FIR B2B podcast #51: The end of Gawker and where CMOs should spend their budgets

Posted on by
Reply

This week Paul Gillin and I look at six recent stories and how they affect marketing decisions, including the end of Gawker, how Google is changing its algorithms to penalize pop-up mobile ads, a survey out of the Duke business school about expectations on social media marketing, and why many marketers aren’t doing enough to take advantage of LinkedIn’s deeper engagement features. You can listen to the podcast here:

‘I have nothing to hide’ doesn’t mean you are anonymous

Posted on by
2

nothing to hideIn my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.

Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. flash hiding scarfSo essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.

Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.

Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hack into celebrities’ voicemail accounts. They are sued and eventually pay various fines. Eventually, things come to boil in 2011 and others are charged, and one staffer is actually jailed. Testimony reveals that thousands of phones were involved and dozens of staffers had access to the collected information.

Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?

Scene 5. Your online activities are being tracked. One of the stories that I wrote about tracking online fraud recently was how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs and using few browser plug-ins. While any of these factors taken alone might be from a legit user, combined together they almost always indicated a machine used by an attacker.

Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.

Some vendors, such as email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, supporting authentic messages and privacy when it comes to the message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”

So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.

The best tools to predict and manage cloud computing costs

Posted on by
Reply

Cloud pricing can be a frustrating experience. Everything is charged by different metrics. Some of the prices are spelled out, some are hidden behind paywalls or aren’t clear until you get your monthly bill and realize you forgot to turn off an instance that is chewing up your wallet. Some are charged by usage, others by the month.

I look at some of the issues in keeping track of your cloud costs and summarize the numerous services that are currently available. You can read my post on WindowsITpro here.

The debate between privacy and security

Posted on by
Reply

aaaaIt seems as if we are headed for a showdown between privacy and security. I don’t think I have seen a time where there has been more conflict, and more acrimony, than the present day.

Let’s take a look at a few examples.

Earlier this month, the UK’s Telegraph newspaper ran a story that reported the BBC will send out specialized vans to determine if its customers are illegally accessing TV streams without paying a special license to do so. The story was later repudiated by The Register, but not after some sturm und drang across various social media and the BBC made it clear that it wasn’t scooping up traffic on home Wifi networks. That story reminded me of a Google snafu. Between 2007 and 2010, Google Street View cars tapped into the browsing histories, text messages and personal emails of people on unsecured WiFi networks. Street view cars haven’t gotten much love since then. Earlier this summer, an Oakland man was arrested near Google’s Mountain View HQ. He later admitted to bombing other Street View cars earlier this year. He said he did this because he thought Google was watching him, and “that made him upset.” Street View does capture some wacky stuff, and I will leave it to you to dig that up.

But Google isn’t the only place where you can invade someone’s privacy. Take the site Ready or Not. It was developed by UC Berkeley researchers and has an app that can track your physical movements thanks to your phone’s GPS and social media accounts that have location services enabled. You just type in a Twitter ID and you can bring up a map showing where that person has been lately. This is a lesson to turn off those services if you don’t need them: but the problem is many of our apps do require them, so you are left with annoying messages to turn them back on.

Then there was a mother in Houston, Texas who was horrified to learn hackers had compromised her home’s security camera system and put up a live feed of her two daughters’ bedroom online. It turns out one of her daughters accidentally opened up the virtual the door to a group of hackers when she decided to play Minecraft on an unprotected server. It was easy enough for the attackers to identify the IP address of the daughter’s iPad. From there, they made their way to the router and the connected home’s security cameras.

progressiveSometimes the tradeoffs between privacy and security can be a benefit for us. Progressive Insurance sells several billion dollars’ worth of auto insurance over the past several years. Customers agree to place a monitoring device called a Snapshot (pictured) in their cars in exchange for lower premiums. The device beeps when you are speeding or braking hard, and if you are driving after midnight.

aHow about this scarf that can be used to hide your face and other features when you are out on the town and don’t want some flash-wielding paparazzi taking your picture? Its surface and pattern is specially designed to foil the camera’s exposure sensors.

And then several years ago at the royal wedding of Prince William, British police arrested more than 50 protestors. What made this significant was that many of them were arrested before they actually did any acts of civil disobedience, recalling the pre-crime plot lines of the movie and Phil Dick story “Minority Report.” How did the cops locate these miscreants? Using social media posts, of course.

These are just a few examples of where the security/privacy debate is headed. I don’t have any ready answers for how this all going to shake out, but it certainly is going to make for additional conflicts as we struggle with finding the right balance.

EventTracker blog: What is privilege escalation and why should I care?

Posted on by
Reply

A common hacking method is to steal information by first gaining lower-level access to your network. This can happen in a variety of ways: through a print server, via a phished email, or a taking advantage of a remote control program with poor security. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts. That is where the real damage and data theft starts. Given the number of Internet-available servers and reused passwords, this rough outline of attack happens more often than anyone wants to admit, and it can be a very big threat. The good news is that fixing this isn’t very difficult, just requiring diligence and vigilance. It also helps if you have the right protective software, such as what you can purchase from EventTracker, to stop these sorts of “privilege escalation” attacks.

The first thing is in understanding how prevalent this really is, and not bury your hand in the virtual sandbox. Consider the Black Hat 2015 Hacker Survey Report, which was done on behalf of Thycotic last December. The results showed 20% of those surveyed were able to steal privileged account credentials “all the time”. Wow. And what is worse is that three fourths of those surveyed during the conference saw no recent improvements in the security of privileged accounts too. Finally, to be more depressing, only six percent of those surveyed could never find any account information when they penetrated a network

Granted, the survey is somewhat self-serving, since Thycotic (like EventTracker) sells security tools to track and prevent privilege escalation events.

Next, you should understand how the hackers work and what methods they use to penetrate your network. A great play-by-play article can be found here in Admin magazine. The author shows you how a typical hacker can move through your network, gathering information and trying to open various files and find unprotected accounts.  In the sample system used for the article, the author “found a very old kernel, 28 ports open for incoming connections, and 441 packages installed and not updated for a while.” This is certainly very typical.

So what can do you to be more pro-active in this arena? First, if you aren’t using one of these tools start checking them out today. You should certainly have one in your arsenal, and I am not just saying this because I am writing this blog here. They are essential security tools for any enterprise.

Second, clean up your server password portfolio. You want to strengthen privileged accounts and shared administrative access to critical local Windows and Linux servers (Lieberman Software has something called Enterprise Random Password Manager that will do this quite nicely). Any product you use should discover and strengthen all server passwords and then encrypt them and store them in an electronic vault, and will change them as often as your password policies dictate. These types of tools will also report on those resources that are still using their default passwords: a definite no-no and one of the easiest ways that a hacker can gain entry to your network.

An alternative, or an addition to the password cleanup is to use a single sign-on tool that can automate sign ons and strengthen passwords at the same time. There are more than a dozen different tools for this purpose: I reviewed a bunch of them for Network World about a year ago here.

Next, regularly audit your account and access logs to see if anyone has recently become a privileged user. Many security tools will provide this information: the trick is to use them on a regular basis, not once when you first purchase them. Send yourself a reminder if you need the added incentive.

Finally, start thinking like a hacker. Become familiar with tools such as Metasploit and BackTrack that can be used to pry your way into a remote network and see any weaknesses. Known thy enemy!

iBoss blog: Hacking Your Network Through Smart Light Bulbs

Posted on by
Reply

Earlier this year I posted an entry about how the Internet of Things (IoT) can create all sorts of insider threats.  Sadly, this is becoming true faster than anyone has thought. Now connected light fixtures can be compromised, perhaps creating a new punchline to that age-old joke: “How many security managers does it take to screw in a lightbulb?” Only, no one is really laughing. Security researchers at Rapid7 have found nine different vulnerabilities with using the Sylvania Osram Lightify smart bulbs. I talk about which ones of these you should be concerned with if you have these lights in your buildings in my latest blog for iBoss.

SecurityIntelligence blog: Tracking Online Fraud: Check Your Mileage Against Endpoint Data

Posted on by
Reply

A recent Simility blog post detailed how it is tracking online fraud. With the help of a SaaS-based machine learning tool, the company and its beta customers have seen a 50 to 300 percent reduction in fraudulent online transactions. This last January, they looked at 100 different behaviors across 500,000 endpoints scattered around the world. They found more than 10,000 of those devices were compromised, and then looked for patterns of similar behavior. They found seven commonalities, and some of them are surprising.

You can read my blog post on IBM’s SecurityIntelligence.com here.

Looking back at 25 years of the world wide web

Posted on by
2

This week the web has celebrated yet another of its 25th birthdays, and boy does that make me feel old. Like many other great inventions, there are several key dates along the way in its origin story. For example, here is a copy of the original email that Tim Berners-Lee sent back in August 1991, along with an explanation of the context of that message. Steven Vaughan-Nichols has a nice walk down memory lane over at ZDnet here.

Back in 1995, I had some interesting thoughts about those early days of the web as well. This column draws on one that I wrote then, with some current day updates.

I’ve often said that web technology is a lot like radio in the 1920s: station owners are not too sure who is really listening but they are signing up advertisers like crazy, programmers are still feeling around for the best broadcast mechanisms, and standards that are changing fast making for lots of unsure technology that barely works on the best of days. Movies obviously are the metaphor for Java and audio applets and other non-textual additions.

So far, I think the best metaphor for the web is that of a book: something that you’d like to have as a reference source, entertaining when you need it, portable (well, if you tote around a laptop), and so full of information that you would rather leave it on your shelf.

Back in 1995, I was reminded of so-called “electronic books” that were a big deal. One of my favorites then was a 1993 book/disk package called The Electronic Word by Richard Lanham. It is ironically about how computers have changed the face of written communications. The book is my favorite counter-example of on-line books. Lanham is an English professor at UCLA and the book comes with a Hypercard stack that shows both the power of print and how unsatisfactory reading on the screen can be. Prof. Lanham takes you through some of the editing process in the Hypercard version, showing before and after passages that were included in the print version.

But we all don’t want to read stuff on-line, especially dry academic works that contain transcripts of speeches. That is an important design point for webmasters to consider. Many websites are full reference works, and even if we had faster connections to the Internet, we still wouldn’t want to view all that stuff on-screen. Send me a book, or some paper, instead.

aaaSpeaking of eliminating paper, in my column I took a look at what Byte magazine is trying to do with their Virtual Press Room. (The link will take you to a 1996 archive copy, where you can see the beginnings of what others would do later on. As with so many other things, Byte was so far ahead of the curve.)

Byte back then had an intriguing idea of having vendors send their press releases electronically, so editors don’t have to plow through the printed ones. But how about a step further in the interest of saving trees: sending in both the links to the vendor’s own websites and whatever keywords are needed. Years later, I am still asking vendors for key information from their press releases. Some things don’t change, no matter what the technology.

What separates good books from bad is good indexing and great tables of contents. We use both in books to find our way around: the latter more for reference, the former more for determining interest and where to enter its pages. So how many websites have you visited lately that have either, and have done a reasonable job on both? Not many back in 1995, and not many today, sadly. Some things don’t change.

Today we almost take it for granted that numerous enterprise software products have web front-end interfaces, not to mention all the SaaS products that speak native HTML. But back in the mid 1990s, vendors were still struggling with the web interface and trying it on. Cisco had its UniverCD (shown here), which was part CD-ROM and part website. The CD came with a copy of the Mosaic browser so you could look up the latest router firmware and download it online, and when I saw this back in the day I said it was a brilliant use of the two interfaces. Novell (ah, remember them?) had its Market Messenger CD ROM, which also combined the two. There were lots of other book/CD combo packages back then, including Frontier’s Cybersearch product. It had the entire Lycos (a precursor of Google) catalog on CD along with browser and on-ramp tools. Imagine putting the entire index of the Internet on a single CD. Of course, it would be instantly out of date but you can’t fault them for trying.

The reason why vendors combined CDs with the web was because bandwidth was precious and sending images down a dial-up line was painful. (Remember that the first web browser shown at the top of this column was text-only.) If you could off load these images on to a CD, you could have the best of both worlds. At the time, I said that if we wanted to watch movies, we would go to Blockbuster and rent one. Remember Blockbuster? Now we get annoyed if our favorite flick isn’t available to be immediately streamed online.

Yes, the web has come a long ways since its invention, no matter which date you choose to celebrate it. It has been an amazing time to be around and watch its progress, and I count myself lucky that I can use its technology to preserve many of the things that others and I have written about it.

FIR B2B podcast #49: Rich Mironov on how product managers need to work together with marketers

Posted on by
Reply

Paul Gillin and I this week interview Rich Mironov, who has held marketing and product management positions at many silicon valley companies including Tandem (when we called cloud computing “timesharing”), Sybase, Air Magnet and iPass. Rich and I have worked together over the years and he is a very astute guy who understands how enterprise software is made and marketed.

You don’t want to build something that no one wants and as he says, there are no health benefits from joining a gym. And since most users only use a few functions of every product, it is important to focus on the three or four things that really matter about the product.

Listen to our podcast here: