Book review: Ahead of the Game

As someone deeply steeped in the tech industry, I am embarrassed to admit that reading Ahead of the Game by Kevin Ryan (a business tech reporter) is the first time I have heard of Delane Parnell and his rise to run one of the most successful startups of the modern era. His company, PlayVS, has grown into an eSports powerhouse, and Parnell’s origin story is told with lots of verve and interest in this book.

Parnell showed early signs that he was going to be a great business leader. As a teenager, he leveraged his way from working in a cell phone store to becoming a partner and owning several of them in his native Detroit.

When he raised his first venture round, it was the third largest such round ever raised by a Black-owned business. PlayVS was responsible for recruiting thousands of high school gamers to participate in the first ever varsity-level gaming contests, with almost half of the players being in their first after-school activity ever. The story shows the numerous obstacles that the venture capital world — like the rest of society — places on successful Black entrepreneurs and how Parnell managed to overcome them to build his company. For all potential entrepreneurs, this is a must-read book.

My former boss Jason Calacanis interviewed Parnell at the beginning of the Covid pandemic in April 2020 on This Week in Startups. If you don’t want to read the book, you can watch the interview, where Parnell talks about going to Jason’s Launch event as a teenager and getting inspired by the conference and meeting other startups.

CSOonline: how to run an effective red/blue team exercise

In the arsenal of cybersecurity defenses is the series of exercises that go by the name of red team/blue team simulated attack. These simulations are purposely designed to closely mimic actual real-world conditions. For example, one of the red team members would take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.

In this piece for CSOonline, I discuss the difference between the various colored designations, why you would want to conduct these exercises, and some recommended steps to take to pull this off.

Linode has published an excellent series of red team exercises that is worth looking at.

The latest skirmish in the PR/journalist fight: ghosting each other

Some of you might know about Cision as the company that currently operates PR Newswire (where vendors can post press releases). But they also maintain a database of press contacts with their beats and contact preferences. I have been on this list for decades, and periodically they ask me to update my data. Last week they asked me to participate in their latest survey that will form the basis of their “Global State of the Media” report. I gladly filled it out. One of the questions was: “What would make you block a PR person or put them on the ‘do not call’ list?”

Now, I sharpened my virtual pencil and got ready to dish. I have noticed a notable degradation in the quality of PR responses to my own queries. In a recent story for CSOonline on email security suites, four of the vendors (out of 13 initially contacted) didn’t even respond.

Anyway, to answer the question, you were presented with lots of situations. I checked the following:

Last-minute cancellation, spamming irrelevant pitches, repeated follow-ups (more on that in a moment), broken embargo promises, failure to respond within my deadline and lack of transparency. All of these I have experienced since 1987 when I first began writing for PC Week as a tech reporter. Repeated follow-ups are a thing, and one of the subsequent questions from Cision was how many follow-ups is too many? (That’s easy. My answer: anything greater than zero. Assume no answer means no interest.)

I probably could have checked the others, but restrained myself:

Brochure-ware sounding pitches, inaccurate information (this is the only product that does X), calling me by my wrong name (making botched mail-merges obvious) and unsolicited social media pitches.

I will give you an example of the “this is the only product” sort of email that I periodically get, this one taken from recent correspondence where company X was defined as “the only company that unifies identity proofing and passwordless authentication.” I replied: You could say the same thing about half a dozen companies right now, depending on how you define “ID proofing” or “passwordless” or even “authentication.” HYPR, Auth0, Secret Double Octopus, Trusona, Iovation’s TruValidate (maybe, but they didn’t respond to my queries), Cisco/Duo, and many that are part of the FIDO Alliance all could fall into this category. All of these vendors do identity validation beyond the “typical” multi-factor authentication mechanisms. My PR contact said, “Getting people to understand that identity and authentication are two different things is why account compromise attacks are so rampant.” Very true, dat.

Now, that was a nice discussion with this PR person, whom I have known for at least 15 years, and probably longer. He is genuinely good at his job, which is why we could have this back-and-forth discussion and not just hit the eject button to ghost each other.

As I have already hinted at, one of the preset responses that wasn’t included in the Cision survey was being unresponsive to my own queries. I am amazed at how many PR people (or at least their press@company.com email address) don’t respond to a direct question about their products. What, they are too busy? One of the challenges of having this group email box is that it relieves everyone from any actual responsibility to follow up. The generally accepted reply time period is the same business day. Often, I have to send a second email, or try to track down a real person’s phone number, in search of an answer. You would think that a live press query would move the massive PR machine like a tsunami moving across the ocean, but in a good way I hope.

This isn’t new, sad to say. Around the virtual water-cooler that my fellow tech reporters frequent, the complaints about badly behaving PR folks are an evergreen topic. Some people do abuse their contact lists, to be sure. Given that the supply of freshly minted comms undergrads continues (my daughter is one of them, ahem), there will always be inexperienced PR folks to train and to learn the ways of the world. Back in the late 1980s, the incoming tray of the PC Week fax machine would be filled to overflowing with unsolicited pitches. Now we just have our inbox, plus all of our social media accounts to deal with. I am not sure that is an improvement.

Let’s talk about that hallowed ground, the reporter’s email inbox, for a moment. Some people are offended by receiving a single email: I guess the effort involved in placing your middle finger on the delete key is too much. Certainly, this is more effort than tossing a bunch of faxed pages into the nearby trash. But I try not to get too worked up about my overflowing inbox. Yes, if I am out of the office (where else am I going to be these days, anyway?) for any extended period of time the emails do pile up.

Should we ghost each other? I don’t know, but notice how I phrased that question. It has to be a two-way street. Should there be allowable offenses, or red lines that we can’t cross? Perhaps. Cision does try to indicate the preferred contact mechanism (hint: for me, it is email). One good thing about the modern era is that I almost never get a telephone pitch call, something that was common c. 1989. But let’s hope we can treat each other with respect. We are in this together.

Book review: A biography of the Pixel by Alvy Ray Smith

Alvy Ray Smith played a key role in creating a great deal of digital graphics content over the decades he worked at Lucasfilm and Pixar, and this book is a tour de force and a tour of the people, places, technologies, and companies that played key roles in these creations. The book, A Biography of the Pixel, serves to correct the historical record about how the early digital computers and computer graphics software came to be and also provides the links between these early efforts — some of which might be well-known to you and some won’t be — and how different (almost always) men stood on each other’s shoulders to get us to where we are today. The illustrations are genius and help to explain his points in the evolutionary cycles of the Fourier series, Kotelnikov’s sampling equations, and Turing’s computational efforts, how computers and digital animation worked hand-in-hand, and the great digital convergence that we know and love today and celebrate what Smith calls Digital Light. You don’t have to know any math to find his explanations lucid and indeed, delightful. These innovators not only had a great scientific idea but drove technology into a fruitful application, while finding powerful supporters to help promote them. Along the way, you’ll see some old myths busted that digital can fully represent analog pictures and sound and how computers don’t have to be electronic numerical calculators — instead, they have become the most “malleable tool ever invented by humankind.”

I realize that a 500+ page book is a big commitment. I would start by reading the Finale chapter, which is a neat summary of all that Smith has presented in one cogent narrative. That should whet your appetite to want to dive into the entire epic journey.

Is it time to consider web v3?

I am not so sure. For those of you keeping score at home, web v1 was the early days where we had web servers delivering static pages of mostly text, starting in the early 1990s and lasting until about 2003 or 2004. The next version was the dynamic web where we created our own content, and where we freely gave away our privacy and data so that we could post cat memes and dance videos to the now giants of Facebook/Apple/Amazon/Netflix/Google, otherwise called FAANG. (Facebook and Google have renamed themselves, but the acronym has stuck.)

But now it is time for a new iteration, and v3 attempts to create a more egalitarian internet, protected by encrypted tokens that can keep everyone’s identity and data private and secure. Say what? At least, that is the plan.

Whether or not you agree with this vision, it has largely been unrealized. Yes, there is a Web 3 Foundation, and you can see at that link a very complex tech stack that will consist of multiple protocol layers, much still TBD. For those of us who cut our teeth on HTML, CSS, and HTTPS, these protocols are pretty much unknown.

Scott Carey writes in Infoworld summing things up this way: “To access most Web3 applications, users will need a crypto wallet, most likely a new browser, an understanding of a whole new world of terminology, and a willingness to pay the volatile gas fees required to perform actions on the Ethereum blockchain. Those are significant barriers to entry for the average internet user.” I’ll say. If you have never had a crypto wallet, never used Rust or Solidity and don’t know what a gas fee is, you need to go to web3 study hall. You may not understand the tech behind it — I don’t fully understand all of these items — but that is the point. The decentralized web is being built on a series of protocols and there are a lot of gaps.

But let’s put aside all the new tech and answer a few basic questions.

What is the role of clients and servers? One of the first things you come to is needing to understand the difference between clients and servers. In the web1 and web2 worlds, there were browsers, and there were various servers (web, database, applications, payments, and so forth). It was a pretty clean separation of powers. Some of us were happy to never touch any kind of server, something that leads off Moxie Marlinspike’s “first impressions” blog post. I don’t agree with this position. I have been running my own web server for more than 25 years. I wouldn’t have it any other way. I like being “master of my domain” (which is more than just running my own server, such as being able to move it from one place to another across the internet, which I had to do last year when my ISP went out of business).

I think what Moxie meant to say is that most people don’t like configuring and maintaining their own servers. But that is why we have ISPs.

But look at the tech stack that we are promised with web3: that is a lot of tech to deal with. If we had resistance to configuring HTML and HTTP, imagine how much pain we will face when all this new stuff comes to fruition.

Lance Ulanoff writes that the vision for web3 is “more a combination of edgy new technology and a reaction to centralized control.” He goes on to discuss some of the early descriptions before the web3 term came into the popular lexicon, such as the semantic web that was tossed around back in 2006. He describes web3 being when we can control our interactions and have a universal identity across all systems. That’s nice, but so much of the current vision about web3 doesn’t really fill in the blanks about how this control will happen or how we can create these universal identities. Moxie says that we need to use cryptography rather than infrastructure to distribute trust. I completely agree. Ignoring the trust issues is dangerous — look how long it has taken us to resolve email trust issues, and those protocols were created decades ago.

But how this infrastructure plays out brings us to my next question:

What is the role of peer-to-peer (p2p) technology? Remember Napster and peer file sharing of music and videos? Back then (roughly 2000-2005), everyone was digitizing their CDs, or stealing music from others, or both. Napster and LimeWire and the other apps created peer file servers on your hard disk, and you then shared your digitized content with the world. Sharing wasn’t caring, and lawsuits ensued. Now we just pay Netflix et al. and stream the content when we want to listen or watch something. Who needs possession of the actual bits?

But see what has happened here: we went from this idealized p2p world to today where just a few centralized businesses (like FAANG) run the show. This could be the fate of web3, and all this talk about a decentralized, egalitarian web could fall apart. Today’s crypto/NFT world depends on just a few centralized service providers, and the distinction between client and server in a fully decentralized p2p blockchain isn’t all that clear, as one of the Ethereum founders, Vitalik Buterin, points out. He says that there are various gaps in web3 which are bridged by the various API suppliers, such as Infura and OpenSea. The issue that Moxie has is that many NFT and crypto advocates have just accepted the role of these API vendors without much thought about the implications. Moxie is worried that these vendors have a lot of control over things, and that there is the potential for the decentralized web3 to turn into a less efficient and less private version of today’s internet. Think of one nightmare scenario, where Facebook (or one of the other giants) has its own web3 servers, APIs, and alt-coins. The horror!

But you think crypto is cool, and there is money to be made. Now we get to the real meat of the matter. Forget about a more equal internet and singing kumbaya off into the sunset. Let’s talk about how high the various alt-coins are trading at – or not, depending on when you entered the market. Remember the internet bubble of 1999-2000, when domains were being bought and sold on little more than a pitch deck? That was Gold Rush v1, and all you had to do to participate was to buy a domain and flip it. (I am guilty of this, but I didn’t buy my domain to flip it. I just got lucky.) You could argue that all you need now is to hold a basket of crypto coins — as some of you have done. But look at all the knowledge you have to collect to participate in this gold rush. Nevertheless, there is some cool stuff that is being built, as this blogger documents. This post basically rebuts a few of Moxie’s complaints while making Moxie’s point that this is very early stuff.

So go cautiously into the web3 night, and good luck learning about all the requisite tech that will be needed. And for those of you complaining about the decentralized and private web of the future, you might want to spend some time doing the basic blocking and tackling and eliminating duplicate passwords and implementing MFA logins now, because you’ll need something like them to get on the blockchain train. Or at least protect all those crypto funds in your wallet from being lost or stolen.

Avast blog: Beware of a new and dangerous RDP exploit

The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft. Given that all versions of Windows for the past 10 years – for both desktop and server – need to be patched, you should put this on your priority list, especially since this new problem can be easily exploited. In my latest post for Avast’s blog, I describe what this new challenge is about and ways that you can minimize any potential exploits.

TheVerge: Ways to securely share files in the cloud

The Verge has put together a solid collection of articles on how to deal with the not-so-new realities of working from home. They had me write a piece on how to share your work files, and you can read it here. The days when we were all connected to the same shared drive or local network folder are now quaint memories. But sharing files today takes some careful planning, particularly if you want to do so as securely as possible.

In my article, I cover the various methods that are available, from sharing a file attached to an email or instant message to using public cloud services like Dropbox to using Google Workspace and Microsoft OneDrive. But the best solution is a group of business-related cloud services that I summarize in this chart.

Vendor            Monthly pricing            Max. file upload         Free trial period   Application integration
Egnyte            $20/user                   100 GB                   15 days             Extensive
SecureDocs        $250 for unlimited users   Unlimited                14 days             Limited
ShareFile/Citrix  $50 for unlimited users    100 GB                   30 days             Extensive
SugarSync         $55 for 3 users            300 GB for web clients   30 days             Limited

Avast blog: Introducing a business guide to tackle credential stuffing attacks

One of the biggest threats facing both large and small businesses alike goes by the moniker credential stuffing. In these attacks, the bad guys count on our reuse of passwords across two or more logins, and once they find a username/password pair that works, they try to use that information to break into our other accounts. Akamai, in its latest State of the Internet report, says that it has seen over 193 billion credential stuffing attacks in 2020. These attacks can cost billions of dollars annually, when adding up the cost of remediating the problem, handling all the user calls for password resets, and changing other operations. The office of New York Attorney General Letitia James has found thousands of posts containing login credentials that had been tested in credential stuffing attacks. In order to combat credential stuffing attacks, James’ office recently released a business guide.

You can read more about ways to fight credential stuffing attacks in my latest post for Avast’s blog here.
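The defender-side signature of the attack described above is a single source replaying many different usernames with mostly failed logins, which looks nothing like one person mistyping their own password. The following is an added example (not code from the page, from Avast, or from the NY AG guide) that runs that check over a constructed login log; the five-minute window and the thresholds are assumptions to tune per site.

```python
"""Spot credential-stuffing patterns in login logs (added example).

A stuffing source replays leaked username/password pairs, so one source IP
tries MANY DISTINCT usernames with mostly failures, whereas a real user who
mistypes a password retries the SAME username. The window and thresholds
below are assumptions, not values recommended by the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): "<ISO timestamp> <src ip> <user> <OK|FAIL>"
# 203.0.113.7 walks a leaked list and hits one valid pair (erin);
# 198.51.100.9 is one user fat-fingering a password;
# 192.0.2.5 is a shared office NAT where five people log in successfully.
SAMPLE_LOG = """\
2021-01-10T09:00:01Z 203.0.113.7 alice FAIL
2021-01-10T09:00:02Z 203.0.113.7 bob FAIL
2021-01-10T09:00:03Z 203.0.113.7 carol FAIL
2021-01-10T09:00:04Z 203.0.113.7 dave FAIL
2021-01-10T09:00:05Z 203.0.113.7 frank FAIL
2021-01-10T09:00:06Z 203.0.113.7 erin OK
2021-01-10T09:01:00Z 198.51.100.9 alice FAIL
2021-01-10T09:01:10Z 198.51.100.9 alice FAIL
2021-01-10T09:01:20Z 198.51.100.9 alice OK
2021-01-10T09:02:00Z 192.0.2.5 gina OK
2021-01-10T09:02:05Z 192.0.2.5 hank OK
2021-01-10T09:02:10Z 192.0.2.5 ivan OK
2021-01-10T09:02:15Z 192.0.2.5 judy OK
2021-01-10T09:02:20Z 192.0.2.5 kate OK
"""


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.2):
    """Return {source_ip: summary} for sources that, within any `window`,
    tried at least `min_users` distinct usernames with a success ratio at or
    below `max_success_ratio`. The summary lists the usernames that DID log
    in from such a source, since those are the accounts to reset first."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # oldest first; timestamps are distinct in the sample
        start = 0
        best = None
        # Sliding window over this source's events; keep the widest hit.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": successes,
                        "compromised": sorted({u for _, u, ok in win if ok}),
                    }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The shared-NAT source is not flagged even though it shows five distinct users, because every one of its logins succeeded; the success ratio is what separates legitimate shared egress from a stuffing run.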

Avast blog: Discussing NSA leaks and recent state activities with Edward Snowden

Edward Snowden and Pulitzer Prize-winning journalists Glenn Greenwald and Chris Hedges have recently come together in a video conference call moderated by Amy Goodman of Democracy Now. In the video, the group talks about the past eight years of privacy problems and other significant events. Since Snowden leaked documents from the NSA and left its employment in 2013, he has been living in Moscow and has been charged with violating the Espionage Act. I review the discussion in this blog post for Avast and explore his history, the state of affairs around Julian Assange’s self-imposed exile in London, and the relationship between governments and individual privacy in light of the NSA’s mass surveillance that was revealed by Snowden.

Time to fire your jerk boss

(An expanded piece has been published here that provides some additional thoughts from my sources.)

Whether you fire everyone on a group Zoom call or dump someone’s last paycheck on their lawn in oily pennies, there are lots of ways to be a jerk boss. What has happened thanks to Covid is that the tables are slowly turning and employees’ tolerance for the jerkiness is dropping quickly. This could be one reason why we have so many job openings. A recent NY Times article describes the situation.

Over my career, I’ve had two exceptionally jerky bosses. One who fired me and one where I eventually quit. Let’s call them Boss A and Boss B. Both were men with oversize egos that you couldn’t help but trip over in your daily tasks. This resulted in a lot of “walking on eggshells” in the office so as not to set them off. Both had poor leadership skills, meaning that they didn’t understand how to motivate their employees other than giving them direct orders, often at high volumes. Neither could build a consensus – indeed often they tore them down, with one exception: Both were good at getting their staffs to rally around a common enemy – the jerk boss himself. Both men couldn’t tolerate a different point of view than their own and wouldn’t pass up a moment to intimidate where they could.

Boss A hired me and moved me across country to take my job, and then proceeded to give me all the responsibility and almost no authority to do it. It didn’t help that one of my direct reports was really working for Boss A as a spy: meaning he was telling my boss what I was doing wrong and other comments that I had about the boss. Eventually, he couldn’t tolerate my independence and fired me one day as I arrived in the office. Effective immediately. At least, I was fired face-to-face and not over the phone or some video conference.

Boss B didn’t respect any of his employees, and probably was one of the worst bosses that I have ever worked for. He would harangue them in public at ear-splitting volume. He would give two of his staff assignments that would guarantee one would come into conflict with the other, just to see who would reign supreme in an office version of “Iron Chef” or some other reality show. He had just one important skill: how to manage up, so that his superiors kept him running the operation even though his staff would come and go. Those of us who quit became “dead to him,” as he would say to our faces when we offered our resignations. One time, he was running a conference in St. Louis and I wanted to stop by and see some of my former colleagues. He proceeded to shout at me and told me that I wasn’t welcome to walk around the conference venue and made everyone feel uncomfortable. This was years after I had quit.

The Times article doesn’t touch on my own circumstances with one of my jerk bosses: leaving to work for my own business. I was surprised that this situation wasn’t even mentioned in the sources interviewed, and that disgruntled staffers took other corporate jobs – hopefully for non-jerky bosses.

I asked my friend Ximena Veliz, who is an emotional coach and mentor to people all over the world, about her clientele. She told me that by the time they come to her, all of them have decided to leave their current jobs thanks to jerk bosses, and she tries to help frame their circumstances, so they don’t make the same mistakes in the next job. The worst combination is women who work for women bosses, and Covid has made things a lot worse, especially when companies that have been operating remotely are trying to switch back to in-person offices. “No one wants to go back to an office, no matter where they work.” Europeans are even more polarized about Covid, she told me: their population seems to be split down the middle between people who believe Covid isn’t real or not as much of a threat and people who do. That can make for some stressful workplace dynamics, to be sure.

What we need is a personality test to determine the jerky level of your boss to guide your own decision-making – and perhaps for those few jerks that are willing to reform their ways.

  1. Is there a mismatch of authority and responsibility? Rate the percentage of time that this happens, and to score in points divide this by ten. (0-10 points)
  2. How often does your boss take credit for your ideas? Give a 10 for always, 5 for only half of the time, or 0 for never.
  3. Is the volume knob permanently set at 11? Score 20 points for yes, 10 for more than half the time, or 1 for rarely.
  4. When you get together with your colleagues at breaks or lunch, how long does it take someone to start the gripe session about the jerk boss? Score 10 points for almost always or fewer points otherwise.
  5. Where do you get most of your motivation to do your job?
    a. From your own internal satisfaction (10)
    b. From your colleagues or people that report to you (7)
    c. From both a and b equally (5)
    d. Never have any direct praise from your boss (0)

If you scored 40 points or higher, leave that job now. Start thinking about your own business or where you want to live and work. In the 30s, time to brush up your LinkedIn profile and get a few recommendations. In the 20s, tough it out for now but keep your eyes open. Less than 10 points: you are blessed!