personally seen three different ransomware cases. For two of them, “they had good backups and ignored the ransom demands and were fine,” he said. The clients were able to reimage their machines and went about their business. However, with one client, “they had no leverage and had to pay the $600 ransom and learn from it. But now they have good backups, they took the attack as a wakeup call.” We commiserated on the fact that “you can’t have too many backups. Now that we have the cloud, it is easier, you can have a huge amount of data backed up without any tapes anymore.”

“Sometimes I see clients that have some rivalry between two different IT divisions,” he says. “It is like the competition between the police and fire departments. But they have to work together, and try to avoid finger pointing, and let them work it out and work together and understand each other’s point of view. Some companies are integrated better than others.” He says there isn’t any real magic to this integration. “It is more of a culture issue. If you are part of the same team, and guys are sitting near each other on the same floor, it is easier for one person to hand off to another and interact with them and build mutual trust.”

Part of the challenge is that everyone needs to be operating “from the same playbook, and understand the same collection of systems. After all, they are all supporting the same business goals and understanding the same endgame,” he says. “The challenge is that it takes a good executive at the top, whether that be a CIO, CTO or a CISO, for everyone to work well together and for this harmony to trickle down. Without this leadership, the conflicts trickle down too.”

You can subscribe now to my Inside Security newsletter and get information such as this interview and updated security news delivered regularly to your inbox.