Avast blog: Top MFA myths busted

Today is World Password Day. Ideally, every day you should take some time to improve your password collection, and the best way to do that is to use MFA. But for all of its utility, MFA still has its resisters. If you need some ammunition to fight for its acceptance across your company, we’ll bust a few MFA myths in my latest post for Avast and hopefully help you convince folks to get on board.

What is the online “town square” and how should it work?

The news about Elon Musk’s intended purchase of Twitter has brought about a lot of hooey and hand-wringing. Here are my thoughts. I first listened to a very interesting interview by ex-White House speechwriter Jon Favreau of Renee DiResta, an expert on tech policy at the Stanford Internet Observatory, whom I have quoted numerous times in the past. She makes the case that Elon has a fundamental misunderstanding of what online free speech means, even ignoring the fact that free speech only applies to governments, not companies. Renee amplifies her piece for The Atlantic that she wrote a few weeks ago, saying that Elon is more about attention than freedom (and who knows if his bid will even go through). “Free expression should be a foundational value,” she wrote. She also makes the case that all online social media products moderate their content – and most do so reactively, inconsistently or clumsily, or all three. This includes Truth Social, Gettr and Parler, just to name some of the more notable “free speech” ones. (The hyperlinks will take you to their community guidelines for your future reference.)

Suzanne Nossel, the CEO of the writers’ group PEN America, writes that “Musk will learn the hard way that there is no return to a mythic online Eden where all forms of speech flourish in miraculous harmony.” However, she agrees with him (and others) that our current content moderation methods are deeply flawed. If you haven’t learned the words “shadow banned” (where followers are removed from your social accounts without telling them) or retconned (officially sanctioned revisionist history), you will hear them more often during these discussions.

So what is the solution? DiResta and others penned this piece in SciAm, suggesting that social media companies need to become more transparent. “The only way to understand what is happening on the platforms is for lawmakers and regulators to require social media companies to provide researchers and others access to data on the structures of social media, like platform features and algorithms.” PEN’s Nossel is also for more transparency. She suggests that more moderation is essential to prevent spammers, trolls, and other quackery from taking over social media and that “robust content moderation is here to stay,” especially to try to stem the tide of false positive takedowns of content and users. For example: TikTok restores more than 1M videos each month after initially removing them for violations. Of course, they allow millions more to be posted to their site. But still, that is an awful lot of content to judge.

I think there is a bigger question that many of the commentators aren’t really addressing: do we really want an online town square? The comparison doesn’t really work when millions of people are shouting to be heard, or in places in the world that are under the grip of authoritarians. It very quickly devolves from the marketplace of ideas to mob rule. DiResta spoke about the “high harm areas of online that are worth moderating,” which is a good way to look at this, especially given the absence of facts being spewed there and how they are amplified and become part of the conversation offline.

Avast blog: The U.S. government wants to expand the use of social media for visa vetting

For the past several years, millions of foreign visitors and potential immigrants entering the US have divulged the contents of their social media accounts to the US Department of Homeland Security (DHS). This requirement is part of the Visa Lifecycle Vetting Initiative (VLVI) that began in 2014 and was expanded in 2019.

You can read more about the evolution and dangers of this program in my post for Avast’s blog here.

Avast blog: Obama on strengthening our democracy and reforming social media

Last week, Barack Obama delivered a keynote address at an event, “Challenges to Democracy in the Digital Information Realm”, co-hosted by The Stanford Cyber Policy Center and the Obama Foundation. He discussed the role of government in online technologies, the relationship between democracy and tech companies, and the role of digital media to elevate authoritarian rulers. He touched on the point that we all now occupy entirely different media realities that are fed directly into our “personal information bubbles” of our smartphones.

You can read my post for Avast’s blog here to see what else he had to say to this audience and what he recommends we do to fix social media to make it better for democracy.

CSOonline: How to choose the best VPN for security and privacy

Enterprise choices for virtual private networks (VPNs) used to be so simple. You had to choose between two protocols and a small number of suppliers. Those days are gone. Thanks to the pandemic, we have more remote workers than ever, and they need more sophisticated protection. And as the war in Ukraine continues, more people are turning to VPNs to get around blocks imposed by Russia and other authoritarian governments.

A VPN is still useful and perhaps essential to a modern mostly remote workplace. In this post for CSO, I describe these scenarios, what security researchers have found about how VPNs leak data or have other privacy issues, and what you should look for if you intend to deploy them across your enterprise.

FIR B2B podcast episode #156: Time to talk about the Twitter

Paul and I have been on Twitter for 15 years. While we were some of the first business tech journalists to use it, we have also spent a considerable amount of time investing in the care and cultivation of our accounts, and Paul has written several books about social media marketing. Even before the circus called Elon came to the Twittersphere, we had planned to devote a podcast to discussing whether Twitter can thrive in the era of constant outrage or whether it is destined to be another Myspace.

A couple of interesting sources informed this discussion, including Jon Favreau’s interview with Twitter co-founder Ev Williams, in which Williams recounts some of the early decisions that drove Twitter’s architecture and news orientation. There was also this piece by Jonathan Haidt in the Atlantic on how the past decade of our lives has been influenced by social media, and especially how the retweet function has driven misinformation and disinformation. Haidt believes social media has weakened the intrinsic trust that we place in each other.

While Elon’s dreams of a truly open source and “inclusive arena for free speech” might be taking Twitter down the wrong path, there are still many reasons for B2B marketers to use the network as long as they are authentic, can stick to their knitting and promote longer forms of content such as blogs and, yes, podcasts and videos. Just remember to stay in your swim lane.

You can listen to our 17-minute podcast here:

Avast blog: Introducing important changes to credit card data security standards

The Payment Card Industry Data Security Standards (PCI DSS) organization has made a series of updates to its standards with its latest version 4.0. It contains several important improvements; perhaps the most important change is the expansion of encryption and MFA requirements to protect all accounts that have access to cardholder data. I describe these developments in my post for Avast’s blog here.


More on the Pegasus Project

Since I last wrote about the NSO Group’s Pegasus mobile spyware last summer, there have been several new developments that show just how insidious the software is and how pervasive its use around the world.

Pegasus can be placed directly onto a target’s smartphone without any user interaction and can then start tracking a phone’s location and operations. Last year a consortium of journalists revealed who was using the spyware after doing extensive forensic research on dozens of phones. This resulted in the US Commerce Department putting NSO on a block list, the DoJ beginning investigations and Apple suing the company. Then we saw two developments from last December: first, Apple notified a number of US State Department employees in Uganda that their phones had been hacked. And Pegasus was found to have been used to track Jamal Khashoggi, and residue was found on one of his wives’ phones.

There were other reports that the FBI had tried out Pegasus but didn’t actively use it, or at least not that anyone could prove, and that a security researcher had decompiled several code samples and documentation.

Just recently, the Citizen Lab — one of the research groups involved in last summer’s project — found more cases of Pegasus used on dozens of Catalan phones, probably at the direction of various government entities in Spain. One of the researchers found a previously unknown iOS zero-click exploit. The more we find out about Pegasus, the more I am convinced this tool spells trouble.

Again, I want to emphasize that your chances of getting infected with Pegasus are very, very low. But it does seem to crop up frequently enough, and now in places where you would not expect it, since they are free, democratic countries. NSO representatives continue to maintain that they carefully vet their potential customers and say their software is intended to investigate terrorists and potential criminals. But given that its residue has been found on the phones of political figures, journalists and human rights workers, I wonder how careful this vetting process really is.

Aiding Ukraine in the modern web era

I want to tell you two stories to counterbalance the seemingly endless ones about the horrors of war we have seen coming from Ukraine. I am doing this not to blunt the tragedies that millions have experienced and are continuing to experience, but to show you that there are many people who have taken action and done something to help others. I am sure there are many other stories of hope and would urge you to share them here if you feel so inclined.

The first story is about a group of hundreds of librarians and others who have banded together with the sole purpose of Saving Ukrainian Cultural Heritage Online, which coincidentally is their actual name. They have saved more than 25TB of scanned documents, artworks and many other digital materials from thousands of websites of Ukrainian museums, libraries and other archives. The group was founded by a few dedicated individuals such as Anna Kijas, a music librarian at Tufts University, who saw a looming disaster in February as the country’s buildings were being systematically bombed out of existence, and began making digital copies of various archives. She was joined by Quinn Dombrowski, an academic technology specialist at Stanford University, and Sebastian Majstorovic, a digital historian based in Vienna.

You might think that the Internet Archive’s Wayback Machine already does this, but it doesn’t crawl very deeply. For my own website, many of the saved copies just include the home page or one or two other pages. The team harnessed a couple of other web scraping tools and began searching Google Maps to go literally block by block to find physical museum collections. They developed workflows and scripts and distributed them via a Slack channel and shared documents to keep things organized.

My second story concerns the video channel Yes Theory. This is a group of three guys who have traveled together for several years making very entertaining and sometimes meaningful videos. The trio combined forces with Adventurers for Change and have raised more than half a million euros from 8,000 contributors to support Ukrainian refugees. Their video describes how they set up offices at a co-working space in Warsaw to coordinate their volunteers, who came from all over the world to help them purchase basic staples and get them to the Ukrainian border. The group began operations at the end of February.

What these two stories have in common is a ground-up organization that wouldn’t have been possible in the pre-web era. Using email lists, messaging groups, social networks, crowdfunding and other tools, they not only got their message out and recruited volunteers but were able to keep overhead costs low and be on the ground helping people almost immediately. Both relied on existing channels and groups that had formed for other purposes, rather than tapping into existing relief efforts such as Doctors Without Borders or various UN-backed programs. Both did more than just ask for money: they had to develop their infrastructure quickly and figure out the daunting logistics to put everything in place. When you think about all the ways that technology is being used for evil purposes, it is great to read about these two efforts.