Moving money around: questions to ask

If you are looking to transfer money to someone quickly, you have a lot of choices, including Zelle, Venmo, Wise (formerly TransferWise), PayPal and Xe.com. But with choice comes the work of learning what is involved in using each vendor, including getting answers to the following questions:

  • Can you move money internationally? Not with Zelle or Venmo, but the others offer this service. Zelle can only be used to move money between US bank accounts with US mobile numbers. Venmo also requires users to be physically in the US to complete their transactions. PayPal has the widest selection of currencies, claiming they are available in 200 countries (which is pretty much everywhere), and Xe claims 170 countries. Wise is available in 59 different countries.
  • What is the effective exchange rate for your funds? Exchange rates change constantly, and it is hard to anticipate when the best time to move your money will be. None of these services makes it easy to figure this out, and they tack on various fees for particular circumstances. I say “effective” because each service quotes rates differently. For example, Xe and Wise both use “midmarket rates” which they are very clear about up front, and for both you can actually run a quote before you do the transaction and see the rate and the fees deducted. PayPal has a whole bunch of fees, terms and conditions that are explained here, and their rates are usually less favorable. Monito.com, another money transfer service, has a real-time rate comparison shopping tool that looks at several competitors (I am not sure how accurate it is, but it can be helpful).
  • How safe is it to use the service? A recent NYTimes article documents how Zelle has become the fraudster pipeline of choice, with banks making it difficult to resolve complaints or reimburse fraud victims.
  • Can you secure your account with MFA? Speaking of fraudsters, you should set up this additional authentication factor to protect your accounts and your transactions. Some services make this process easier than others.
  • How easy is it to use the service? Some of the services have really poor usability, making the process a lot more difficult than it needs to be. Some only work with a mobile app, while others support both mobile and web platforms. Some of the services can move funds directly into your recipient’s bank account; others require your recipient to open an account on their platform before they can access their funds.
  • How fast is the money moved? Everyone operates at different speeds, so if this is important, check the fine print on when the funds will actually be available.
  • What other services are offered? Some of the vendors (like Wise) have prepaid debit cards and multi-currency accounts that reduce fees. If you have to move money on a regular basis, you might want to check into these.

Here is one other alternative: using a brokerage account to move your money. I recently had to get funds to my daughter in Israel. She wanted dollars, not shekels, and we both use Morgan Stanley to manage our investments. It was a simple matter to take money from my checking account and deposit it in her brokerage account; no fees were involved, and the whole operation took a few minutes.


CSOonline: Understanding risk-based authentication

The last time I bought a suit was several years ago, in advance of my daughter’s wedding. Back in the 80s and perhaps 90s, I would wear a suit whenever I travelled or spoke at a conference. These days, not so much on either travel or suit-wearing. I actually bought two suits (whadda deal!) and I was pretty happy with the process until it came time to pay. My credit card was immediately declined. I certainly had plenty of credit limit (I think the total purchase was about $1000) but the algorithms used by my bank kicked back the transaction because it had been ages since I last bought a suit, or bought anything at a retail store for that amount of money.

This process of questioning my transaction is called risk-based authentication (RBA), and it has become quite common, particularly as criminals get better at compromising our accounts and as we continue to reuse our banking passwords, which get phished and posted across the dark web. The banks have gotten better at investing in this tech so as not to raise many false positive flags (such as my suit purchase), basing their decisions on all sorts of factors. In my case, I probably still would have been challenged because I was at a location not close to my home and in a store that I hadn’t been in before. But RBA can incorporate all sorts of other factors, such as the hardware you are using on your phone (if that is involved in the transaction), whether your typing cadence has changed (such as someone else using your computer or using a clone of your phone number), a pattern of multiple purchases made earlier that day, or “impossible travel,” where multiple IP addresses located at great distances from each other use the same login credentials within a short time (of course, you have to be careful that someone isn’t simply using a VPN here).

Speaking of impossible travel, back when I did travel internationally I had to remember to log in to my banks and tell them where I was going. One time I forgot and my credit card dinner purchase was declined. Now most banks don’t need you to do this, thanks to better RBA.
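The impossible-travel factor described above, as an added example that is not code from this post or from any RBA vendor: it compares each user’s consecutive logins, flags movement faster than an airliner could manage, and downgrades the result to “review” rather than “block” when a known VPN exit is involved. The IP addresses, coordinates, VPN list and speed threshold are constructed for illustration.

```python
"""Impossible-travel check of the kind the post describes.

Added example, not code from the post or from any RBA vendor. The IP
addresses, coordinates, VPN list and speed threshold are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # roughly airliner speed; faster than this is "impossible"

# Constructed stand-in for a geolocation database: ip -> (city, lat, lon).
GEO = {
    "203.0.113.10": ("St. Louis", 38.63, -90.20),
    "198.51.100.7": ("Tel Aviv", 32.08, 34.78),
    "192.0.2.44": ("Chicago", 41.88, -87.63),
}
KNOWN_VPN_EXITS = {"192.0.2.44"}  # constructed; the post's VPN caveat

@dataclass
class Login:
    user: str
    ip: str
    at: datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlon = radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def check_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH,
                            vpn_exits=KNOWN_VPN_EXITS):
    """Compare each user's consecutive logins; return a list of findings.

    "block" means clearly impossible travel; "review" means a VPN exit or an
    unlocatable IP is involved, so the location is untrustworthy and a hard
    block would be a likely false positive.
    """
    by_user = {}
    for login in sorted(logins, key=lambda l: l.at):
        by_user.setdefault(login.user, []).append(login)

    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.ip == cur.ip:
                continue
            finding = {"user": user, "from": prev.ip, "to": cur.ip}
            if prev.ip not in GEO or cur.ip not in GEO:
                finding.update(disposition="review", reason="no geolocation")
                findings.append(finding)
                continue
            _, lat1, lon1 = GEO[prev.ip]
            _, lat2, lon2 = GEO[cur.ip]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (cur.at - prev.at).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed <= max_speed_kmh:
                continue  # plausible travel, nothing to flag
            vpn = prev.ip in vpn_exits or cur.ip in vpn_exits
            finding.update(km=round(km), km_per_hour=round(speed),
                           disposition="review" if vpn else "block",
                           reason="vpn exit involved" if vpn else "impossible travel")
            findings.append(finding)
    return findings

def _at(hour, minute):  # constructed timestamps, all on the same UTC day
    return datetime(2022, 3, 1, hour, minute, tzinfo=timezone.utc)

# Constructed sample: alice "flies" St. Louis -> Tel Aviv in two hours (block),
# bob reaches Chicago after five hours (fine), carol jumps from Tel Aviv to a
# Chicago VPN exit in thirty minutes (review rather than block).
SAMPLE_LOGINS = [
    Login("alice", "203.0.113.10", _at(9, 0)),
    Login("alice", "198.51.100.7", _at(11, 0)),
    Login("bob", "203.0.113.10", _at(9, 5)),
    Login("bob", "192.0.2.44", _at(14, 5)),
    Login("carol", "198.51.100.7", _at(9, 10)),
    Login("carol", "192.0.2.44", _at(9, 40)),
]
```

Running `check_impossible_travel(SAMPLE_LOGINS)` returns one "block" finding for alice and one "review" finding for carol, and nothing for bob.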

The three credit bureaus (Experian, Equifax and TransUnion) have all bought various RBA vendors over the years (41st Parameter, Kount and Iovation, respectively). Both LexisNexis and Mastercard have their own RBA tech too (ThreatMetrix and NuData Security). What is interesting about this group is that they handle millions of financial transactions each day, or each hour, so they can spot fraud trends more quickly. RBA has quickly grown from some wonky security tech into the mainstream precisely for this reason.

This week I wrote a story for CSOonline where I take a closer look at 12 different RBA vendors’ offerings. I have studied these products for years, and am glad to see continued progress in their features and usability. One example is the latest offering from Ping Identity, called PingOne DaVinci. This is an identity orchestration tool that can be used to create automation routines using Visio-like flowchart diagrams. This is a big benefit, because setting up risk escalation scenarios using interlocking rule sets and policies can be difficult to debug.

Time for some privilege management

Working in infosec, we use the term “privileged access management” to refer to security tools that determine which users have what kinds of rights to access particular applications, devices and networks. But when I read this recent Protocol story (that is the name of the online pub, btw) about a tech writer who turned down a potential job with a software firm because they were using Teams (that is the name of the Microsoft software, btw), I had to stop and think about this.

This is what the Great Resignation has come to? Granted, I am not a big fan of Teams, but heck, that would not be a dealbreaker when I would consider joining a company. At least they aren’t using AOL IM, which was the messaging standard — even for corporations — back in 2006 when I wrote this story for the NY Times.

But still. I guess in these days where it is a job seeker’s market, you don’t have to check your privilege at the Teams web portal, to inelegantly coin a new phrase.

Back in the olden times — say the early 90s — people who wanted to use Macs had trouble getting them purchased as their corporate desktop or laptop of choice. Thankfully we have all moved on from that era. So I guess it was only a matter of time before someone, as misguided as the dude in the Protocol story, would vote with his feet or keyboard or whatever and seek employment elsewhere. “The vibes are off.” What, is he also a music critic?

Now, being a member of the tech writing community I am embarrassed about this. And unlike the Mac/Windows dichotomy of yore, we are talking about the software this potential privileged person will use to connect to his peers. And a collaborative piece of software: this is something that everyone has to use to derive value.

Remember how tech companies used to lure candidates by having free food prepared by on-site chefs, well tricked-out workout rooms, and snack closets that could compete with Trader Joe’s? Now I guess this means that companies will have to offer Slack safe spaces (or whatever piece of software offends the next potential new hire). It is a sad day indeed for all of us.

Avast blog: How the IRS can do better with its digital identity program

The US tax collection agency, the Internal Revenue Service (IRS), has changed course on its short-lived identity verification system, which was only recently implemented. Last November, the vendor ID.me was awarded an $86 million contract to provide the exclusive authentication for all online IRS accounts. Until then, the IRS had its own account authentication service that was based on credit reporting data. The older system was to be phased out this summer.

This week, things came to a head and the IRS decided to ditch its ID.me solution. I describe the chain of events, why ID.me was such a lightning rod, and some ways the IRS can gain traction and show leadership in the decentralized identity space in my latest blog for Avast here.

Avast blog: School cybercrime attacks are on the rise

You may have heard the term “script kiddies”, which usually refers to adults who hack into business networks. However, lately there has been a significant rise in cybercrime attacks from actual school-age children. A new report from the UK’s National Crime Agency has found the average age for DDoS hackers has dropped to 15, with some students being as young as nine years old. The issue is that DDoS attacks are easy enough for even a kid to carry out.

You can read my analysis of the trend and what the UK is doing to stem the tide here in a blog for Avast.

Is it time to consider web v3?

I am not so sure. For those of you keeping score at home, web v1 was the early days when we had web servers delivering static pages of mostly text, starting in the early 1990s and lasting until about 2003 or 2004. The next version was the dynamic web, where we created our own content, and where we freely gave away our privacy and data so that we could post cat memes and dance videos to the now giants of Facebook/Apple/Amazon/Netflix/Google, otherwise called FAANG. (Facebook and Google have renamed themselves, but the acronym has stuck.)

But now it is time for a new iteration, and v3 attempts to create a more egalitarian internet, protected by encrypted tokens that can keep everyone’s identity and data private and secure. Say what? At least, that is the plan.

Whether or not you agree with this vision, it has largely been unrealized. Yes, there is a Web 3 Foundation, and you can see at that link a very complex tech stack that will consist of multiple protocol layers, much of it still TBD. For those of us who cut our teeth on HTML, CSS, and HTTPS, these protocols are pretty much unknown.

Scott Carey writes in Infoworld summing things up this way: “To access most Web3 applications, users will need a crypto wallet, most likely a new browser, an understanding of a whole new world of terminology, and a willingness to pay the volatile gas fees required to perform actions on the Ethereum blockchain. Those are significant barriers to entry for the average internet user.” I’ll say. If you have never had a crypto wallet, never used Rust or Solidity and don’t know what a gas fee is, you need to go to web3 study hall. You may not understand the tech behind it — I don’t fully understand all of these items — but that is the point. The decentralized web is being built on a series of protocols and there are a lot of gaps.

But let’s put aside all the new tech and answer a few basic questions.

What is the role of clients and servers? One of the first things you come to is needing to understand the difference between clients and servers. In the web1 and web2 worlds, there were browsers, and there were various servers (web, database, applications, payments, and so forth). It was a pretty clean separation of powers. Some of us were happy to never touch any kind of server, something that leads off Moxie Marlinspike’s “first impressions” blog post. I don’t agree with this position. I have been running my own web server for more than 25 years. I wouldn’t have it any other way. I like being “master of my domain” (which is more than just running my own server, such as being able to move it from one place to another across the internet, which I had to do last year when my ISP went out of business).

I think what Moxie meant to say is that most people don’t like configuring and maintaining their own servers. But that is why we have ISPs.

But look at the tech stack that we are promised with web3: that is a lot of tech to deal with. If we had resistance to configuring HTML and HTTP, imagine how much pain we will face when all this new stuff comes to fruition.

Lance Ulanoff writes that the vision for web3 is “more a combination of edgy new technology and a reaction to centralized control.” He goes on to discuss some of the early descriptions before the web3 term came into the popular lexicon, such as the semantic web that was tossed around back in 2006. He describes web3 being when we can control our interactions and have a universal identity across all systems. That’s nice, but so much of the current vision about web3 doesn’t really fill in the blanks about how this control will happen or how we can create these universal identities. Moxie says that we need to use cryptography rather than infrastructure to distribute trust. I completely agree. Ignoring the trust issues is dangerous — look how long it has taken us to resolve email trust issues, and those protocols were created decades ago.

But how this infrastructure plays out brings us to my next question:

What is the role of peer-to-peer (p2p) technology? Remember Napster and peer file sharing of music and videos? Back then (roughly 2000-2005), everyone was digitizing their CDs, or stealing music from others, or both. Napster and LimeWire and the other apps created peer file servers on your hard disk, and you then shared your digitized content with the world. Sharing wasn’t caring, and lawsuits ensued. Now we just pay Netflix et al. and stream the content when we want to listen or watch something. Who needs possession of the actual bits?

But see what has happened here: we went from this idealized p2p world to today, where just a few centralized businesses (like FAANG) run the show. This could be the fate of web3, and all this talk about a decentralized, egalitarian web could fall apart. Today’s crypto/NFT world depends on just a few centralized service providers, and the distinction between client and server in a fully decentralized p2p blockchain isn’t all that clear, as one of the Ethereum founders, Vitalik Buterin, points out. He says that there are various gaps in web3 which are bridged by the various API suppliers, such as Infura and OpenSea. The issue that Moxie has is that many NFT and crypto advocates have just accepted the role of these API vendors without much thought about the implications. Moxie is worried that these vendors have a lot of control over things, and that there is the potential for the decentralized web3 to turn into a less efficient and less private version of today’s internet. Think of one nightmare scenario, where Facebook (or one of the other giants) has its own web3 servers, APIs, and alt-coins. The horror!

But you think crypto is cool, and there is money to be made. Now we get to the real meat of the matter. Forget about a more equal internet and singing kumbaya off into the sunset. Let’s talk about how high the various alt-coins are trading at – or not, depending on when you entered the market. Remember the internet bubble of 1999-2000, when domains were being bought and sold on little more than a pitch deck? That was Gold Rush v1, and all you had to do to participate was to buy a domain and flip it. (I am guilty of this, but I didn’t buy my domain to flip it. I just got lucky.) You could argue that all you need now is to hold a basket of crypto coins — as some of you have done. But look at all the knowledge you have to collect to participate in this gold rush. Nevertheless, there is some cool stuff that is being built, as this blogger documents. This post basically rebuts a few of Moxie’s complaints while making Moxie’s point that this is very early stuff.

So go cautiously into the web3 night, and good luck learning about all the requisite tech that will be needed. And for those of you complaining about the decentralized and private web of the future, you might want to spend some time doing the basic blocking and tackling and eliminating duplicate passwords and implementing MFA logins now, because you’ll need something like them to get on the blockchain train. Or at least protect all those crypto funds in your wallet from being lost or stolen.

Time to fire your jerk boss

(An expanded piece has been published here that provides some additional thoughts from my sources.)

Whether you fire everyone on a group Zoom call or dump someone’s last paycheck on their lawn in oily pennies, there are lots of ways to be a jerk boss. What has happened thanks to Covid is that the tables are slowly turning and employees’ tolerance for the jerkiness is dropping quickly. This could be one reason why we have so many job openings. A recent NY Times article describes the situation.

Over my career, I’ve had two exceptionally jerky bosses: one who fired me and one where I eventually quit. Let’s call them Boss A and Boss B. Both were men with oversize egos that you couldn’t help but trip over in your daily tasks. This resulted in a lot of “walking on eggshells” in the office so as not to set them off. Both had poor leadership skills, meaning that they didn’t understand how to motivate their employees other than by giving them direct orders, often at high volume. Neither could build a consensus – indeed, they often tore one down – with one exception: both were good at getting their staffs to rally around a common enemy, the jerk boss himself. Both men couldn’t tolerate a point of view different from their own and wouldn’t pass up a moment to intimidate where they could.

Boss A hired me and moved me across the country to take the job, and then proceeded to give me all the responsibility and almost no authority to do it. It didn’t help that one of my direct reports was really working for Boss A as a spy, meaning he was telling my boss what I was doing wrong and passing along other comments that I had made about the boss. Eventually, he couldn’t tolerate my independence and fired me one day as I arrived in the office. Effective immediately. At least I was fired face-to-face and not over the phone or some video conference.

Boss B didn’t respect any of his employees, and was probably one of the worst bosses that I have ever worked for. He would harangue them in public at ear-splitting volume. He would give two of his staff assignments that would guarantee one would come into conflict with the other, just to see who would reign supreme in an office version of “Iron Chef” or some other reality show. He had just one important skill: he knew how to manage up, so that his superiors kept him running the operation even though his staff would come and go. Those of us who quit became “dead to him,” as he would say to our faces when we offered our resignations. One time, he was running a conference in St. Louis and I wanted to stop by and see some of my former colleagues. He proceeded to shout at me, told me that I wasn’t welcome to walk around the conference venue, and made everyone feel uncomfortable. This was years after I had quit.

The Times article doesn’t touch on my own way out from under one of my jerk bosses: leaving to work for my own business. I was surprised that this option wasn’t even mentioned by the sources interviewed, and that the disgruntled staffers all took other corporate jobs – hopefully for non-jerky bosses.

I asked my friend Ximena Veliz, who is an emotional coach and mentor to people all over the world, about her clientele. She told me that by the time they come to her, all of them have decided to leave their current jobs thanks to jerk bosses, and she tries to help them frame their circumstances so they don’t make the same mistakes in the next job. The worst combination, she said, is women who work for women bosses, and Covid has made things a lot worse, especially when companies that have been operating remotely are trying to switch back to in-person offices. “No one wants to go back to an office, no matter where they work.” Europeans are even more polarized about Covid, she told me: their population seems to be split down the middle between people who believe Covid isn’t real or isn’t much of a threat and people who do. That can make for some stressful workplace dynamics, to be sure.

What we need is a personality test to determine the jerky level of your boss to guide your own decision-making – and perhaps for those few jerks that are willing to reform their ways.

  1. Is there a mismatch of authority and responsibility? Rate the percentage of time that this happens, and to score in points divide this by ten. (0-10 points)
  2. How often does your boss take credit for your ideas? Give a 10 for always, 5 for only half of the time, or 0 for never.
  3. Is the volume knob permanently set at 11? Score 20 points for yes, 10 for more than half the time, or 1 for rarely.
  4. When you get together with your colleagues at breaks or lunch, how long does it take someone to start the gripe session about the jerk boss? Score 10 points for almost always or fewer points otherwise.
  5. Where do you get most of your motivation to do your job?
    a. From your own internal satisfaction (10)
    b. From your colleagues or people that report to you (7)
    c. From both a and b equally (5)
    d. Never have any direct praise from your boss (0)

If you scored 40 points or higher, leave that job now. Start thinking about your own business or where you want to live and work. In the 30s, time to brush up your LinkedIn profile and get a few recommendations. In the 20s, tough it out for now but keep your eyes open. Less than 10 points: you are blessed!

The tech stack of the disinformation triad: blogs, ads, and podcasts

A year ago we saw the fruits of disinformation writ large with the Capitol attack. Since then, I have thought a lot about how this came about, and today I want to discuss what I will call the tech stack of the disinformation triad, and how blogs, ad exchanges and podcasts act as a self-reinforcing ecosystem. (And I include misinformation here as well.)

Most of the vitriol about disinformation campaigns has focused on the social media platforms removing or silencing various users. While these tweets and Facebook posts are reprehensible, I don’t think we are focusing on the right place, and they don’t belong in the tech stack per se.

Each of the three elements plays an important role in the stack:

  • Blogs originate the disinformation content that draws in visitors. For best results, make your content more outrageous and more trolling. Steer clear of any actual facts too.
  • Ad exchanges place ads on these blogs (and other websites) that generate the cash to support the disinformation apparatus. These exchanges aren’t well known, aren’t well regulated, and make it easier for content creators to attract A-list brands to lend their websites an air of legitimacy. More on that in a moment.
  • Podcasts create the audio (and in some cases video) clips that are shared across social media and also drive visitors to the blog for further explanation. In some cases, podcasters originate disinformation through some off-the-cuff remark that gets taken out of context (or not). A recent NYTimes article cites research on how pervasive these podcasts have been at spreading disinformation.

Let’s look at who supplies these enabling technologies in the stack:

  • Blogs: WordPress, certainly. Medium and Substack should also be here. You can put up a basic blog in minutes at less than $10 a month now.
  • Ad exchanges. Here is a short test. Have any of you ever heard of the following brands: MGID, FreeWheel, Xandr, 33Across, and TremorHub? If you go to their various websites (I won’t link to them, sorry), you will find all sorts of euphemisms, such as “publisher monetization company” or “an integrated solution to unlock addressability and monetization” vendor. What they really are is networks of advertisers that take a commission to place ads on websites.
  • Podcasts. There are many underlying technologies to produce a good podcast: video and audio editors, streaming sites, search engines. But I would point towards Apple, Spotify, Stitcher, Google Podcasts and YouTube. What, you didn’t know Google indexes podcasts? Yep. And if you read the NYT article linked above, you will see that disinformation-laced podcasts that were banned on YouTube are still being promoted on Google Podcasts. No one said that Alphabet/Google has to be consistent.

We should, as the Watergate reporters did, follow the money. Cut off the cash supply (as happened in 2019 to one podcaster) and the other parts of the triad will have to regroup. One advocacy organization is trying to do exactly that. The problem is that the exchanges make various claims, such as that they preserve privacy (by not using cookies) or police their advertisers, but don’t really deliver. And by being an intermediary between the brand and the web property that runs the ads, they make it easier for everyone to say that disinformation-related ads were placed on the network in error or slipped through any trivial vetting process. Cue the Zuck apology tour highlight reel, puh-leeze.

As you can see, the disinfo tech stack isn’t just the fault of social media platforms. Certainly, they have aided and abetted the spread of disinformation. But let’s get the cause and effect tech chain straight.

The Verge: How to recover when your Facebook account is hacked

Hopefully the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control. Let me take you through the recovery process and provide some proactive security pointers that you should follow to prevent this awful moment from happening, or at least reduce the chances that it will.

In this post for The Verge, I explain the three different scenarios (a friend borrows your account, someone uses your photo on a new account, or you truly have been hacked) and how you can try to get your social life back. It isn’t easy, it could cost you a lot of time and a bit of money, and there are steps you should take to protect yourself now that will reduce the chances that your account will become compromised — such as removing any payment methods that you may have forgotten about, as shown above.

And if you would rather listen to my descriptions, my podcasting partner Paul Gillin interviewed me on this subject in a recent 16-minute episode.

CNN Underscored: Review of the best USB-C charging blocks

With USB-C finally more-or-less standard across phones, tablets and laptops, and fewer and fewer manufacturers including chargers in the box with their products, a myriad of charging blocks have become available that promise to get your batteries topped up as quickly as possible.

To find the best USB-C charger for your devices, we tested 15 devices from respected manufacturers to find the best for your needs, whether you need to charge a phone, a laptop, or a bagful of accessories. My top pick was the PowerPort Atom III Slim — it has a single USB-C port and is rated at 45W (there are older versions still on the market that are rated at 30W, so make sure you are getting the higher capacity unit). We liked the smaller-footprint slim design, which combines a slimmer unit (5/8” thick) with a folding power prong. These make fitting it behind furniture (or carrying it in your travel bag) easier.

You can read my review of these chargers here for CNN’s Underscored site.