What doesn’t get backed up makes you stronger

I was just finishing off an article that will be posted on the Avast blog in a few days about ransomware-as-a-service. I was typing that one way to minimize the damage from ransomware is to “ensure that your backups are intact and accurate.” This was somewhat ironic, given that soon after disaster struck. And it had to do with the poor quality of my iPhone backup. As if this wasn’t bad enough, next week is the annual World Backup Day. Let’s rewind a bit to set the context.

For the past four or so years, I have been using an iPhone 7. Because I was a cheapskate, I bought the phone with only 32 GB of storage. Over the past several months, as I diligently kept the iOS version updated, I saw that it was having issues finding enough empty space to do the updates. Then last week I got tired of deleting apps or trying to fit my music and photos (the things that take up the most storage) and just said the heck with it and bought a new iPhone 12 and got the 128 GB model, which hopefully will last me a few years. This is my fourth or fifth iPhone (I think I had the 4 before the 7). Activating and moving my data over to the new phone was time consuming but mostly an automated transfer of data, and today I was ready to get down to working with the phone.

Just one problem. I am a big user of the Google Authenticator app to provide additional login security, and when I went to open the app on my new phone, there were no password codes installed. Now, I have about 25 different logins that use this app, and if I didn’t have access to these codes it meant that I couldn’t login to any of my apps. After I had been resuscitated seeing that empty Authenticator screen, I was ready to figure out how to get these login authentications back on my phone. One thing that I didn’t want to do was to have to authenticate each login separately by entering manually these logins to the app. Fortunately, I still have my old phone, and (after looking around) I found the way to transfer them manually. I had to do it 10 logins at a time (the Authenticator app produces a nifty QR code that you then use to restore the logins to the new phone), but problem solved. If my phone had been lost or stolen, I think I would still be in the local cardiac care unit.

Even the best backup plans can ignore certain scenarios. Look at the OVH data center that was on fire not too long ago. That brought down quite a few internet sites. that never thought they would see something like that happen. And I have had my own brushes with bad backups (or no backups, as the case may be), including a fire in my office building many years ago, or a flood in my provider’s basement. Both times things could have been catastrophic, and I did learn my lessons and improve my internal procedures. (Here is a post that I wrote many years ago about my own backup commandments. And for your own amusement, there is always the Tao of Backup.

But apparently there are still some lessons to be learned. So this whole experience with Google Authenticator made me think what else isn’t being backed up on my new phone? How about all the credit cards that I entered for my Apple wallet? Yup, MIA. A relatively easy one to fix. But still, ensuring your backups are complete isn’t a simple concept, even for a company of one. And there are still lessons to be learned, particularly as we do more computing on our mobiles.

Understanding the issues behind crypto art works

This week the art auction house Christie’s sold a work of art for $69M. What is noteworthy here is that the artist Mike Winkelmann had until last fall never sold any of his works for more than $100. Entitled Everydays: The first 5000 days, (a portion of it shown here) the artwork was entirely a digital work. The buyer got a digital record of the work, but not the graphics file itself. What was interesting about the sale was the bidding process, typical of a valuable eBay collectible: the auction had to be extended several minutes as dozens of hopeful buyers bid the price up in the last moments. You would think they were bidding on a “analog” DaVinci or a Degas. The piece, as you can see, is a digital file composed of a mosaic of other digital files. How meta!

This is the brave new world of what is being called non-fungible tokens (NFTs) or crypto art. This world is heavily into cryptocurrencies, blockchains, smart digital contracts and other totems of tech. Even if you think you understand what each of these things means in isolation, you might not be able to wrap your brain around this concept entirely. So you should start with this post on GitHub, which explains some of the movers and shakers, links to where you can purchase other crypto art works, how the various tech pieces fit together, and other components of this ecosystem. The NY Times documents some of the other crypto works that have recently sold for multiple millions of dollar-equivalents (the actual transactions typically happen via Ethereum), such as a digital copy of Jack Dorsey’s first Tweet. One analog art collector commented about the Christie’s sale that “Art is no longer about a relationship with an object. It’s about making money,” he said. “I feel bad for art.” As someone who has purchased a few analog pieces myself (more on that in a moment), I would tend to agree.

The site CryptoSlam keeps track of recent transactions and should convince you that this is now A Thing. Tim Schneider writes this excellent piece about the crypto art evolution and mentions four important and unresolved issues:

  • Who really owns what? As I mentioned, these works are really selling digital licenses and descriptions but not he bits of the digital art itself. The art is hosted elsewhere – what happens if the hosting provider disappears? Or if your digital wallet is compromised?
  • Will gatekeepers be the same old rich white boys club or have a chance to decentralize and diversify? Or put another way, is there an opportunity for grassroots and sustainable tech platforms to take hold that will encourage a more pluralist art world?
  • Will collectors be the same old RWBC, or worse –the rich tech bros from Silicon Valley? How the gatekeepers and collectors interact will be critical for the future success of the crypto art world.
  • The old system benefitted the collector on resale of the art. Can crypto-based systems benefit the artist since they can track ownership forever? But while using existing ETH-based smart contracts is a step in the right direction, it is just a small step. Most of these contracts don’t contain any resale/redistributions provisions. The Mint fund is trying to solve this in a different way by giving grants and getting new artists started and trying to diversify the creators beyond the US/EU RWBC axis.

This last point deserves further discussion. One crypto artist is Sara Ludy. She wrote smart contracts that lays out the revenue share arrangement, now and forever, for her works. She keeps half of any sale for herself, 15% goes to the crypto marketplace/platform she chooses to sell with, and then the remaining 35% to her gallery, where it is divided among the staff in equal portions. That means as the price of the art work escalates, everyone retains a piece of the action. That Christie’s sale only benefitted the last owner of the work — who wasn’t even the artist. Clearly the crypto world still has some major teething pains.

My first piece of art that I bought was a series of county courthouse photos taken by William Clift in 1976. I owned them for many years and they had supposedly appreciated in value. But when I couldn’t find a buyer, I decided to donate them to a museum instead. That points out that any auction requires both buyers and sellers.

Telegram designs the ideal hate platform

Last week the Parler social network went back online, after several weeks of being offline. Its return got me thinking more about what the ideal hate platform is. I think there are two essential elements: the ability to recruit new followers to hate groups, and the ability to amplify their message. The two are related: you ideally need both. Parler, for all the talk about its hate-mongering, really isn’t the right technical solution, and I will explain why Telegram has succeeded.

This blog post comes out of email discussions that I have had with Megan Squire who studies these groups for a living as a security researcher and CS professor. She gave me the idea when we were discussing this report from the Southern Poverty Law Center on how Telegram has changed the nature of hate speech. It is a chilling document that tracks the rise of these groups over the past year. But the SPLC isn’t the only one paying attention: numerous other computer science researchers have tracked the explosive growth in these pro-hate groups since the Capitol January riots and other seminal events in the hate landscape.

Telegram’s rise in numbers doesn’t tell the complete story. Telegram has crafted a more complete social platform for distributing hate speech and recruiting new followers. Certainly, Facebook still has the largest user base, but their tech hate stack (if you want to give it a name) is nowhere near as well developed as Telegram’s, and Parler’s is a distant third. Compare the three networks below in terms of both amplification and recruitment elements:

Criteria Parler Facebook Telegram
Type of service Microblog Social network Messaging+
Coherent and transparent reporting process for hate speech No Mostly and improving No
Support email inbox No Yes No
Content moderation team It depends Yes It depends (see below)
Appeals process Yes Yes No
Encrypted messaging No Separate app Built-in
Corporate HQ location USA (for now) USA Dubai
Growth in English-speaking hate group followers Unknown Unknown Huge growth (SPLC report)
Group cloud-based file storage No No < 2 GB
Group-based sticker sets No No Yes
Bot infrastructure and in-group payment processing No No Yes

“Telegram is absolutely the platform of choice right now for the harder-edged groups. This is for technical reasons as well as access/moderation reasons,” says Squire. You can see the dichotomy in the table above: most of the moderation features that are (finally) part of Facebook are nowhere to be found or are implemented poorly on Telegram, and Parler is pretty much a no-show. Telegram’s file-sharing feature, for example, “allows hate groups to store and quickly disseminate e-books, podcasts, instruction manuals, and videos in easy-to-use propaganda libraries.” I have put links in the chart above to descriptions on why the bot infrastructure and sticker creation features are so useful to these hate groups.

What about moderating content? Here we have conflicting information. I labeled the boxes for Parler and Telegram as “it depends.” Telegram has said that their users do content moderation. In their FAQ they claim to have a team of moderators. For Parler, their community guidelines document says in one place that they don’t moderate or remove content, and in another that they do. My guess is that they both do very little moderation.

The picture for Parler is pretty bleak. If they do succeed in keeping their site up and running (which isn’t a foregone conclusion), they have almost none of the elements that I call out for Facebook and Telegram. Using the Twitter micro-blogging model doesn’t make them very effective at amplification of their messages (at least, not until some of their personalities can bring over huge crowds of followers) or in recruitment, especially now that their mobile apps have been neutered.

There are two technical items that are both useful for Telegram: its encrypted messaging feature and the difference between its mobile app and web interfaces. Much has been written about the messaging features between the different social networks (including my own blog post for Avast here). But Telegram does a better job both at protecting its users’ privacy (than Facebook Messenger) and has much better integration into its main social network code.

The second item is how content can be viewed by Telegram users. To get approval for its app on the iTunes and Google Play app stores, Telegram has put in place self-censorship “flags” so that mobile users can’t view the most heinous posts. But all of this content is easily viewed in a web browser. Parler could choose to go this route, if they can get their site consistently running.

As you can see, defining the tech hate stack isn’t a simple process, and evolving as hate groups figure out how to attract viewership.

N.B.: If you want to read more blogs about the intersection with tech and hate, there is this post where I examine the evolution of holocaust deniers and this post on fighting online disinformation and hate speech.

On becoming a digital nomad

I am getting close to hitting the pandemic wall. Like many of you, I have been trying to be safe, following the rules, limiting my social contacts. Not getting on planes, going to any f2f meetings or even driving very much. I think last year my wife and I put a grand total of 6,000 miles on our car. So here is my current fantasy: becoming a digital nomad and living in some foreign country.

It is very ironic, this fantasy, because to some extent I already am a digital nomad, just without any of the nomadic travels. I have had my own freelance writing and speaking business now for several decades, but always have had a nearby office. (Mine is across the street from my home, but it could be anywhere in the world). Yet all my work is done for clients remotely. In some cases, I haven’t ever met some of them f2f. I was talking about this with my accountant, who lives just a few miles away. She and I have worked together for more than a decade but have never physically met.

In years past, I was semi-nomadic: I did a fair amount of travel to industry events, to speak at conferences, or to work with my clients at their offices. But now, thanks to the pandemic, that is all off the table. There is also an upside to the pandemic though: some companies have loosened their remote work restrictions and no longer care where in the world you work, just as long as you have the connectivity, the tools, and the time zones that you consider part of your workday firmly in place. This last issue is important: if your employer expects to find you at your desk or online at a certain time, you need to structure your day accordingly, wherever in the world you might be.

If you are considering becoming a digital nomad, you might want to study up on how to make the transition, as well as to figure out where in the world the Global You HQ will set up shop. Now is certainly the time to think about this, especially as many countries are trying to make it easier for nomads to settle – in some cases for years or more. Here are two resources that have the most current info on which countries are offering this arrangement, one from GodSaveThePoints and one from TravelOffPath. The list is somewhat fluid, as countries are changing the rules and evolving their Covid restrictions often at the same time. You can see some countries have placed income requirements: they want to attract nomads who have resources and income to come, and who will continue to work and earn their livings there. If you are just starting to think about becoming a digital nomad, there are dozens of blogs that describe the process, such as this one on TwoWanderingSoles.

In the past, pre-pandemic, nomads usually worked in a country under the radar, using 90-day tourist visas. You can still do this, if you understand that when the time is up, you literally must pack your bags and get out of Dodge. You can then find your next post and take up another 90-day residency. But that can get tiresome. And it could be risky: in these Covid times, you might not be able to get on any flights and then you would be in trouble when you try to leave on an expired visa. So that is where the digital nomad visa comes into play. Actually, the name is somewhat misleading, because it really is a temporary residency permit for an extended period of time.

I spoke to Bryan Cooley, who is a serial tech entrepreneur that I met when he was living in St. Louis. He has lived in various places around the world and now spends half the year in Manila as a permanent resident. He has spent at least a week in more than 130 countries and dozens where he has lived at least a month. I asked Bryan about his Internet connectivity, and he told me it has never been an issue. “I have had better connectivity than back in the US, even in some very remote areas.” Certainly, Covid has disrupted his travel plans: for example, even though he is a permanent resident in the Philippines, under current rules he can’t return if he leaves during the pandemic. He is looking into getting residency in Australia. He feels the digital nomad visas are mostly marketing efforts: “There are so many people traveling and going where they want to live. It has been going on for a long time. These programs are very limited in terms of numbers.”

A tech writer colleague of mine, Sharon Fisher, decided to go nomadic last fall, and has been to both Aruba (from October to January) and is now in Bermuda with her partner. I asked her how she ended up in these two places. She said that first she examined if Americans could enter the country, how their Covid cases were being handled, and what kind of broadband internet was available. Part of her Covid research was in understanding how onerous their quarantine protocols were. “We didn’t mind testing and staying home for a while, but we didn’t want to have to each pay $5000 to be sequestered for 14 days in a specific hotel on arrival.”

Next, they looked at the AirBnB situation, and so far they have had great experiences with the hosts they stayed at. They also need to have a close time zone to US operations: “we looked at Saipan (an island in the middle of the South Pacific) but that meant having to work in the middle of their night,” she told me.

Her biggest issues so far were groceries, transportation and bandwidth. “Food is more expensive than we anticipated, milk and produce in particular. Rental cars in Aruba were expensive but necessary. There are no rental cars in Bermuda, so we take the bus. Internet has been fine in the AirBnBs, including streaming video, with two people using the Internet just about constantly.” They also have T-Mobile cellular coverage which enables international data roaming but they eventually bought local SIM cards in Aruba.

What about her travel in the time of the Covid? “Ironically, it’s actually kind of been easier because Covid has reduced the number of choices we’ve had to make, and everyplace is less crowded. But the hardest part about traveling now is the existential question of ‘should we be doing this?’ The people in Aruba were very appreciative that some travelers were still coming, because of how dependent their economy is on tourism. Also, both countries have had much lower incidences of Covid than where we were in the US, and people seem to take it far more seriously. We personally have been much safer in these countries than we would have been in the US, and we have taken all the steps we can to ensure that the people in the other countries are safe as well. We realize what a privilege we have, and we appreciate it.”

If you are thinking about becoming a nomad, here are a few more points that I want to make. First, learn as much about the expat culture of your target destination. There is a difference between expats – people from elsewhere who intend to live there for the long haul – and nomads, who might not want to stick around or who want to travel as part of their newfound freedom. Bryan mentioned these communities might not be everyone’s cup of tea: “there are a lot of nomads who don’t really know what they are doing.”

Second, look at places that are specifically focusing on startups, such as Madeira Their website offers links to coworking places, long-term housing rentals, and other aspects of their support for digital nomads. Yes, the number of people that will be accepted to this program is small, and Americans can’t yet travel there — but it represents an interesting step in the nomad field. Next, don’t forget about your digital entertainment. If you expect your streaming services to deliver the same programming you have gotten in the US you might want to experiment with various VPNs. Also, understand the Covid vaccination program at your destination. Sharon mentioned that her “current plan is to stay in Bermuda through March, return to the US, get vaccinated, then see what options we have. If we aren’t yet able to get vaccinated, we will likely stay in Bermuda until we can. So far as I know we can stay for up to a year.”

Finally, learn about the changes that the EU has in store for its visa requirements in the near future. That could influence how your plans evolve once we are finally out of the pandemic.

Avast blog: Understanding the circle of digital certificate trust

If you recall the scene in Meet the Parents where the characters played by Robert De Niro and Ben Stiller discuss the “circle of trust,” then today’s blog will resonate with understanding of how your own digital circles of trust are constructed. Recently,  Google decided to ban Spanish CA Camerfirma after repeated operational violations. The ban will come into effect with the launch of Chrome version 90, scheduled for release in mid-April. What this means for you, and how digital certificates are used in your daily computing life, are explained in my blog post for Avast here. 

Haters gonna hate: fighting Holocaust deniers across social media

A new report from the Anti-Defamation League has reviewed the stated hate speech policies of nine different social media platforms. Unlike other studies, it also tests their responsiveness to user reports of violations of those policies. The ADL is an organization that has been operating for more than 100 years trolling (literally) these waters. They were specifically interested in how social media propagated posts made by Holocaust deniers across their networks. They scored each platform in terms of intentions and how they performed in terms of preventing hate speech on such issues such as:

  • Did the platform investigate the report and promptly respond (defined as within 24 hours) to the complaint?
  • Do users of each platform understand why it has made a certain content decision based on its stated policies?
  • Did the platform take any actual action once something was reported?

You can see a part of their report card above. Before I get to the grades given for answering these and other questions, I want to talk about my own personal experience with Holocaust denial. About four years ago, my sister and I went to Poland to see the places where our mom’s family came from. One of our cousins did some genealogy research and found an ancestor who lived in a small town in northeast Poland who was a rabbinical judge back in the 1870s. One of the stops on our trip was to visit Auschwitz, and you can read my thoughts about that day here.

One of the exhibits at the site was about the German engineering firm that designed the mass extermination equipment. For years, the copies of the original drawings used to build this gear were kept from public view by the denier network. But eventually they were sold to someone who flipped from being a denier to someone who realized the legitimacy of these plans, and that’s how we were able to finally see them.

Several years ago I attended a lecture by Jan Grabowski, a history professor from Ottawa. He has done extensive research into Polish Holocaust history, despite the current denier political climate where he and his research associates and colleagues have been threatened and in some cases jailed for their work. Grabowski is affiliated with the Polish Center for Holocaust Research in Warsaw which is attempting to find primary source records to document what happened during those dark times. Add to this a recent survey of millennials that found that 56% of the respondents could not even identify what Auschwitz was about.

From these two personal moments, I realize that we need more evidence-based approaches and to disseminate facts rather than fiction or misdirection. That is where the social networks come into play, because they have become the superhighway of these fictions. Let’s not even glorify them by using the term “alternative facts.”

Let’s return to the report card. Sadly, only Twitter and Twitch acted against the Holocaust denial content reported. No network got any A grades across the ADL’s rubric, to no surprise. Twitch, the gaming social network, scored B’s. Twitter and You Tube got C’s. Facebook and others received grades of D.

Based on its research, the ADL has some recommendations:

  • Tech companies must make changes to their products to prioritize users’ safety over engagement and reduce hateful content on their platforms.
  • All the platforms need to do a better job on transparency. They should provide users with more information on how they make their decisions regarding content moderation. This is especially urgent, given the recent decisions to terminate several high-profile accounts.

You can read others at the link above. My final point: yes, censoring hate speech — whether it about the Holocaust or whatever — is destructive to our society. Just look at the mob that swarmed across our Capitol earlier this month. The social networks have to decide whether they can step up to the task. And while it bothers me that we have to censor the most dangerous of hate speakers, we do have to recognize their danger.

Avast blog: How to celebrate Data Protection Day

Today is known as “Data Privacy Day” in the US and in other countries around the world, and the theme chosen by the US National Cybersecurity Alliance for this year’s event is about owning your privacy and respecting others. Somehow it seems fitting, given that we have been under lockdown for most of the past year. In my post for Avast’s blog, I talk about some of the ways you can get better at protecting your privacy. But realize that it is a constant struggle, particularly as you can compromise your privacy from so many places in your digital life. The key takeaway to remember is to watch out for your privacy more than once a year.

What’s up with WhatsApp privacy (Avast blog)

Last month, I wrote about the evolution of Instant Messaging interoperability. Since posting that article, the users of WhatsApp have fled. The company (which has been a subsidiary of Facebook for several years now) gave its users an ultimatum: accept new business data sharing terms or delete their accounts. For some of its billion global users, this was not received well, especially since some of your data would be shared across all of Facebook’s other operations and products. The change was indicated through a pop-up message that requires users to agree to the changes before February 8. The aftermath was swift: tens of millions of users signed up for either Signal or Telegram within hours of the news.

If you are interested in getting more of the details and my thoughts about whether to stay with WhatsApp or switch to Telegram or Signal, you should take a gander over on the Avast blog and read my post.

WhatsApp pushed off the change until May, which was probably wise. There was a lot of bad information about what private data is and isn’t collected by the app and how it is shared with the Facebook mothership. For example: while the change deals with how individuals interact with businesses, Facebook has and will continue to share a lot of your contact data amongst its many properties. What this whole debacle indicates though is how little most of us that use these IM apps every day really understand about how they work and what they share. My Avast blog tracks down the particular data elements in a handy hyperlinked reference chart.

The problem is that to be useful your IM app needs to know your social graph. But some apps — such as Signal — don’t have to know much more than your friends’ phone numbers. Others — such as Facebook Messenger — want to burrow themselves into your digital life. I found this out a few years ago when I got my data dump from Facebook, and that was when I deleted the standalone smartphone app. I still use Messenger from my web browser, which is a poor compromise I know.

Speaking of downloading data, I requested my data privacy report from WhatsApp and a few days later got access. There are a lot of details about specific items, such as my last known IP address, the type of phone I use, a profile picture, and various privacy settings, This report doesn’t include any copies of your IM message content, and was designed to meet the EU GDPR requirements. I would recommend you request and download your own report.

One of the sources that I found doing the research for my blog post was from Consumer Reports that walked me through the process to make WhatsApp more private. You can see the appropriate screen here. Before today, these items were set to “everyone” rather than “my contacts” — there is a third option that turns them off completely. This screen is someplace that I never visited before, despite using WhatsApp for years. It shows you that we have to be vigilant always about our privacy — especially when Facebook is running things — and that there are no simple, single answers.

Never before have we so many choices when it comes to communicating: IM, PSTN, IP telephony and web conferencing. We have shrunk the globe and made it easier to connect pretty much with anywhere and anyone. But the cost is dear: we have made our data accessible to tech companies to use and abuse as they wish.

Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.

Avast blog: It’s time to consider getting a Covid-19 vaccine passport for travel

As the number of people getting vaccinated against Covid-19 rises, it’s time to review the ways that people can prove they have been inoculated when they want to cross international borders. These so-called “vaccine passports” have been in development over the past year and are starting to go through various trials and beta tests. The passports would be used by travelers to supplement their actual national passport and other border-crossing documents as they clear customs and immigration barriers. The goal would be to have your vaccination documented in a way that it could be accepted and understood across different languages and national procedures.

In my blog for Avast, I talk about how these passports (such as the CommonPass open source one being developed above)  could prove to be a solution for travelers crossing borders, but they also come with their own set of challenges