AMD and Supermicro have asked me to help them build this new website that focuses on higher-end computing services. Topics include building computing clusters, taking advantage of GPUs to increase capacity and performance, and highlighting various case studies where this equipment plays a key role, such as with scientific computing and for academic research.
I talk about passkeys: what they are, how they work, and how they can be used to protect your identity and your logins. This is with Shaun St. Hill’s Tech and Main podcast. And I also get to tell a story about erector sets too.
If you didn’t attend the RSA conference this year, you might have missed this presentation about a rather interesting application of codes and ciphers. I call it the Goldberg variations, and those of you that are musically inclined might get the references in my post’s title.
The band members knew that their bags would be searched, because let’s face it, in 1985 the USSR wasn’t high on the tourist trail and travel blogging hadn’t yet been invented as a profession. Goldberg came up with a very clever coding scheme that used musical notation to document her efforts, and smuggle information out of the country to help the dissidents eventually escape. Musical note names span the letters A to G, so Goldberg assigned the remaining letters of the alphabet to notes in the 12-tone chromatic scale using sharps and flats. She used other notations to make her music look more like music to pass casual inspection.
When the band arrived in Moscow, they were detained. Goldberg describes how one customs official went through her music book sheet by sheet. The coded messages were disguised as separate compositions. If you could sight-read music, you would very quickly figure out that the notes didn’t make much sense — perhaps if you were a Philip Glass fan you might think this is more modern music. Anyway, her steganography worked and the band was able to enter the country, play their music, and identify the dissidents and complete their mission. The trip wasn’t without drama: the Americans were tailed by the KGB and eventually expelled, as documented in this news clipping:
Music “is a way to find space when you’re dealing with bad guys and bad things gives you that energy inside your brain,” she said at the conference. I find it an interesting story, and glad Goldberg was around to remind us that EGBDF is an important acronym for more than musical notation.
If you enjoyed this little moment of history, you might want to take in a documentary that will air next month on PBS about the life of Elizebeth Friedman. She literally paved the way for the modern era of codes and ciphers nearly 100 years ago, and a skit featuring actors portraying her and her husband I believe was presented at RSA’s 2005 conference.
Peiter “Mudge” Zatko worked to improve Twitter’s security posture during 2021 directly for Jack Dorsey. Last month he sent a 200+-page complaint uncovering many of its internal security bad practices. The document was widely distributed around various DC agencies, including the FTC, the SEC, the DoJ. A redacted version was also sent to Congress. This smaller document was shared with the Washington Post and made public online. You can watch his interview with CNN’s Donie O’Sullivan here.
Mudge was fired in January 2022 for poor performance and ineffective leadership. Which seems suspect just from that wording, and what I know about his level of professionalism, knowledge and sincerity. (Mudge was one of the L0pht hackers who famously testified before Congress in 1998, a story that I covered for IBM’s blog here.) Yet, I am not sure why it took many months before he circulated his document and obtained legal protection. Whether you agree with Mudge or not, the complaints make an interesting outline of what not to do to provide the best possible internal security.
Excessive access rights. Mudge said too many of Twitter’s staffers (he claimed about half of total staff) had access to sensitive information. Twitter had more than 40 security incidents in 2020 and 60 in 2021, most of which were related to poor access controls. Its production environment was accessible to everyone and not properly logged. This isn’t anything new: Twitter was hacked by a teen back in 2020 through a simple social engineering trick. Inappropriate access control is a very common problem, and an entire class of privilege access management tools has grown up that can be used to audit permissions.
Poor board communication of security posture. Mudge alleges that his research wasn’t properly communicated to Twitter’s board of directors as early as February 2021 and was told to prepare other documents that were “false and misleading” to the board’s risk committee. The proportion of incidents attributed to access control failures was also misrepresented to the board.
Poor compliance regimens. Security issues were brought up to compliance officials during Mudge’s tenure. But only after he was fired did he hear from these officials, which is documented in the complaint. Compliance is a two-headed process: you need to first figure out what private data you collect, and then ensure that it is properly protected. It appears Twitter did neither of these things and did them over a period of many years, creating what Mudge called “long overdue security and privacy challenges.” Mudge documented that Twitter never was in compliance with a 2011 FTC consent decree to fix handling private data, document internal systems and develop an appropriate software development plan. He also stated that the progress of all of these elements were misrepresented to both the board and FTC in subsequent filings.
Sloppy offboarding. Do you terminate access rights when employees leave? Twitter didn’t: A software engineer demonstrated that 18 months after his departure, he was still able to access code repositories on GitHub. When this was made public, his access was only then removed.
Where are the bots? An entire section of Mudge’s report is devoted to “lying about bots to Elon Musk.” Note the timing of this: Mudge was fired months before Musk began his mission to acquire the company. Mudge claims Twitter provided false and misleading information to Musk, saying they couldn’t accurately report on the number of bots on their platform, and citing various SEC reporting requirements. Mudge’s claim was if this number was ever measured properly, it would harm Twitter’s image and stock valuation. Twitter executives also received bonuses not for cutting spam and bots but for growing user numbers.
Lack of updated systems. Half of the staff PCs had disabled software and security updates and patching on their systems, such as endpoint firewalls or enabling remote desktop software. This is also a common problem, and Twitter had no corporate view of the security posture across its computer population. Nor was this situation ever properly communicated to Twitter’s board, who were originally told that 92% of the PCs were secured.
Lack of any insider threat detection or response. Mudge discovered that more than 1,500 daily failed logins were never investigated. Many employees had copies of data from production systems. Both are wide open invitations for hackers to compromise their systems.
Lack of any backup regimen. No employee PCs were ever backed up. At one point, Twitter had implemented a backup system, but it was never tested and didn’t work properly.
Twitter has claimed they have made security improvements since Mudge left the company. Mudge points out this blog post from September 2020 (during his tenure at Twitter) co-written by CEO Parag Agrawal, as filled with false claims that his document goes through at length to illuminate. Clearly, from what I know Twitter has a long way to go to improve their security practice. Hopefully, some of the items mentioned above are under control in your own business.
Mudge testifies before the Senate Judiciary Cmte. today, watch the stream.
In the last couple of weeks I have seen business relationships sour over bad software security. The two examples I want to put forward for discussion are:
Both breaches had larger consequences. In Digital Ocean’s case, the lack of MailChimp’s response (which was two days) was one of the reasons for switching list serve providers. Signal had 1900 customer accounts that were at risk and is still using Twilio. Twilio’s breach response has also been criticized in this blog post, and the breach has spilled over elsewhere: Cloudfare announced that 76 of their employees had experienced a similar attack in the same time frame but didn’t fall for it.
What is happening here is a warning sign for every business. This isn’t just a software supply chain issue but a more subtle situation about how you use someone’s software tools in your daily operations. And if basic services are at risk, such as mailing lists and phone number verifications, what about things that are more complex that are part of your software stack?
Here are a few tips. If you use Signal, go to your phone to Signal Settings > Account > Registration Lock and make sure it is enabled. This will prevent these kinds of compromises in the future. Also update your phone to the latest Signal version too. Take a moment to explore other third party software providers and ensure that your APIs have been set up with the most secure authentication options possible. This includes cloud storage containers: the latest cloud-native security report from Sysdig found that 73% of cloud accounts contained exposed Amazon S3 buckets with no authentication whatsoever.
We recently learned about major security breaches at two tech companies, Twilio and Slack. The manner in which these two organizations responded is instructive, and since both of them published statements explaining what happened, it’s interesting to observe the differences in their communication, along with some lessons learned for your own breach planning and response. You can read more about the situations in my latest blog post for Avast.
(revised 6/28/24) This post originated with some online discussions with my freelancer peers on keeping track of your clips or portfolio spurred me to do further research. There are six major providers that I know of, broken into two rough categories. I have provided links to my own sites in the case of the free providers, and showcase those who have paid for their sites.
Those that are mostly about the clips:
How each site maintains the clips is important. Authory actually scraps the original website and archives your piece in its own database, where it claims it maintains it forever, or at least at long as they will be in business, as long as you pay your monthly fee. If you want a free site, you get 10 clips max. The other two sites just have a link to the original site, which means if the site changes its links or goes dark, you have nothing to show for it.
Those that offer a bunch of other features besides tracking your clips:
I went overboard with my page in Contently, putting more than 500 article links together. I think they have the best of the three systems. Not sure that after you have more than 25 stories in your portfolio if it really matters and then you still have to weed out the dead links manually. I was into them early on, when they offered a decent wage (defined as >$1/word). They mostly offer much, much less. An inquiry from an assignment editor for this rate resulted in no real response back from the actual client, so consider that before you invest much time here.
I was also early into Skyword, and they have suffered much the same fate as Contently, including moving to the cheap side of the fee structure. So steer clear if you can. It also deleted my portfolio. You are paid exclusively via PayPal, (and paid with a two or three-week delay) which is an issue for me since I deleted my account years ago and don’t want to start a new one now.
MB has a bunch of different services, including a database of FL opps, a page of links to your published work (which you have to manually construct), links to various editorial mastheads and edit cals, tons of online courses (such as fact checking for journalists, essential digital journalism skills, and building your brand voice), and ways to build your career. You can sign up for a 14-day trial. Here is Esther Shein’s site. She told me that like Contently and Skyword, she got a lot of business early on but now uses it mostly for maintaining her clips.
My recommendations? First, if you haven’t built a portfolio page somewhere online, now is the time to get started. Take a couple of days, find 10 (or whatever) of your best pieces, and just collect the URLs (if they are still online) or construct a page of PDFs (if not, if you can reconstruct them somehow). Find some images that would be relevant to attach each piece, and decide how you are going to present yourself. Dan Dern has a lot of comments about different ways to do this that could be helpful if not overwhelming.
Besides the vendors mentioned above, you have a few other choices. I still recommend you set up your own clips website outside of these systems for complete control (I use my own hosted WordPress for this: blog.strom.com, and a mailing list hosted using mailman.) You also can construct various LinkedIn pages that showcase your work.
Second, if you want to maintain a historical and automatic archive of your work, look at either MuckRack or Authory. The other four require you to manually enter your piece, which wears thin after the initial effort to get things setup. MuckRack is free, it mostly will find your bylined pieces (there doesn’t seem to be any method to what gets found and what doesn’t), and you don’t have to do anything once you set up your page. Authority will cost you, and you have to tell them what pub to look for your stuff, but then they collect the piece and preserve it forever, even if the pub moves or deletes your cheese (that is a problem for the other four providers, where you have to manually maintain the links). Todd Weiss’ Authority page can be found here for reference. I found it erred on the side of including things that weren’t my bylines, so there is a fair amount of editing involved after it collects your clips. Also, both Authory and MuckRack will connect to your social feeds and display what you post there. Here is the analytics from Authory as an example.
Another use for these providers is to track who views your purple prose. Contently, Skyword, and MediaBistro don’t have any. The other three have some — MuckRack has the best analytics, Clippings.me integrates with Google Analytics, and Authory has some data as shown above.
Finally, and I can’t emphasize enough, this effort for building a portfolio should be complemented by constructing and regularly writing an email newsletter. (Authory has a built-in newsletter feature that I didn’t test.) That is the single best thing that I ever did to build my business, and continues to pay dividends 30 or so years later.
I first met Dave Piscitello in the late 1990s when we served together on the Interop+Networld conference program committee, and collaborated on several consulting reports. He went on to create his own conference on internet security that ran from 1997-2000, then went on to work on security for ICANN until 2018. He serves on several international do-gooder infosec boards and is part of a consultancy called the Cybercrime Information Center that produces some very excellent reports on the state of malware, phishing, and domain name abuses. The most current report is on phishing, which shows that monthly attacks have doubled since May 2020. What makes his report powerful is that includes data from four commercial information sources, which collected more than a million unique attacks and publish their own blocklists. I wrote about his work and the state of phishing for my latest Avast blog here.
Mobile payment apps can be a convenient way to send and receive money using your smartphone or smartwatch. Paying for items this way has never been easier, thanks to the availability of numerous mobile payment apps, better payment terminal infrastructure, and wider support for Bluetooth/near-field communication (NFC) contactless credit cards by American issuers. The coronavirus pandemic has also helped to make contactless “everything” more compelling. I tested out five different mobile payment apps: Apple Pay, Google Pay, Samsung Pay, Venmo (by PayPal) and Cash App (by Block, formerly Square) recently, and wrote my review for CNN/Underscored here.
Interest in multi-factor authentication (MFA) has risen in the past few years, spurred by the increasing frequency and severity of data breaches and destructive attacks. When Covid-19 happened, ransomware actors proliferated. Recently, MFA has received a boost from various supporters, including Google, the US federal government, GitHub and Microsoft. When evaluating the various MFA products and technologies on the market today, it’s important to understand the tradeoffs in security, scalability and usability inherent in each option. Additionally, it can be helpful to understand your available choices in the context of how MFA has developed over time.
In this ebook I co-authored with Evan Krueger, the engineering manager of Token, we track the evolution of MFA, the work of the FIDO Alliance to bring the industry together and provide new authentication standards, and some suggestions on how to choose the right MFA technology that you carry with you, that understands your biometrics, and can be married to your identity without any operator intervention. Ransomware and data theft are only increasing in severity. It’s time for the defenders to up their game as well.