You probably won’t expect a series on appropriate use of technology to appear on the English Al Jazeera channel, but that is what I am going to tell you about in today’s post. I have been watching a lot more of their news coverage, looking for a place to obtain some “other” news than the continuing political fascination that our American stations offer up these days. So check out the series, entitled All Hail The Algorithm, where you can find links to the five episodes here.

The series is the work of Ali Rae, a British producer for the channel. She travels the world in search of algorithms that have gotten out of hand. While some episodes are a bit uneven, she does a great job of interviewing primary sources including  researchers, tech vendor representatives, and rights and privacy advocates to present a very interesting hour or so of TV.

The first episode is all about trusting the decisions encoded in algorithms. Rae highlights the Australian welfare system and how its algorithm disputed payments made over many years. Computers automatically sent dunning letters to thousands of citizens, called robo-debt.

The second episode, which focuses on Facebook’s abuses, is the weakest, and most of you have probably already read enough about troll farms which have harvested likes and retweets.

The third episode covers the abuse of social media bot networks and how bad actors, under the pay of various political parties, are flooding these networks with incendiary posts that literally enflame passions and have caused all sorts of trouble around the world. This one struck home for me: we have seen (to coin a phrase) the growth of intolerance of people on both sides – both liberals and conservatives – to try to block freedom of expression. Many of the resulting demonstrations and protests are generated by social media ads and misrepresentative posts.

The fourth episode is about the potential abuse of biometrics. The vast majority of British schoolchildren now have their biometric data recorded for easier access to their lunches and libraries. And the UN is using biometrics to make it easier for refugees to access food and money supplies in the camps. The issue here is that once you give up your biometric data, you have no control over how it is used, and more importantly, abused. While the UN representative interviewed in this episode says they are trying hard to prevent security breaches, it is only a matter of time. Actually, last week’s Biostar 2 breach is a good example of how this could go horribly wrong. Millions of users of their “smart locks” now have their biometric data leaked online, something they can’t easily change unlike a password or a PIN. As Rae points out, the biometrics tech is being developed faster than any regulatory efforts, and the lack of transparency by the biometric vendors is alarming.

The last episode is about UI designers, privacy policies, tracking cookies and informed consent. Again, for many of you, this has been covered extensively but Rae interviews a couple of sources that have a few new things to say.

Overall, I learned a few new things from the series and think it is worth your time to watch all of them. Take a gander at what Rae has put together and feel free to share your comments here.

Those of you in tech have probably used or heard of Citrix. The company has been around for decades and sells a variety of products, including remote desktops and network security. It is ironic that they experienced a security breach across their internal corporate network: the breach began last October and was only discovered in March. A series of internal business documents were stolen as a result of this breach. Think about that for a moment: if a network security company can’t detect hackers living inside their network for months, how can mere mortals do it?

The company recently concluded its investigation and to its credit has been very transparent about its process. They hired FireEye to analyze its logs and have since updated their endpoint protection with its product. This post describes what Citrix is doing to tighten its security, and how it has put together a committee to help govern security going forward. That is great. The post concludes by saying, “we live in a dynamic threat environment that requires a culture of continuous improvement.” Very true.

But what I want to call your attention to is how this breach initially happened, and that is through an attack called password spraying. This is a very simple attack: you start with a list of login IDs and pair them with a series of common passwords until you find a pair that works. The link above has suggestions of how to use common tools to help determine your own exposure, and if you are new to this term you should spend some time learning more about it.

But even if you aren’t part of a corporate IT department, it is high time for you to change your own personal password policy. It is likely that you are using a common password somewhere across your many logins. This isn’t the first time I have made this recommendation. But if a IT vendor that sells security products can get attacked, it means that anyone is vulnerable. And if your password can be easily found (such as in Troy Hunt’s HIBP database), then you need to be concerned. And you need to start by using a password manager and change your passwords to something complex and unique enough. Now. Today.

I was visiting an industrial firm this week and had a chance to walk around their shop floor to see their equipment. It was a mix of high and low tech, machines that cost several thousands of dollars sitting alongside some very primitive pieces of hardware. Unfortunately, these primitive things were PCs running Windows XP.

Now, I have a fond spot in my being for XP. Just playing that startup sound sends chills up my spine (well, almost). I spent a lot of time running it for various tests that I got paid to do back in the day when IT pubs paid for that sort of thing. I had a stack of VMs running various situations, along with a couple of real PCs that had different versions of XP that I maintained for years. It was only with some reluctance that I eventually gave them up. Since then I have rarely run any XP on anything, because it has been superseded by several newer (and supported) versions of Windows. It appears I am not alone: XP is still around: according to this report, it can be found on 3% of total PCs on consumer desktops, and I am sure that number doesn’t include those in industrial and embedded environments such as I witnessed this week. BTW, Microsoft ended support for XP five years ago, although earlier this year it did create a patch to fix the Bluekeep flaw for XP.

The XP PCs that I saw were used by the firm to control some of their pricey industrial machines. I have no idea the network infrastructure at this shop, nor how much protection was put in place to continue to use XP in their environment. But it almost doesn’t matter: if you have XP, you are basically hanging a sign outside your virtual door that says, “come on in and hack me.” It is just a matter of time before some bad actor finds and exploits these PCs. It is like leaving a jar of honey out. This post written to help consumers use XP more safely recommends, “stop using IE or go offline.” That is harder to do than you might think.

Most likely, replacing this equipment with a more modern version of Windows isn’t all that simple. The machinery has to be tested, and probably has code that needs to be rewritten to work on the newer Windows. And you will say, that is the entire point, and you would be right. But the firm isn’t going to stop using XP, because then they would be out of business. So they are in between a rock and a hard place, to be sure.

So here is a simple security test that you can try out in your business. How many endpoints do you have that are still running XP? Just take a census, using whatever automated tool you might have. Now walk around and see if you can find a few others that are hidden inside industrial equipment, or a printer server, or some other likely location. Do you have the right network isolation and protections in place? Can you do without an internet connection to these PCs? Why did your automated scanners fail to identify these devices? Can you get rid of them completely, or is the vendor still insisting on using XP for their equipment? I think you will be surprised, and not in a good way, what the answers are.

And for those of you that are running XP at home, do yourself a favor and take a trip this weekend to MicroCenter (or whatever is your local computer store) and buy yourself a new computer, and dispose of your old one (after first removing your hard drive). And if needed, conduct an appropriate memorial service to bid this OS a fond farewell.

Those of you of a certain age might remember a print ad campaign for the Blackgama fur company that ran for many years, beginning in the 1960s with this image of Lauren Bacall wearing one of their mink coats.

4 R

I am riffing on this theme after visiting the National Cryptologic Museum outside the NSA offices in suburban Maryland this week. I remembered the ads because of my overall experience with the museum, and its relationship between its physical plant and the online and other publications that the historical arm of the NSA has produced.

As long-time readers recall, last summer I visited Bletchley Park in the UK. It was a great day spent at the complex and I learned a lot. Sadly, the NSA’s museum was a disappointment. And it made me realize that what makes a great museum when you first go to the actual building is part of what makes for a great online museum experience. Unfortunately, the NSA museum has neither.

Many of the world’s greatest museums have played catch-up when it comes to their websites. This is more than getting their catalogs digitized, then getting them redone with higher resolution or newer imaging technologies. It is more than organizing their collection for visitors, academics and other specialists that want to search them for their own research or just personal interests. It is also more than having something that is visually attractive to leverage the latest curatorial trends.

These great museums have also had to embrace technology in their actual buildings, something that I first wrote about for the NY Times when I visited the Abe Lincoln museum in Springfield, Ill. back in 2008. At that visit, I got to see first-hand a variety of things that are normally used in theatrical productions or rock concerts, such as spotlights, one-way mirrors and sophisticated sound systems to tell the story about Lincoln’s life and times. From this piece, I wrote for HPE’s blog about how the best code developers are learning to hone their craft and improve their user experience from these innovative museum designers. For example, augmenting the visuals with other sensory experiences, understanding the consequences of context switching when it comes to tell your story and so forth.

That is why the NSA museum stands out, but not in a good way. It is a subject that is near and dear to my heart, cryptology and its origins and use in the modern era. Check. It is located near the NSA, an interesting place in its own right. Check. It has plenty of classic stories about some key developments, going back to the Revolutionary War and how codes and encryption played a role in the birth of our country. Check. It has several Engima units on display, showing the evolution of the machine that you can actually touch. Check. It is dull as dishwater and has exhibits that looked like they were created back when the Apollo program was in its heyday. Big fail.

The best part of the museum wasn’t any of the exhibits but a tour that I happened upon led by a docent. Turns out he was a former Russian linguist that worked for the NSA for many years. His stories were great, and he answered all my questions with interesting personal insights (and correctly, I might add). I only wish he had a better physical plant to show his visitors.

For example, one exhibit is about how the Soviets bugged our buildings in Moscow. It begins with this object that is on display in the museum: it looks like a nicely crafted wooden replica of the US government seal. It was given to then U.S. Ambassador Averell Harriman back in 1945 as a gift from Soviet children. It hung in the Ambassador’s residence for seven years, until a bug was found inside the carving. While what is shown is a replica, you can open a special hinge that was installed by the museum so you can see where the bug was located.

This story was a nice precursor to a major operation that took place in the 1970s called The Gunman Project. At that time, we found out the Soviets had increased their bugging program and put technology into 16 different IBM typewriters in our Moscow embassy offices to record the documents that were being prepared. I saw the Great Seal replica (and engaged with opening and closing it) at the museum, I took home a pamphlet about Gunman that I read avidly on the flight home. I tried to find an online copy of this document, I did find the text here. The document was nicely produced and I learned a lot from it. Now contrast that information with this link to another Gunman story, this one produced by two private Dutch crypto enthusiasts. It actually is a much better explanation, and even with the pictures included in the original NSA pamphlet, this latter piece is 1000% better and more engaging.

So if you are interested in the history of crypto, my suggestion is to forgo the actual visit. The NSA is working on building a new museum, but that could take years. In the meantime, read some of the supporting materials on their website or better yet, check out other entries at the online Crypto Museum. Second, if you are going to design a new museum, think of how the online and actual physical presence have to work together to build the best visitor experience.