The latest digital divide spans multiple governance dimensions

When we used to talk about the digital divide, we thought about who had what technology and how they used it. A new book has opened my eyes to yet another series of dimensions, and these both take a closer look at the technology and place it in a different and more complex framework of multi-stakeholder inclusion and governance.

The book is Geopolitics at the Internet’s Core, and it is a most unusual and very helpful effort by four co-authors who have long been involved in shaping technology policy and governance: Fiona M. Alexander and Nanette S. Levinson, who both hold various research positions at American University in Washington DC; Laura DeNardis, a professor at Georgetown University and author of numerous books on tech governance; and Francesca Musiani, a researcher at the French National Center for Scientific Research. I got a copy to review, and reading this book made me want to talk to Alexander directly about the inclusion issue. (If you would like to purchase the book, use PALAUT to get a 20% discount.)

But first, let me lay some foundations.

If we look at how IP protocols are distributed across the globe, we’ll see that their DARPA origins are still very much in evidence. There are several ways to measure this. One is by counting Internet Exchange Points — the places where large ISPs can connect to each other. These are still mostly congregated in western countries, and many countries have either no IXPs or a single one. The absence or paucity of IXPs means that residents of that country will have longer latencies, less local content and a higher cost of internet access.

Another is measuring the number of IP address ranges available in any given locality. We know that the IPv4 “classic” address ranges have been mostly consumed, but in Africa there are still many available address ranges.

And then there is the distribution of DNS servers, because having one logically “nearby” also affects traffic latency and the resiliency of digital networks. It took until 2022 before Africa had its own managed DNS cluster, meaning that prior to then most of its DNS traffic had to transit to another continent.

If we move our lens to a wider angle to examine the actual languages used online, we see that English dominates, and despite there being thousands of different languages spoken and written, 82% of online content is represented by ten languages: English, Chinese, Spanish, Arabic, Portuguese, Japanese, Russian, German, French and Malaysian. For much of the internet’s early years, non-ASCII domain names weren’t supported, and today there are still gaps in having local character set support.

Let’s move our lens to a still wider angle to internet governance. This is also instructive in showing the unequal distribution of these resources. The various standards bodies that determine internet policy still have a very western bias. And as conflicts spread to the TCP/IP space, such as one country asking to terminate access into another country, who is serving on these bodies can be significant. This is not a new problem.

Geoff Huston, who works for the Asia Pacific Network Information Center, is a keen observer of these and other issues. “The problem is that the distribution of this digital wealth is very uneven, and while a small clique of individuals may live in an extreme level of opulence, large proportions of domestic populations are disenfranchised and marginalized. Having valuable digital enterprises domiciled in a nation does not translate to widespread economic prosperity. It’s extremely challenging to espouse the benefits of an open multi-stakeholder global communications environment when the dream has been so basely corrupted by the exploitative excesses of the small clique of digital megaliths.” He is of course referring to the major US online companies such as Google, Facebook, and Amazon.

These and other issues were part of a chapter of the Geopolitics book. This chapter is devoted to the role of the internet ecosystem in becoming more inclusive and involving multiple stakeholders in developing technical standards that can be adopted and supported across multiple geographies and cultures. The authors write that “the intersections of the internet with governing bodies are neither hierarchical nor linear. Thus, approaches to inclusion should involve models that complement the kaleidoscopic design of IP and reflect its very nature.”

I spoke to Alexander about her book and her role in shaping US and internet policy over her 20-year government career. “The internet has been a resounding economic success, but what is needed now is a more holistic assessment of policies to forge a path forward,” she said. “There is no singular multi-stakeholder approach — it is the tool and not an outcome, and it works best when more people and more transparency are involved.” She relishes her early years when she worked for the Clinton administration and wishes that we could have more opportunities for bringing the right people from around the world to debate these future policy choices. “Not everyone sees that, but hopefully it will happen. I remain an optimist.”

Huston fears that various national pressures might drive us away from inclusive gains of the recent past. “Maybe it’s the broader challenges of our enthusiastic adoption of computing and communications that have formed a propulsive force for widespread social dislocation in today’s world,” he says.

30 years of Web Informants

Break out the candles because this month I will celebrate Web Informant turning 30. What began as an email newsletter back in 1995 and eventually morphed into a blog is still going strong. Ten years ago I wrote this post about my first 20 years of Informants, and included a link to some of the more notable interviews that I conducted back in that era.

So let’s catch up on my last decade. Three years ago, I interviewed several IT managers whom I have kept in touch with in this series, and did another notable interview in 2024 with Janey Brummett, who spent three decades working in the IT department for the Catholic Health Association. Back in 2019, the term digital nomad was just coming into style, just before the worldwide lockdown that made travel difficult. That post has held up well, and I still follow some of the folks — who are now just called content creators — that I originally wrote about, such as Jessica Carroll recently.

During this past decade, I spent a great deal of time being a corporate blogger, including the following stints at major security vendors. Amazingly some of my content is still online from both Avast, from 2020-2022, and Kaspersky, from 2019-2021. Sadly, some of it has been erased from these sites:

  • RSA, from 2018-2020
  • HPE, from 2017-2019
  • iBoss, from 2016-2018
  • IBM, from 2015-2019, with an excellent site called SecurityIntelligence.com 

You can find a few selected pieces that I have resurrected on my blog if you want to take a deeper historical look.

Looking over this list, there is a lot that I am proud of, and much of this content has held up well. Speaking of corporate blogging, back in 2006 I wrote a piece for Computerworld about best practices for corporate bloggers, and revisited that topic in 2015. Both of those pieces have held up well too.

In addition to this work, over the past decade I have written for various editorial pubs that I either created (such as Inside.com’s email newsletter on security topics) or continue to contribute to, such as CSOonline, NetworkWorld (and other IDG/Foundry pubs) and for SiliconAngle in 2023.

I wrote a few pieces over the years about the lessons that I learned first-hand from web publishing, including this piece for Baseline magazine in 2008 (a Ziff print pub that I contributed to for many years) and more recent advice on this topic that I posted in 2014 on my own blog.

One story that I am particularly proud of was for the Internet Protocol Journal, a pub for which I have written numerous stories. This one was about the genesis of the Interop Shownet and its history and role in the development of the internet. I describe my personal involvement with the show when I launched Network Computing magazine back in 1990, and interviewed some of the show’s early participants in creating and maintaining the show’s innovative network. Alas, last year saw the passing of Interop’s guiding light Dan Lynch, who was a giant among us all.

I will leave you with some words about the current AI context. I have been writing about, thinking about, and using AI now for some time and see that in particular, cybersecurity stands at a crossroads with agentic AI, LLMs and chatbots. Never have we had such a powerful tool that can create reams of code in the blink of an eye, find and defuse threats, and be used so decisively and defensively. This has proved to be a huge force multiplier and productivity boon for security pros. But while these technologies are powerful, they aren’t dependable, and that is the conundrum. They can quickly spin stories that are fictional narratives, create code that has subtle flaws and ultimately do more harm than good by boosting phishing lures and building new forms of malware. This is the dark side that can undo these gifts. And that is the challenge at hand.

Thanks for all your attention, comments, brickbats and kudos over the years. 

The countdown to Google Zero approaches

We are witnessing the end of the search era when it comes to web technology. The term, coined last year by The Verge’s Nilay Patel, was provocatively called Google Zero. It refers to the moment when Google’s SEO is no longer sending the majority — or any — of its traffic offsite, thanks to the AI overviews that now take up the above-the-fold space on search results. As one analyst put it, “years of SEO strategy are now colliding with a system that for many publishers’ traffic is slowing — and in some cases is falling off entirely.”

Some of this is a good thing: the SEO snake oilers will have to reconstitute their potions and come up with new formulations. But it is also a bad thing, because while Google tweaks their search algorithms nearly continually, this is a big jump, and search ads are shifting quickly into AI-powered search. What this means for organic search traffic is doom, as it has already dropped significantly.

As someone who has seen web publishing from its earliest days, back before we even knew that it was a Thing, it is fascinating to watch. But it is also depressing to be working in this Brave New AI World. I was part of the early PC revolution when dead trees were turned into piles of trade magazines that reached dizzying heights. These piles were delivered the old-fashioned way, by the US Postal Service, to IT workers’ desks every Monday morning. Those were fun times, because contained in that stack of paper was the embodiment of millions of dollars of ads.

That era lasted about 15 years, until the web became a better delivery mechanism, and within a few moments, we went from a huge stack of paper to electrons that could target the digital cookies placed on your hard drive. The magazines went from each employing dozens or hundreds of people to having a single editor and perhaps another person to clean up the digital mess that was unintentionally published. We had companies such as TechTarget that literally had “search” in every one of their 57 (or was it 157?) domain names and that built a lead-gen empire.

Now TechTarget is just another bauble in the Informa collection of washed-up mags that is quickly moving to an AI underpinning. Do I sound bitter? I guess.

“Nobody is bragging about their custom CMS with a name from Norse mythology. And now they will need a new investment cycle focused on understanding and applying audience data with fewer means,” says Brian Morrissey. I had to look up the Viking reference, and what I got was of course generated from AI. But I did click on the link just to show that I appreciated a little bit of SEO there. Call me old-fashioned.

CSOonline: Seven ASPM products compared

Having a central protections platform for application security requires a deep understanding of issues and product capabilities. Protecting your enterprise application collection requires near-constant vigilance and a careful choice of the right collection of defensive tools. As threats continue to become more complex and difficult to discover, applications have also become more complex and bridge the worlds of cloud, containers, and on premises. This presents all sorts of challenges for tools which have struggled to keep pace.

The latest category of products goes by the moniker of application security posture managers, or ASPM. I review seven different tools from these vendors in my latest post for CSOonline:

  • ArmorCode
  • CrowdStrike
  • Cycode
  • Ivanti
  • Legit Security
  • Nucleus Security
  • Wiz

New developments in tinnitus treatment

As many of you know, I have been a chronic sufferer of tinnitus, or ringing in my ear, for decades. Back in 2018, I went to Iowa City for the annual summer conference on this subject, which I reported on here. Attending this conference changed my life, and my interaction with the medical-industrial complex. I saw first-hand how research items became clinical trials which further evolved into accepted science and treatment options.

I went back to this summer’s conference and today’s post summarizes what I learned. I apologize for the numerous links in this post but wanted you to have access to this material as you explore your own health journey.

One of the problems with treating tinnitus is that it is a very personal set of symptoms and handicaps. That makes it hard for medical professionals to treat it. One way to figure out what “flavor” a patient has is to use a series of self-reporting questionnaires that can try to guide treatment. One of them is the Miller Hope Scale, a series of 40 questions that is used to show how the patient sees themself. Another is the Tinnitus Reaction Questionnaire, which can quantify how the patient reacts to their tinnitus, and the Iowa researchers have two others of their own design. Another is the Meaning of Life Questionnaire. The first two instruments have long been used by Dr. Brittany Grayless, such as this summary of her research shown below. As the lead-off speaker last week, she mentioned how a provider needs to set realistic goals so patients can be encouraged to progress towards them, something that makes total sense to me but that I never thought about before — either with respect to tinnitus or other professional or personal choices.

Harnessing Hope for Tinnitus Recovery

Over the years I have gone through these and other questionnaires, and they are very hard for me to complete. Maybe I am bad at self-assessment of my own tinnitus or emotional state. Maybe I am uncomfortable with such subjectivity, and would rather be asking a medical professional to interpret a blood test or something more concrete. Maybe these tests are designed more for folks that have more severe tinnitus. I raised these issues with several of the speakers when I was in Iowa, and they agreed with me that these tools are admittedly imperfect, but the best things we have at present.

Ann Perreau from Augustana College also makes use of these questionnaires to develop a sequence of self-paced online videos that help provide remote counseling. She reported on the clinical benefits she saw — sadly, this courseware is not yet available to the general public.

Sarah Kingsbury of the Mayo Clinic in Arizona presented her research on the connection between diet and tinnitus, showing some progress (she has been working on this area for many years). Some patients benefit from additional vitamins. I might give this a try.

One enormous data source that was cited by several speakers is the UK’s Biobank effort to catalog 500,000 patients’ data over a long period of time. Ishan Bhatt used this for his research into what is now called the “gut/ear” connection to see if genetic markers could be a cause of both tinnitus and depression. He disproved this connection, although both conditions make use of the same genetic code. Other work was presented at the conference to further understanding of this connection.

When I was first investigating getting hearing aids, I wasn’t too sure that they would help my regular hearing — irrespective of tinnitus. Last week several researchers pointedly mentioned how aids can help people with “normal” hearing solve other issues, such as social awareness or anxiety in noisy situations, or for children.

One of the reasons why I like the Iowa conference is that it brings together doctors, nurses, audiologists (some of whom are doctors doing active research), patients and vendors. After decades of covering enterprise technology, I love hearing from vendors and last week saw several both presenting their wares and describing their research efforts, such as SoundPillow (that embeds speakers to play custom programs inside a pillow), Neuromonics (an iOS-based software solution that has a six-month course to habituate patients), and Neuromod (hardware that stimulates the tongue while playing sounds). Neuromod was just starting clinical trials back in 2018, and now has a commercial product called Lenire that has given relief to some tinnitus patients. (It is rather pricey, just so you know.)

After the first Iowa conference that I attended, I got my first hearing aid, and learned how to own my tinnitus. This year, I upgraded to a second pair of aids, running programs not just for masking tinnitus but also providing stereo sound via its CROS software. A careful reading of my prior posts will show you that I wasn’t impressed with the older CROS capabilities, but they have come a long way and I am now a big fan.

There will never be “a cure” for tinnitus, but bit by noisy bit there are ways to make it better for those of us who have it. Thanks for tagging along and hearing about my own journey.

How this IT executive became an international digital nomad

I have often looked at my job to “ask questions, to be curious about the other person’s point of view, to have empathy.” No, I didn’t write this, but it could clearly be my credo after all these years and words of wisdom. I found the quote in a blog written by Jessica Carroll about 18 months ago. She has had a long career in IT management, running that department for the US Golf Association for decades before moving to roles in customer experience leadership and now has her own consulting practice.

I used to interview Carroll for various pieces that I wrote when she was at the USGA about 15 years ago, and decided to catch up with her recently. Back then, cloud computing was the shiny new thing and gathering lots of attention — just as AI is getting now. “Everyone now is looking at AI and reacting the same way as they did back then about the cloud,” she said. “I think AI is more evolutionary and not as big a job threat as many people are predicting.” We spoke about how the tech world has changed, however: “We don’t look towards IT as the ultimate authorities anymore. This could be because executives don’t really care about the IT details because tech has become a commodity.” I suggested that perhaps the deeper acceptance of tech throughout businesses has made us less fascinated with it than in those early days when email, the internet, and clouds were quickly evolving and far from generally accepted.

In our chat, I caught up with her in her new role as world nomad. She and her husband, a commercial photographer, have spent the last year living for weeks or months in different places around the world: Barcelona, Florence, Peru, Cape Town, and now in the UK. This was after planning their transition more than a decade ago and selling their home and most of their possessions in New Jersey last summer. They initially thought of early retirement but both enjoy working remotely and have made it possible with being experts in their respective fields — she mostly consults on customer experience — and manage to mix work with the travel. For example, both reserve Mondays for work, and that includes being available during US work hours when they are abroad.

You might think the current political situation was what motivated them to make this move, but as I said their planning started long ago. Nevertheless, “it is refreshing though to remove ourselves from the constant US news cycles. And also to listen to people’s views of our domestic political climate when we are abroad. I tend not to share my views but just listen,” which gets back to the quote at the top of this post. The rest of the quote continues with the point of her article, which was written before she hit the road full time: she tries to “foster an atmosphere where the various teams become enthusiastic about collaborating to solve problems or create innovative solutions.” She goes on to talk about finding common ground: “What if, instead of territorial boundaries, we find a common purpose and intentionally seek ways in which to communicate more productively to help each other make our daily lives better?” Good advice, both in the corporate world as well as for all of us personally.

Once upon a time, I might have envied her nomad way of life, but lately I have been enjoying sticking closer to home. Still, she wrote more recently: “It’s not enough to build great solutions. Without deep, ongoing engagement, opportunities fade, and loyalty weakens. A one-time transaction doesn’t sustain growth. A relationship does.” I agree completely.

Why email makes for a bad login identity

For the past three decades, I have had the same email address and domain name. The time has come to consider selling the latter, which means I have to figure out where I am using the former. It isn’t a pretty picture.

Part of the problem — a big, messy, and difficult part — is that my email is used as a primary login ID in several hundred websites and apps. This wasn’t my choice, and sadly, for many website logins, it is still the standard operating procedure.

When I first began this project the number of my site logins was over 500. How do I know this? It is because for many years I have used password managers to handle my logins. I began using LastPass and moved two years ago to Zoho Vault. This project would have been impossible without a password manager.

That being said, it was time for a major cleanup on aisle P. Many of these websites have gone the way of the dodo, or at least evaporated into the dim reaches of cyberspace. Remember efax.com or tweetsmap? The former was an internet faxing site that for years had a secret free service for low-volume receiving faxes, the latter a Twitter analytics service. Both sites will forward to more recent domains, but my logins have disappeared.

There were plenty of other domains that I will no longer be visiting, and they read like a testimonial to the early days of the web: I can’t recall the last time I rented a car from Hertz, made a payment using Paypal, had a conference using Webex or used Quickbooks for my accounting needs. All of these items were true back in the early 2000s. That made me a bit sad, seeing how innovative each of those sites were (and many others that you probably wouldn’t recognize what they did back in the day). Rather than mourn their demise, we should be glad that the march of time has brought us Lyft and Venmo, to name two more recent examples. These bygone logins show how far we have come, where we think nothing of tracking and then getting into some stranger’s car or sending a digital payment from our phones.

The issue is that if I do sell my domain, I have to move away from my email ID to something else, and to do the move before my legacy email stops working. Many of the logins have a very convoluted way to change your email address, and often one step is that they first send a notification message to the old address to make sure that it is you that is doing the changing, and not some Russian hacker that is about to gain access to your identity. I am not complaining (well, maybe a little bit) and glad there is some security, however fragile.

There is really no way to automate this process. Making matters worse is that each website tucks away the spot where you can make an email change, which is a massive UI issue too. The airlines are the worst offenders here: for Delta and United, I had better luck using their mobile apps than their web interfaces to make the change. For Southwest, I had to call them and walk through a very odd series of steps to find that buried treasure — but first I had to log out of my account. I know, actually talk to someone? On the phone? Let’s party like it is 1999.

For those few sites that offer a non-email ID, this is a better mousetrap because it eliminates the authentication step and places the email portion out of the login stream. Better yet are those sites that offer a passkey, but hey, that is still considered new tech (ahem, it has been around for nearly a decade).

And BTW, I managed to weed out more than 150 logins as I made my way through my password manager. So some progress!

But wait, there is more. Since I use Google to manage email, I also use Google to manage my contact address book. Over the years it has contained thousands of people. For years now I have been dutifully making CSV backups of these contacts, but never really tested to see if I could restore the entire list, with all its metadata labels, to another account. Bad practice to be sure. I am happy to report that I was able to import the list just fine. I still have Google Docs/Sheets/ etc. content to migrate over too. Lots of weeding to be done, for sure.

Book review: The Locked Ward by Sarah Pekkanen

This book revolves around three sisters: a set of twins that are adopted by different families but are unknown to each other, and a third person who is a biological offspring in one of the families. At the onset of the story, this last person is found dead and one of the twins is accused of the murder. The story is an interesting one as it switches back and forth between the two twins as they discover each other and learn more about their circumstances, including why they were raised separately after their birth. Being an adoptive parent myself I was fascinated with the plot points — which treat the adoption process with some subtlety and respect — and how the actual circumstances around the third sister’s murder are resolved. For thriller fans this novel has a lot going for it, and the various plot twists are described in enough detail to keep your interest and attention. I would urge readers to pay attention near the end of the book to understand these twists and appreciate what the author is trying to tell you. Highly recommended.

Book review: Claire Booth’s Throwing Shadows

This murder mystery combines real historical elements about the Ozarks near Branson with the author’s imagination of a series of events that happen after an overzealous podcaster brings up the potential for buried treasure in those mountains. The listeners come to the area, and two of them are murdered in search of the loot. How the mystery of their deaths unfolds is told through the eyes of several town officials and hangers-on that are colorfully drawn and interesting to read about. I am somewhat familiar with this part of the country, having visited the area several times, and am glad that there weren’t any murders happening — at least that I knew about. Booth’s plot points and the novel’s early forays into figuring out quite literally where and why the bodies have been left behind are interesting and the novel remains compelling right up until its conclusion. Highly recommended.

How hackers can live inside your network for months

You might have seen this week’s story about how Ukrainian and other anti-Russian hackers brought down parts of Aeroflot’s networks, resulting in massive flight delays and cancellations. It turns out these hackers have had access to the airline’s systems for a year or more, and only recently have begun to play their hand. The hackers coordinated their efforts with numerous drone attacks on civilian airports and other Russian military targets, which has disrupted internet services across Russia to try to disconnect the drones from their commanders.

Despite sanctions, a predicted dearth of spare parts, and other restrictions, Aeroflot has flown millions of passengers in the past year. A report from Finland recently found about $1B in parts being purchased through cut-outs and other third parties located in China and the UAE. It also didn’t hurt that at the onset of the war and subsequent sanctions, Russia seized about 500 planes that were present in the country, once owned by other airlines. (One crashed shortly after I wrote this post; the cause could be a lack of parts.)

As I was researching this story, I came across a tale from one of my IT contacts. He told me about a situation that happened about ten years ago at a mortgage services company that he was working with as a consultant. “On my first day I found most of their 2000 servers hadn’t been patched, for years! Many were running out of support for their operating systems and applications. The place was a cyber nightmare waiting to happen.” He eventually got the company to agree to patching and upgrading their servers. “Thankfully, we got everything fixed and put in a good security monitoring and incident management system. But then, a few weeks after the new security systems went online, the company detected an attempted breach.”

What happened was the attackers had been spending months accumulating intelligence and doing research into the corporate management chart by dialing into various public phone numbers and taking note of any names, departments and other info attached to those phone numbers. “Essentially, they built a phone book of the company. They then searched names to identify the execs, their admins, and anyone who would have elevated access to the company’s systems.” Thus began their second phase: spoofing caller IDs to the company’s help desk and phishing their targets, sending malware-laced emails under the guise of fixing some made-up cyber problem. The assembled phone book was used to give the phishing more cred.

“That morning four people took the bait and ran the attached file. Our security tools quickly spotted the problem. If this had happened a few weeks sooner it would have been very, very bad.”

Lesson learned: hackers can take their time to learn your vulnerabilities, and map your weaknesses. You have to be in the long game too.