Avast blog: An elections security progress report

Twelve Tuesdays from today, the US national elections will take place, and infosec professionals are doing their best to adapt to changing circumstances brought on by both the pandemic and the tense cyber-politics surrounding them. More states are expanding mail-in voting and planning the necessary infrastructure to distribute and process paper ballots. State elections officials are also deploying better security measures, banding together to form the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Membership in the information sharing and analysis center has grown considerably since the 2018 election.

In this blog post for Avast, I review what is going on with election security since we last covered the topic during the March primaries. There have been numerous events in the past week that have brought new context to the intersection of technology and our elections. And I also mention several presentations given at Black Hat and DEFCON that bring us up to date on what is happening with election security.

If you are unemployed, start rebuilding your personal brand

I am very fortunate: I have worked for myself for decades and have a great collection of clients that keep me busy with plenty of freelance writing assignments. But because our economy is in rough shape, there are lots of folks who are out of work right now. This made me think back to the time in 2006 when I got fired from my last full-time gig, running the editorial operations of the various Tom’s Hardware websites.

It wasn’t the first time I went to work and was told to pack up my things and leave that same day. It is a horrible feeling: you think you are worthless, that you will never work again. That you have failed. I was scared that I wouldn’t be able to make my mortgage payments. I had moved across the country to take that job, and now what was I going to do?

Unlike the astronauts, failure is an option. I wrote about this many years ago, where I described some of my numerous failures in my career, such as my books that didn’t sell or websites that weren’t successful at attracting interest.

I thought of this because I am reading an interesting book by Lauren Herring, Take Control Over Your Job Search. It is all about helping you to find a new job — not that I need to or want to make changes to my current situation mind you. I am very happy with being a full-time freelancer, and thankful that I can work for such great clients. But if you are less fortunate, or if you know someone who has gotten stuck with unemployment, this book might be worth picking up. Lauren is the CEO of a coaching/recruitment firm here in St. Louis.

Sure, there are a lot of job-search books out there. This book has some intersections with three sources: that seminal job searching book What Color is Your Parachute, Elisabeth Kubler-Ross’ stages of grief and the mindfulness work by Jon Kabat-Zinn. But what I found interesting in Herring’s book is that she addresses the biggest issue of today’s unemployed: your emotional state of mind. Yes, you can fill out all of the Parachute’s exercises and have a sparkling resume. You can meditate daily and figure out whether you are in denial or still bargaining with your newfound unemployment. But if you approach your virtual interviews with a lack of confidence, or too much confidence, or can’t even leave your house without a boatload of fear, you won’t get anywhere. “The ability to notice, understand, and process your emotions is more critical to success and happiness today more than ever before,” she writes.

Herring describes how to respond to ten different emotions (that’s the multi-step Kubler-Ross stuff) of grief, anger, and frustration with ways to respond to them and Parachute-style exercises to get you to discover your own state of mind and ways that you can move through the paralysis towards more positive outcomes (a la mindfulness). Along the way you will be using a group of what she calls your “super team” of supporters to help you role play and arrive at better outcomes and write journal entries of your reactions. “The goal of this book is to replicate the live experience of working with a career coach as best as possible,” she writes.

Take fear, for example. To fight it, she cites several case studies of the jobless that she or her company has coached. “Potential employers can sense your fear about your job search,” which as you might imagine doesn’t bode well for getting callbacks or offers. And if you find yourself taking rejection personally and feeling resentful, you need to reset these feelings. For example, you should do some research and find out if you have your facts straight.

One of the more interesting aspects is shaping your personal brand, which is something that I have written about several times, and part of some of my own career coaching presentations. Your brand needs to come through in all your digital elements: LinkedIn profile, your resume and so forth. “This is one of the most uplifting tactics you can do during your job search,” she writes, and a good way to counter some of the negative emotions you are experiencing. Being clear on your brand is a great way to define your next job, and to ensure that your performance once you get that job will measure up to the expectations of you and your manager too. It is great advice for folks who have jobs and want to move ahead too.

One missing element from this book is some specific strategies in these times when we are working from home. While some of her methods can be easily modified and she does mention things like virtual interviews, I think the topic deserves its own special chapter. Perhaps she’ll include this on her website as a supplement.

Avast blog: How to use multi-factor authentication for safer apps

Multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone are less secure than others, such as using a $25 Google Titan security key (shown here) or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (such as a reused one that has been already leaked in another breach), your account is still secure because you have this additional secret to gain access. Is MFA slightly inconvenient and does it require some additional effort to log in? Typically, yes.

After the Twitter hacks of last month, I took some time to review my own security settings, and found them lacking. This just shows you that security is a journey, and you have to spend the time to make it better.

I go into more details about how to best use MFA to make your social media accounts better protected, and you can read my blog post for Avast here for the step-by-step instructions.

Network Solutions blog: Cost-effective ways to improve your network bandwidth

As more of us work from home, we need to ensure more consistent and better bandwidth connections. By better bandwidth, we mean one or more of three cost-effective methods that can be used to boost your Wifi signal, reduce network latency, and improve your wireless throughput. To figure out which method or methods will work the best for you, there are some simple tests you can perform before you go shopping for new gear, including a new home router or a better Internet provider connection plan. You should periodically test your network bandwidth and throughput to ensure that you don’t have any bottlenecks, and don’t be afraid to change your provider to get something better.

You can read my blog for Network Solutions here.

Turkish tactics with blocking social media

Today in our Congress, the four executives of Big Tech (Cook, Zuck, Bezos and Pichai) will testify about their business practices. (You can watch this live or on demand here.) I have written previously about Apple’s issues with running its App Store here. ProtonMail’s Andy Yen has nicely summarized things from his perspective, as a vendor that is trying to make a living selling encrypted mail services. If you want a longer exposition, today’s NY Times has this handy reference piece that reviews the major issues.

Sorry to hit you with so many links but I wanted to get all that down. Who knows if Congress will act to fix things with Big Tech, but in the meantime we have gotten a preview with a potent counter-example. This week the Turkish government has issued new laws that are aimed at regulating all social media platforms with more than 1M daily users — meaning Facebook (including its WhatsApp and Instagram networks), Pinterest, Twitter, Telegram and YouTube. Basically, everyone.

The regulations call for each vendor to operate a local office in Turkey and store all Turkish data in a local data center. You can imagine the potential for abuse right there. The staff of each office will also be responsible for blocking content requests from the government, and need to respond within two days or risk huge fines. The new law is supposed to go into effect October 1. For several years, Turkey has been blocking all Wikipedia content — and only lifting this restriction in January. And they have been after Netflix as well, resulting in four productions closing up. Ironically in the US, Netflix has received a boatload of Emmy nominations this week. The Times cites one statistic that the government last year blocked more than 400,000 websites.

I wanted to see for myself what actually has been going on with Turkey, and I went to the various “transparency reports” produced by the Big Tech vendors. No doubt in today’s testimony these reports will be cited several times. The reason why I put them in quotes is because figuring out any meaningful information from these reports isn’t easy, as you might suspect. Each of the Big Four vendors has a different format (innovation is alive and well) that makes it difficult to compare them to each other. But to save you the effort, here are a couple of spreadsheet fragments so you can see for yourself. The quick summary: Turkey is certainly at the top (Twitter) or nearly so of the most requests to block content. For Twitter, as you see in this spreadsheet, the two columns account for removal requests by the courts (which could be politically motivated) and government-based requests, which you can see add up to more than 6,000, roughly a third of the total removal requests sent to Twitter over last year.

Facebook has a similar spreadsheet, and Russia tops their list, but Turkey is in the top 15. Here is Google’s page of statistics for Turkey. Overall, since 2009, the Turkish government has submitted more than 12,000 requests to remove items. But it is hard to compare them with other countries unless you bring up the separate pages, and when you do that you see different ways to display the data by country that make any comparison impossible. Apple’s page on Turkey can be found here. Again, the design of this report makes it hard to compare countries, but it looks like Germany is the top place to remove content, no matter which metric you use.

Turkey is far from an open democracy, as I am sure you realize. My point here is that while this recent legislation is poorly designed (and will no doubt be challenged and could be modified before it actually takes effect), it should serve as a warning for our government to try to do the right thing, however you want to define that. I wish our Congress a lot of luck, especially trying to do this in an election year. In the meantime, have fun trying to interpret all these numbers and making sense of them.

Network Solutions blog: Tools and tips for best practices for WFH network printing

Now that more of us are working from home (WFH), one of the key technologies that can cause problems is surprisingly our networked printers. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. In my latest blog post for Network Solutions, I suggest several strategies to help you understand the potential threats and be able to print from home securely, including what IT managers can do to manage them better and what users can do to avoid common security issues.

Avast blog: Your guide to safe and secure online dating

Recently, information from five different dating sites has leaked millions of their users’ private data. The sites cover users from the USA, Korea and Japan. On top of this, a variety of other niche dating apps (such as CougarD and 3Somes) had data breaches of their own that exposed hundreds of thousands of users’ profiles in May, including photos and audio recordings. This latter event occurred thanks to a misconfigured and open Amazon S3 storage bucket. Thankfully, the owner of the account quickly moved to secure it properly when they heard from security researchers. We haven’t heard much about dating site breaches since private data from some 30M Ashley Madison users were posted online in 2015.

In this time of the pandemic when more of us are doing everything we can online, dating remains a security sinkhole. This is because by its very nature, online dating means we eventually have to reveal a lot of personal information to our potential dating partners. How we do this is critical for maintaining both information security and personal safety. In this post for Avast’s blog I provide a bunch of pointers on how to do this properly and provide my own recommendations.

Tales of IT bottlenecks in these Covid times

Having worked in IT for several decades, it is always interesting how past tech choices have come back to thwart us, showing weaknesses in our infrastructure and how the word legacy is often used pejoratively in our field. Consider the lowly fax machine, which many of us have not thought about in years.

In the early 1990s if my memory serves me, we had plug-in modem cards for PCs that also supported sending and receiving faxes. These were eventually replaced with technologies that could be used to transmit faxes across the Internet. (That link is woefully outdated and many of those vendors have gone away. Sorry! But at least you have some historical record to understand the context.) Why am I talking about faxes?

The NY Times recently posted this story about how the fax machines located in many public health offices are the latest bottleneck in our response to the pandemic. There is a photo included in the post of a pile of faxes taller than I am produced by one of these machines, located in a Houston office. This shows how we can have all the latest and greatest digital technology we want, but then things break with something that we have since forgotten about, like the fax machine. Humans will have to review all these faxes and try to sort things out, often re-enter the data and search for missing elements, such as details on the actual patient who was tested.

As someone who has had my own health challenges (although not Covid-related, at least not yet and hopefully not ever) over the past few months, I have come across a few digital bottlenecks myself. At my last hospital visit, I had to wait around for more than an hour for my appointment for a very frustrating reason: my appointment wasn’t entered correctly “into the system” and the only way I could be seen and treated was for the staff to get hold of someone at Epic support to clear my appointment and then have it re-entered. No one at the hospital IT department could do this, apparently. Epic is the electronic medical record (EMR) provider of my hospital and for reference their motto is “the patient at the heart.” Yes indeed.

Let me tell you another digital bottleneck that I experienced. I was very careful to pick my treatment with a doctor that had experience with the particular surgery that I required and that I could communicate with readily using the Epic messaging portal, which they brand as MyChart. Often he answered my inquiries within minutes after I posted them to the portal. As a result, I have gotten very familiar with the MyChart portal and have used it frequently during my treatment over the past several months.

I have learned over the years that doctors who are digital natives, or at least comfortable with the technologies that I use (email and the web), are those doctors that I want to treat me. But when I had complications from surgery that required other doctors to get involved in my treatment, I was really at their mercy. Often all I had was a phone number that would page someone on call, if I had a problem that needed help in off-hours. I wasn’t prepared for that at all. It was frustrating because I went from a position where I was quite comfortable with the level of communication with my primary surgeon to going back to the pre-Internet, 1960s-era tools for my care. It was almost as if we were faxing each other.

These problems and bottlenecks have a simple root cause: years ago, we as a country made some bad decisions on how patient data is stored, protected, and disseminated. While it is true that few of us could have foreseen the pandemic, these past decisions have cast a long shadow. In our rush to spread blame about what is happening with the virus now, remember that some of these past decisions could have been made differently to lessen the impact today.

When fax tech was going out of style in the late 2000’s, I wrote this post for Baseline Magazine about some of the lessons learned from the fax machine. There are four important ones that bear repeating:

  • Interoperability matters.
  • Simplicity matters.
  • Real-time communication matters.
  • Privacy matters.

If we examine the fax breakdown during the pandemic, we can see these four lessons are still very much relevant. I ended my column by saying, “So the next time you have to build a new application, consider the lowly fax machine and what it does right. Take these lessons to heart, and you will have a leg up on building better and more useful applications.” Maybe we can finally learn these lessons to be prepared for the next pandemic.

The Facebook civil rights audit is a mixed bag

For more than two years, a team of civil rights activists has been examining Facebook’s actions under a microscope. They have issued various interim reports; this week they produced their final report, which evaluates how well Facebook has done in implementing their extensive recommendations. The short answer: not very well.

The report covers a wide scope of activities, including eliminating hate speech, policing posts that threaten democratic elections and the collection of US Census data, changes in advertising policies and algorithmic bias, inciting violence, and policies promoting diversity and inclusion. It would be a tall order for many tech companies to resolve all of these issues, but for a business the size and scope of Facebook, I would expect to see more coherent and definitive progress.

At first glance, Facebook seems to be trying — maybe. “Facebook is in a different place than it was two years ago,” as the report mentions. The company has begun several initiatives towards making amends on some of their most reprehensible actions, including:

  • Setting up better screening of posts that encourage hate speech or promote misinformation or harassment. The auditors mention that while there have been improvements during the study period, specific recommendations haven’t been implemented.
  • Prohibiting ads that mention negative perceptions of immigrants, asylum seekers or refugees.
  • Creating new policies prohibiting threats of violence relating to voting and elections outcomes.
  • Expanding diversity and inclusion efforts, although in interviews with Facebook staff the auditors feel there is still plenty of room for improvement and that the company could do a lot more.
  • Eliminating explicit bias in targeting housing, employment and credit application ads by age, gender or Zip code.
  • Making changes to its Ad Library to make it easier and more transparent for researchers to search for bias and to determine if Facebook is making progress in implementation of these policies.

But when you read the entire 90-page report, you get to see that while the company has moved (and is continuing to move) towards a more equitable and appropriate treatment, they have just begun to move the needle. “It is taking Facebook too long to get it right,” they state.

Megan Squire, a CS professor at Elon University, wrote to me with her reaction. “The report highlights the same kinds of inconsistencies and persistent failures to act that I have experienced as a researcher studying the hate groups. These groups still routinely use Facebook’s platform to recruit, train, organize, and plan violence. Onboarding civil rights expertise is something they have yet to do in the white supremacist and domestic terror space, but I hope they strongly consider something like this in the future.” Squire refers to hiring civil rights specialists to round out various teams. The final report mentions this hiring in several contexts, but doesn’t touch on it when it comes to the sections on fighting hate speech and improving Facebook’s content moderation.

One thing that occurred to me as I was reading the report is how many of the issues mentioned have to do with the actions of our President and his campaign staff. Many of his statements, on Twitter and Facebook and in his campaign advertising, violate the auditors’ recommended actions. The auditors mention a trio of Trump posts in May which contained false claims on mail-in voting and an attempt at voter suppression. The posts were removed by Twitter but left online by Facebook. “These political speech exemptions [justifying keeping them online] constitute significant steps backward that undermine the company’s progress and call into question the company’s priorities,” the auditors say. “For many users who view false statements from politicians or viral voting misinformation on Facebook, the damage is already done without knowing that the information they’ve seen is false.” The auditors mention civil rights advocates’ claims that Trump’s content is “troubling because it reflects a seeming impassivity towards racial violence.”

The auditors specifically address this, saying “powerful politicians do not have to abide by the same rules that everyone else does, so a hierarchy of speech is created that privileges certain voices over less powerful voices.” They mention how Facebook has reined in anti-vax proponents but ironically has been “far too reluctant to adopt strong rules to limit misinformation about voting.” They go on to state, “If politicians are free to mislead people about official voting methods (by labeling ballots illegal) and are allowed to use not-so-subtle dog whistles with impunity to incite violence against groups advocating for racial justice, this does not bode well for the hostile voting environment that can be facilitated by Facebook in the United States.”

Facebook has tried to blunt the auditors’ criticism, saying that from January to March 2020, they removed 4.7M pieces of hate speech-related content, which is more than twice what was removed in the prior three months. That’s progress, but just the tip of the hate-speech iceberg. Earlier this week, Zuck once again promised to address the auditors’ issues. And last week, the company announced they are still trying to lock down API access to private data, after yet another revealing breach of private user data was discovered. Clearly, they could do a better job. “Facebook has a long road ahead on its civil rights journey.” I agree. It is time we see progress over promises.

Fighting online disinformation and hate

The past month has seen some interesting developments in the fight against online disinformation and hate speech. First was the K-Pop campaign that diluted the impact of white nationalists by filling the various social media channels with fan videos using their hashtags. The K-Pop fans were also initially credited for buying up tickets to the Trump Tulsa rally. While we know only about six thousand people attended the rally, it is hard to state with any certainty who really got those tickets in the end.

This is an effective way to blunt the impact of hate groups, because you are using the crowd to counter-program their content. What hasn’t worked until now is forcing different social media platforms to ban these groups entirely. This is because a ban will only shift the haters’ efforts to another platform, where they can regroup. As a result many new social platforms are popping up that are decentralized and unmoderated.

Megan Squire, a computer science professor to whom I am distantly related, has studied these hate groups and documents how their members know how to push the limits of social media. For example, one group uses YouTube for its live streaming and real-time comments, then deletes the recorded video file at the end of their presentation and uploads the content to other sites that are less vigilant about their hate speech moderation.

Part of the problem is politics: tech companies are viewed as supporting mostly liberal ideologies and targeting conservative voices. This has resulted in a number of legal proposals. Squire says that these proposals are “naive and focused on solving yesterday’s problems. They don’t acknowledge the way the social media platforms are actually being gamed today nor how they will be abused tomorrow.”

Another issue is how content is recommended by these platforms. “The issue of content moderation should focus not on content removal but on the underlying algorithms that determine what is relevant and what we see, read, and hear online. It is these algorithms that are at the core of the misinformation amplification,” says Hany Farid, a computer science professor, in his Congressional testimony this past week about the propagation of disinformation. He suggests that the platforms need to tune their algorithms to value trusted, respectful and universally accepted information over the alternatives to produce a healthier ecosystem.

But there is another way to influence the major tech platforms: through their pocketbooks. In the past month, more than 100 advertisers have pulled their ads from Facebook and other social sites. CNN is keeping track of this trend here. Led by civil rights organizations such as the NAACP and the ADL, the effort is called Stop Hate for Profit. They have posted a ten-point plan to improve things on Facebook’s various properties. It has been called a boycott, although that is not completely accurate: many advertisers have said they will return to Facebook in a few weeks. One problem is that the majority of Facebook business is from smaller businesses. Still, it is noteworthy how quickly this has happened.

Perhaps this effort will move the needle with Facebook and others. It is too soon to tell, although Facebook has announced some very small steps that will probably prove to be ineffective, if history is any predictor.