Aiding Ukraine in the modern web era

I want to tell you two stories to counter-balance the seemingly endless ones about the horrors of war we have seen coming from Ukraine. I am doing this not to blunt the tragedies that millions have experienced and are continuing to experience, but to show you that there are many people who have taken action and done something to help others. I am sure there are many other stories of hope and would urge you to share them here if you feel so inclined.

The first story is a group of hundreds of librarians and others who have banded together with the sole purpose of Saving Ukrainian Cultural Heritage Online, which coincidentally is their actual name. They have saved more than 25TB of scanned documents, artworks and many other digital materials from thousands of websites of Ukrainian museums, libraries and other archives. The group was founded by a few dedicated individuals such as Anna Kijas, a music librarian at Tufts University, who saw a looming disaster in February as the country’s buildings were being systematically bombed out of existence, and began making digital copies of various archives. She was joined by Quinn Dombrowski, an academic technology specialist at Stanford University, and Sebastian Majstorovic, a digital historian based in Vienna.

You might think that the Internet Archive Wayback Machine already does this, but it doesn’t crawl very deeply. For my own website, many of the saved copies just include the home page or one or two other pages. The team harnessed a couple of other web scraping tools and began searching Google Maps to go literally block-by-block to find physical museum collections. They developed workflows and scripts and distributed them via a Slack channel and shared documents to keep things organized.

My second story concerns the video channel Yes Theory. This is a group of three guys who have traveled together for several years making very entertaining and sometimes meaningful videos. The trio combined forces with Adventurers for Change and have raised more than half a million euros from 8000 contributors to support Ukrainian refugees. Their video describes how they set up offices at a co-working space in Warsaw to coordinate their volunteers, who came from all over the world to help them purchase basic staples and get them to the Ukrainian border. The group began operations at the end of February.

What these two stories have in common is a ground-up organization that wouldn’t have been possible in the pre-web era. Using email lists, messaging groups, social networks, crowdfunding and other tools, they not only got their message out and recruited volunteers but were able to keep overhead costs low and be on the ground helping people almost immediately. Both relied on existing channels and groups that had come together for other purposes, rather than tapping into existing relief efforts such as Doctors Without Borders or various UN-backed programs. Both did more than just ask for money: they had to develop their infrastructure quickly and figure out the daunting logistics to put everything in place. When you think about all the ways that technology is being used for evil purposes, it is great to read about these two efforts.

Ranking the world’s democracies

This morning I was watching the live coverage of the meeting of six foreign ministers in Israel’s Negev. It was a remarkable experience because of the venue, the nature of the broadcast itself and the way it was being reported, and the global context of the meeting.

Before I can explain the situation, let’s take a short quiz. Here are six countries (not the same list as the ministers). Put them in order from most to least democratic. Use any metric you’d like. USA, Rwanda, Laos, Moldova, Norway and Qatar. Don’t peek at the end of the essay for the results quite yet. I will give you one hint: we are not the top country, by a long shot.

So why am I writing about this today? The Negev Summit, as it was billed, brought together the foreign ministers of the USA, Morocco, UAE, Bahrain, Egypt and Israel. Some of the men were in Israel for the first time in their lives, which was interesting in and of itself. It was notable who was not there: the leaders of Jordan and Palestine were meeting in the West Bank as a bit of counter-programming. What was different (apart from the actual meeting itself) was the location: the last home of David Ben-Gurion, who was the founder of the modern Israeli state.

That is how I have thought of him ever since I was a pre-teen attending Hebrew school. He is well-regarded by many Israelis and there are several things that carry his name today, including the Tel Aviv airport where every tourist to Israel and the West Bank arrives and a university in Beersheva that I have been to numerous times and where my son-in-law got both of his college degrees. If you drive another 45 minutes south of the university, you will get to the Negev town of Sde Boker, which is where the summit took place. There is a kibbutz and it is also near a Bedouin camp, and also not too far from Israel’s only nuclear “research” reactor.

Anybody who thought at the end of 2020 that things could not get worse for the world’s democracies has been proven wrong, says the Economist’s Intelligence Unit in its latest “Democracy Index” report. The overall index hit a new low since the tabulations first began in 2006, largely thanks to the variety of government-imposed tools for tracking and monitoring citizens that were introduced because of the pandemic. The report goes into lots of detail about how it scored each of 167 countries on 60 different metrics such as electoral processes, civil liberties, and government functions. These are rolled up to classify each country into one of four categories:

  • Full democracies
  • Flawed democracies
  • Hybrid democratic and autocratic regimes
  • Authoritarian regimes

My six-country quiz contains countries in each category. And here is another hint: we are not a “full” democracy by the Economist’s definition. Sad to say. They figure out the segments based on examining the various components of freedom, such as: freedom from want and the satisfaction of material needs; political and religious freedom; democratic rights and equal treatment for all citizens; equality of opportunity and the avoidance of stark economic and social inequalities. One of the things that interests me is that there are various shades of authoritarianism. The World Population Review counts 52 countries and describes them as one of five different types, based on how a dictator grabs and maintains their power. This could be through the use of the military, a monarchy, a force of personality, a single political party, or some combination. The various dictators are listed and linked to by name.

Another group that tracks these issues is Freedom House, through its annual “Freedom in the World” report. It scores countries by overall freedom, internet freedom, and democracy scores. They use a definition for electoral democracy which includes:

  1. A competitive, multi-party political system,
  2. Universal adult suffrage,
  3. Regularly contested elections conducted on the basis of secret ballots, reasonable ballot security and the absence of massive voter fraud, and
  4. Significant public access of major political parties to the electorate through the media and through generally open political campaigning.

Going back to the Negev Summit, I should mention that I was watching it on Al Jazeera’s English channel, which as I said was doing a live broadcast wrapping up the summit. This is the channel which is owned by the Qatar government, which is considered an authoritarian regime because of its leader. But Qatar is on the upswing: the report shows a steady increase in their index since it began. I have been watching more of their coverage because they do a really good job of reporting from all sorts of places around the world (they had two reporters at the summit, for example). At one point, the analyst from the channel being interviewed mentioned how Ben-Gurion was also the leader of many attacks on the Arab residents in the early years of Israel’s independence, a point of view that I hadn’t previously considered.

Ok, now time for the list, from most to least (with their rankings from the Economist report, where the lower number means more democratic):

  1. Norway (1)
  2. USA (26)
  3. Moldova (69)
  4. Qatar (114)
  5. Rwanda (127)
  6. Laos (159)

Avast blog: Watch out for browser-in-the-browser attacks

A man-in-the-middle (MITM) attack consists of a victim, a website the victim would like to contact (such as a bank), and the attacker. The attacker inserts themselves between the victim and the targeted website with the intention of stealing personal information such as login credentials, or bank account and credit card numbers. MITM techniques have consistently been an active area of development for hackers.

There are several different types of these attacks, including ones that involve running software on a webpage that can infect your computer through your browser. One of them is gaining traction (with the attackers) and is what one security researcher calls browser-in-the-browser. The idea here is that a hacker can write some JavaScript code to present a fake pop-up login window, a phony phishing prompt that lures you into typing your account information. Look at the two screens reproduced above: it is hard to figure out which is real and which is a threat.

I wrote about this for Avast’s blog here. One way to prevent this exploit is to use a secure browser (such as one from Avast or Brave).

CNN: The best VPNs for 2022

CNN had me review a bunch of VPN services for their Underscored site. I looked at 11 different products. I don’t have to tell you why you should use a VPN. But no product can 100% handle the trade-off among three parameters: anonymity, or the ability to move online without anyone knowing who you are; privacy, or the ability to keep your own data to yourself; and security, or the ability to prevent your computers and phones and other gear from being compromised by a criminal. You can’t do all three completely well unless you go back to pen and paper and the Pony Express. Using a VPN will help with all three aspects, and some are better than others at balancing all three.

My two favorites were Mullvad.net and IVPN.net. Both use a novel idea to ensure that they don’t know anything about you — when you download their software, you are assigned a random string of characters that you use to identify yourself. No email necessary. If you don’t want to use your credit card, you can pay via alt-coins too. Consider this a “single-factor” authentication. That means no password is required once you have entered your code; it is unlikely that anyone can guess this code or find it on the dark web (unless you reuse it, which you shouldn’t), and there is little chance anyone could connect it back to you even if they did manage to get hold of the code in a breach.

Neither vendor has the largest server network (that title is shared by Hotspot Shield, Private Internet Access, ExpressVPN and CyberGhost). But each of those is owned by a corporate entity that plays fast and loose with your private data (Aura and Kape Technologies). If you want to spend more time understanding the privacy issues, check out Yael Grauer’s excellent analysis for Consumer Reports Digital Lab here.

Not on my recommended list is the VPN that I have been using for the past several years — ProtonVPN (shown above). I am of two minds here. On the plus side, I have a fond spot in my nerd heart for Proton, the Swiss company that was an early proponent of encrypted email. But the VPN product is slower, more expensive, harder to use and more of an “OG” VPN that requires emails and credit cards to subscribe. Yael’s report also mentions some privacy difficulties with the service, as well as those well-advertised services mentioned above that have leaked data or aren’t as transparent as they claim to be.

If you leave home, you need to run some kind of VPN. Period.

Moving money around: questions to ask

If you are looking to transfer money to someone quickly, you have a lot of choices, including Zelle, Venmo, Wise (formerly TransferWise), PayPal and Xe.com. But with choice comes learning what is involved in using each vendor, including getting answers to the following questions:

  • Can you move money internationally? Not with Zelle or Venmo, but the others offer this service. Zelle can only be used to move money between US bank accounts with US mobile numbers. Venmo also requires users to be physically in the US to complete their transactions. PayPal has the widest selection of currencies, claiming they are available in 200 countries (which is pretty much everywhere), and Xe claims 170 countries. Wise is available in 59 different countries.
  • What is the effective exchange rate for your funds? Exchange rates change constantly, and it is hard to anticipate when the best time to move your money will be. None of these services makes it easy to figure this out, and they tack on various fees for particular circumstances. I say “effective” because each service quotes rates differently. For example, Xe and Wise both use “midmarket rates,” which they are very clear about up front, and for both you can actually run a quote before you do the transaction and see the rate and the fees deducted. PayPal has a whole bunch of fees, terms and conditions that are explained here, and their rates are usually less favorable. Monito.com, another money transfer service, has a real-time rate comparison shopping tool that looks at several competitors (I am not sure how accurate it is, but it can be helpful).
  • How safe is it to use the service? A recent NYTimes article documents how Zelle has become the fraudster pipeline of choice, with banks making it difficult to resolve complaints or reimburse fraud victims.
  • Can you secure your account with MFA? Speaking of fraudsters, you should set up this additional authentication factor to protect your accounts and your transactions. Some services make this process easier than others.
  • How easy is it to use the service? Some of the services have really poor usability, making the process a lot more difficult than it needs to be. Some only work with a mobile app, while others support both mobile and web platforms. Some of the services can move funds into your recipient’s bank account; others require your recipient to open an account on their platform before they can access their funds.
  • How fast is the money moved? Everyone operates at different speeds, so if this is important, check the fine print on when the funds will actually be available.
  • What other services are offered? Some of the vendors (like Wise) have prepaid debit cards and multi-currency accounts that reduce fees. If you have to move money on a regular basis, you might want to check into these.

Here is one other alternative: using a brokerage account to move your money. I recently had to get funds to my daughter in Israel. She wanted dollars, not shekels, but we both use Morgan Stanley to manage our investments. It was a simple matter to take money from my checking account and deposit it in her brokerage account; no fees were involved, and the whole operation took a few minutes.


CSOonline: Understanding risk-based authentication

The last time I bought a suit was several years ago, in advance of my daughter’s wedding. Back in the 80s and perhaps 90s, I would wear a suit whenever I travelled or spoke at a conference. These days, not so much on either travel or suit-wearing. I actually bought two suits (whadda deal!) and I was pretty happy with the process until it came time to pay. My credit card was immediately declined. I certainly had plenty of credit limit (I think the total purchase was about $1000) but the algorithms used by my bank kicked back the transaction because it had been ages since I last bought a suit, or bought anything at a retail store for that amount of money.

This process of questioning my transaction is called risk-based authentication (RBA), and it has become quite common, particularly as criminals get better at compromising our accounts and as we continue to reuse our banking passwords, which get phished and posted across the dark web. The banks have gotten better at investing in this tech so as not to raise too many false positive flags (such as my suit purchase), basing their decisions on all sorts of factors. In my case, I probably still would have been challenged because I was at a location not close to my home and in a store that I hadn’t been in before. But RBA can incorporate many other signals: the hardware you are using on your phone (if a phone is involved in the transaction), whether your typing cadence has changed (a sign that someone else is using your computer or a clone of your phone number), a pattern of multiple purchases made earlier that day, or “impossible travel,” where the same login credentials are used from IP addresses located so far apart that nobody could have physically traveled between them in the elapsed time (of course, you have to be careful that someone isn’t simply using a VPN here).

Speaking of impossible travel, back when I did travel internationally I had to remember to login to my banks and tell them where I was going. One time I forgot and my credit card dinner purchase was declined. Now most banks don’t need you to do this, thanks to better RBA.
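The impossible-travel signal is easy to compute, and the VPN caveat is exactly where a naive rule goes wrong. Here is an added example (my own illustration, not code from this post or from any of the vendors mentioned) that runs the check over a handful of constructed login events: it sorts each user’s logins by time, computes the great-circle distance between consecutive locations, and flags any pair that would require traveling faster than an assumed 900 km/h ceiling. Where either endpoint is tagged as a known VPN exit (a flag assumed to come from an upstream IP-reputation lookup), the finding is kept but downgraded to low confidence rather than dropped. The coordinates, IP addresses, timestamps and threshold are all constructed for the example.

```python
"""Impossible-travel check over constructed login events.

Added example, not code from the original post or from any vendor named in it.
Coordinates, timestamps and the speed threshold are constructed for illustration.
In production the lat/lon would come from an IP geolocation lookup and the
known_vpn_exit flag from an IP-reputation feed; both are assumed here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
# Faster than a commercial airliner between two logins is treated as impossible.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    ip: str                        # constructed sample address
    lat: float
    lon: float
    known_vpn_exit: bool = False   # assumed to come from an IP-reputation lookup


@dataclass(frozen=True)
class Finding:
    user: str
    previous: LoginEvent
    current: LoginEvent
    distance_km: float
    speed_kmh: float
    confidence: str                # "high", or "low" when a VPN exit is involved


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: Iterable[LoginEvent],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Finding]:
    """Flag consecutive logins by the same user that would require traveling
    faster than max_speed_kmh. Events are processed in timestamp order."""
    last_seen: Dict[str, LoginEvent] = {}
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Two distant places in the same second is still impossible: treat as infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                # A VPN exit on either side can legitimately look like a jump,
                # so downgrade the finding rather than suppress it.
                vpn = prev.known_vpn_exit or ev.known_vpn_exit
                findings.append(Finding(ev.user, prev, ev, dist, speed,
                                        "low" if vpn else "high"))
        last_seen[ev.user] = ev
    return findings


def _utc(h: int, m: int) -> datetime:
    return datetime(2022, 3, 28, h, m, tzinfo=timezone.utc)


# Constructed sample events using St. Louis, Frankfurt, Chicago and Amsterdam coordinates.
SAMPLE_EVENTS = [
    LoginEvent("alice", _utc(9, 0), "198.51.100.10", 38.63, -90.20),
    LoginEvent("alice", _utc(10, 30), "203.0.113.7", 50.11, 8.68),
    LoginEvent("bob", _utc(9, 0), "198.51.100.11", 38.63, -90.20),
    LoginEvent("bob", _utc(14, 0), "198.51.100.12", 41.88, -87.63),
    LoginEvent("carol", _utc(9, 0), "198.51.100.13", 38.63, -90.20),
    LoginEvent("carol", _utc(9, 40), "203.0.113.8", 52.37, 4.90, known_vpn_exit=True),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        elapsed_h = (f.current.ts - f.previous.ts).total_seconds() / 3600.0
        print(f"{f.user}: {f.distance_km:.0f} km in {elapsed_h:.2f} h "
              f"-> {f.speed_kmh:.0f} km/h ({f.confidence} confidence)")
```

Running it flags alice (St. Louis to Frankfurt in 90 minutes) at high confidence and carol (St. Louis to Amsterdam in 40 minutes, via a tagged VPN exit) at low confidence, while bob’s St. Louis to Chicago hop over five hours stays quiet. A real deployment would feed a finding into a step-up challenge rather than an outright block, which is the same false-positive trade-off the banks make.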

The three credit bureaus (Experian, Equifax and TransUnion) have all bought various RBA vendors over the years (41st Parameter, Kount and Iovation, respectively). Both LexisNexis and Mastercard have their own RBA tech too (ThreatMetrix and NuData Security). What is interesting about this group is that they handle millions of financial transactions each day, or each hour, so they can spot fraud trends more quickly. RBA has quickly grown from some wonky security tech into the mainstream precisely for this reason.

This week I wrote a story for CSOonline where I take a closer look at 12 different RBA vendors’ offerings. I have studied these products for years, and am glad to see continued progress in their features and usability. One example is the latest offering from Ping Identity, called PingOne DaVinci. This is an identity orchestration tool that can be used to create automation routines using Visio-like flowchart diagrams. This is a big benefit, because setting up risk escalation scenarios using interlocking rule sets and policies can be difficult to debug.

Time for some privilege management

Working in infosec, we use the term “privileged access management” to refer to security tools that determine which users have what kinds of rights to access particular applications, devices and networks. But when I read this recent Protocol story (that is the name of the online pub, btw) about a tech writer who turned down a potential job with a software firm because they were using Teams (that is the name of the Microsoft software, btw), I had to stop and think about this.

This is what the Great Resignation has come to? Granted, I am not a big fan of Teams but heck, that would not be a dealbreaker when I would consider joining a company. At least they aren’t using AOL IM, which was the messaging standard — even for corporations — back in 2006 when I wrote this story for the NY Times.

But still. I guess in these days where it is a job seeker’s market, you don’t have to check your privilege at the Teams web portal, to inelegantly coin a new phrase.

Back in the olden times — say the early 90s — people who wanted to use Macs had trouble getting them purchased for their corporate desktop or laptop of choice. Thankfully we have all moved on from that era. So I guess it was only a matter of time before someone, as misguided as the dude in the Protocol story, would vote with his feet or keyboard or whatever and seek employment elsewhere. “The vibes are off.” What, is he also a music critic?

Now, being a member of the tech writing community I am embarrassed about this. And unlike the Mac/Windows dichotomy of yore, we are talking about the software this potential privileged person will use to connect to his peers. And a collaborative piece of software: this is something that everyone has to use to derive value.

Remember how tech companies used to lure candidates by having free food prepared by on-site chefs, well tricked-out workout rooms, and snack closets that could compete with Trader Joe’s? Now I guess this means that companies will have to offer Slack safe spaces (or whatever piece of software offends the next potential new hire). It is a sad day indeed for all of us.

Avast blog: How the IRS can do better with its digital identity program

The US tax collection agency, the Internal Revenue Service (IRS), has changed course with its short-lived identity verification system that was only recently implemented. Last November, the vendor ID.me was awarded an $86 million contract to provide the exclusive authentication for all online IRS accounts. Until then, the IRS had its own account authentication service that was based on credit reporting data. The older system was to be phased out this summer.

This week, things came to a head and the IRS decided to ditch its ID.me solution. I describe the chain of events, why ID.me was such a lightning rod, and some ways the IRS can regain traction and show leadership in the decentralized identity space in my latest blog for Avast here.

Avast blog: School cybercrime attacks are on the rise

You may have heard the term “script kiddies”, which usually refers to adults who hack into business networks. However, lately there has been a significant rise in cybercrime attacks from actual school-age children. A new report from the UK’s National Crime Agency has found the average age for DDoS hackers has dropped to 15, with some students being as young as nine years old. The issue is that DDoS attacks are easy enough for even a kid to carry out.

You can read my analysis of the trend and what the UK is doing to stem the tide here in a blog for Avast.

Is it time to consider web v3?

I am not so sure. For those of you keeping score at home, web v1 was the early days where we had web servers delivering static pages of mostly text, starting in the early 1990s and lasting until about 2003 or 2004. The next version was the dynamic web where we created our own content, and where we freely gave away our privacy and data so that we could post cat memes and dance videos to the now giants of Facebook/Apple/Amazon/Netflix/Google, otherwise called FAANG. (Facebook and Google have renamed themselves, but the acronym has stuck.)

But now it is time for a new iteration, and v3 attempts to create a more egalitarian internet, protected by encrypted tokens that can keep everyone’s identity and data private and secure. Say what? At least, that is the plan.

Whether or not you agree with this vision, it has largely been unrealized. Yes, there is a Web 3 Foundation, and you can see at that link a very complex tech stack that will consist of multiple protocol layers, much still TBD. For those of us that cut our teeth on HTML, CSS, and HTTPS, these protocols are pretty much unknown.

Scott Carey writes in Infoworld summing things up this way: “To access most Web3 applications, users will need a crypto wallet, most likely a new browser, an understanding of a whole new world of terminology, and a willingness to pay the volatile gas fees required to perform actions on the Ethereum blockchain. Those are significant barriers to entry for the average internet user.” I’ll say. If you have never had a crypto wallet, never used Rust or Solidity and don’t know what a gas fee is, you need to go to web3 study hall. You may not understand the tech behind it — I don’t fully understand all of these items — but that is the point. The decentralized web is being built on a series of protocols and there are a lot of gaps.

But let’s put aside all the new tech and answer a few basic questions.

What is the role of clients and servers? One of the first things you come to is needing to understand the difference between clients and servers. In the web1 and web2 worlds, there were browsers, and there were various servers (web, database, applications, payments, and so forth). It was a pretty clean separation of powers. Some of us were happy to never touch any kind of server, something that leads off Moxie Marlinspike’s “first impressions” blog post. I don’t agree with this position. I have been running my own web server for more than 25 years. I wouldn’t have it any other way. I like being “master of my domain” (which is more than just running my own server, such as being able to move it from one place to another across the internet, which I had to do last year when my ISP went out of business).

I think what Moxie meant to say is that most people don’t like configuring and maintaining their own servers. But that is why we have ISPs.

But look at the tech stack that we are promised with web3: that is a lot of tech to deal with. If we had resistance to configuring HTML and HTTP, imagine how much pain we will face when all this new stuff comes to fruition.

Lance Ulanoff writes that the vision for web3 is “more a combination of edgy new technology and a reaction to centralized control.” He goes on to discuss some of the early descriptions before the web3 term came into the popular lexicon, such as the semantic web that was tossed around back in 2006. He describes web3 being when we can control our interactions and have a universal identity across all systems. That’s nice, but so much of the current vision about web3 doesn’t really fill in the blanks about how this control will happen or how we can create these universal identities. Moxie says that we need to use cryptography rather than infrastructure to distribute trust. I completely agree. Ignoring the trust issues is dangerous — look how long it has taken us to resolve email trust issues, and those protocols were created decades ago.

But how this infrastructure plays out brings us to my next question:

What is the role of peer-to-peer (p2p) technology? Remember Napster and peer file sharing of music and videos? Back then (roughly 2000-2005), everyone was digitizing their CDs, or stealing music from others, or both. Napster and LimeWire and the other apps created peer file servers on your hard disk, and you then shared your digitized content with the world. Sharing wasn’t caring, and lawsuits ensued. Now we just pay Netflix et al. and stream the content when we want to listen or watch something. Who needs possession of the actual bits?

But see what has happened here: we went from this idealized p2p world to today where just a few centralized businesses (like FAANG) run the show. This could be the fate of web3, and all this talk about a decentralized, egalitarian web could fall apart. Today’s crypto/NFT world depends on just a few centralized service providers, and the distinction between client and server in a fully decentralized p2p blockchain isn’t all that clear, as Ethereum co-founder Vitalik Buterin points out. He says that there are various gaps in web3 which are bridged by the various API suppliers, such as Infura and OpenSea. The issue that Moxie has is that many NFT and crypto advocates have just accepted the role of these API vendors without much thought about the implications. Moxie is worried that these vendors have a lot of control over things, and that there is the potential for the decentralized web3 to turn into a less efficient and less private version of today’s internet. Think of one nightmare scenario, where Facebook (or one of the other giants) has its own web3 servers, APIs, and alt-coins. The horror!

But you think crypto is cool, and there is money to be made. Now we get to the real meat of the matter. Forget about a more equal internet and singing kumbaya off into the sunset. Let’s talk about how high the various alt-coins are trading at – or not, depending on when you entered the market. Remember the internet bubble of 1999-2000, when domains were being bought and sold on little more than a pitch deck? That was Gold Rush v1, and all you had to do to participate was to buy a domain and flip it. (I am guilty of this, but I didn’t buy my domain to flip it. I just got lucky.) You could argue that all you need now is to hold a basket of crypto coins — as some of you have done. But look at all the knowledge you have to collect to participate in this gold rush. Nevertheless, there is some cool stuff being built, as this blogger documents. This post basically rebuts a few of Moxie’s complaints while making Moxie’s point that this is very early stuff.

So go cautiously into the web3 night, and good luck learning about all the requisite tech that will be needed. And for those of you complaining about the decentralized and private web of the future, you might want to spend some time doing the basic blocking and tackling and eliminating duplicate passwords and implementing MFA logins now, because you’ll need something like them to get on the blockchain train. Or at least protect all those crypto funds in your wallet from being lost or stolen.