Avast blog: Instagram bans are now being sold as crime-as-a-service

Cybercriminals are expanding their “services” by offering to ban an Instagram user for the low, low price of $60. This was recently reported by Motherboard, whose research showed that anyone on Instagram can harass or censor anyone else. The notion is actually pretty clever, because the same criminals (and their close accomplices) can then offer a “restoration” service to the victim for several thousand dollars.

Instagram has a support page that walks you through how to protest a disabled or banned account. It isn’t very good. In my post for Avast’s blog, I mention the issues and what you can do to harden your Instagram account.

China fights inhumane 996 work practices

Last week China’s Supreme People’s Court and the Ministry of Human Resources and Social Security issued a set of ten new legal cases (what we would normally think of as judicial rulings) about how to treat workers’ rights in labour disputes. The ten cases (documented here in Chinese) mostly cover workplace overtime disputes. Before I can describe these cases, we need to talk about what are called 996 schedules.
Chinese companies are infamous for setting very high working hours: the numbers refer to the “usual” workday running from 9 am to 9 pm, six days a week. As Protocol discusses, this schedule has been tacitly approved by the government for years, and even promoted by mainstream business owners such as Jack Ma (who called 996 workers a blessing for his company Alibaba) and Richard Li, who derided those that didn’t as slackers.
(Image caption: Microsoft and GitHub Workers Support 996.ICU)
The 996 practice got to be so well known that two years ago it got its own GitHub project, now supported by more than 500 contributors. Called 996icu, its name means that if you work a 996 schedule, you will end up in a hospital’s ICU. The project has badges and banners for supporters of more reasonable working hours, lists of companies that have more balanced work rules and tips to help workers fight 996 conditions. The project’s readme file states “This is not a political movement. We firmly uphold the labor law and request employers to respect the legitimate rights and interests of their employees. We want to create an open source software license that advocates workers’ rights.”
The 996 situation changed with the cases cited by the courts last week. Given a series of high-profile deaths of overworked and overstressed employees, a growing movement among Chinese Millennials to have more of a work/life balance and a concern by the central government about a shrinking labor force (China’s population growth is slowing), it was time for some clarification and an attempt to stamp out 996 practices. The ten cases define a “standard” 44-hour workweek and 8-hour workday, how to resolve pay disputes, and other employment matters.
The rulings have already brought about changes for smartphone maker Vivo, which scrapped its six-day work weeks the day after the cases were published. Legal scholars predicted that worker complaints would be given more credence by the court system. Still, some social media reaction was skeptical, so we’ll see what happens. But it certainly is a step in the right direction.

CSOonline: How to find the right testing tool for Okta, Auth0, and other SSO solutions

If you have bought a single sign-on (SSO) product, how do you know that it is operating correctly? That seems like a simple question, but answering it isn’t so simple. Configuring the automated sign-ons requires an understanding of the authentication protocols they use. You will also need to know how your various applications use these protocols—both on-premises and SaaS—to encode them properly in the SSO portal. It would be nice if you could run an automated testing tool to find out where you slipped up, or where your SSO software is failing. That is the subject of this post. You can read more on How to find the right testing tool for Okta, Auth0, and other SSO solutions on CSOonline here.

NokNok blog: Next level metal credit cards

I got my first metallic credit card from Apple a few years ago. I thought it was more a curiosity than anything else. Soon after, my wife got a metallic card from Chase. American Express and Discover have both been making metal cards for years as well. Now, thanks to a partnership between NokNok and CompoSecure, you will see new types of cards that have something besides their outer skin to offer consumers: the ability to include authentication tokens and cold cryptocurrency wallets. You can read more in my blog post for NokNok here.

Avast blog: Protect your online store against Magecart attacks

Shopping cart malware, known as Magecart, is once again making headlines while plying its criminality across numerous ecommerce sites. Its name is in dishonor of two things: shopping carts, and more specifically, those that make use of the open-source ecommerce platform Magento. Magecart malware compromises shopping carts in such a way that credit card data collected by the cart is transmitted to cybercriminals, who in turn resell this information to other bad actors. In my blog for Avast, I review some of the more notable attacks over the past several years and catalog the confluence of trends that have made Magecart a popular threat vector.

In addition to some suggestions on how you can strengthen your ecommerce storefront, here are a few other tips to try to prevent this from happening to your website:

  1. Use this browser-based tool from Trustwave to check if your site has been compromised, along with other tips listed in the blog post to help you investigate your web storefront code.
  2. Use isolation tools such as this one from SourceDefense to better control access rules and prevent malicious script injections.
  3. Finally, whatever website server software you use, make sure you apply updates as soon as possible. Magento users who were compromised by early attackers delayed these updates, and the attackers found these outdated versions and took advantage of them. The software vendor lists current patches and also offers a free vulnerability scanning tool.
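As an added example, not code from the blog post or from any of the tools it links, here is a small script-inventory audit in the spirit of the “investigate your storefront code” tip: it lists every script a storefront page loads, flags origins outside an allowlist, inline scripts (which an origin allowlist cannot vouch for) and external scripts without Subresource Integrity, and emits the matching Content-Security-Policy script-src directive that makes the browser enforce the same allowlist. The page HTML, hostnames and hash are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element: src (if any), integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:          # HTMLParser delivers script bodies as data
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def script_origin(src):
    """Normalise a script src to the origin a CSP script-src allowlist would name."""
    u = urlparse(src)
    if u.scheme and u.scheme not in ("http", "https"):
        return u.scheme + ":"               # e.g. data: sources never match a host allowlist
    if not u.netloc:
        return "'self'"                     # same-origin path such as /static/checkout.js
    return (u.scheme + ":" if u.scheme else "") + "//" + u.netloc   # keeps //host protocol-relative


def audit_scripts(html, allowed_origins):
    """Return (kind, detail) findings for scripts the allowlist does not cover."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for s in p.scripts:
        if s["src"] is None:
            findings.append(("inline-script", s["body"].strip()[:40]))
            continue
        origin = script_origin(s["src"])
        if origin not in allowed_origins:
            findings.append(("unlisted-origin", s["src"]))
        elif origin != "'self'" and not s["integrity"]:
            findings.append(("no-sri", s["src"]))   # allowed host, but no integrity pin
    return findings


def csp_script_src(allowed_origins):
    """Build the response header that enforces the same allowlist in the browser."""
    return "Content-Security-Policy: script-src " + " ".join(allowed_origins)


# Constructed storefront page: one first-party script, a pinned payment script,
# an unpinned script on the same allowed host, two unknown hosts and an inline script.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v3/pay.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://js.example-psp.test/v3/extra.js"></script>
<script src="https://cdn.example-analytics.test/a.js"></script>
<script src="//cdn.example-unknown.test/jquery.min.js"></script>
<script>console.log("constructed inline script")</script>
</head><body><form><input name="card"></form></body></html>"""
ALLOWED = ["'self'", "https://js.example-psp.test"]   # constructed allowlist

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE, ALLOWED):
        print(f"{kind:16} {detail}")
    print(csp_script_src(ALLOWED))
```

Run the audit against a fresh copy of the live page on a schedule and alert on any new finding; a script that was not there yesterday is exactly the change this class of attack introduces.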

Wanna email your governor? Good luck!

One of the simplest methods of communication with the top executive in your state is anything but. This week I tried to find the email address for my governor, Mike Parson, but all I got was a lousy web form on the state website. Yes, I could fill out the form, but I wanted to track our correspondence (wishful thinking, I know) through my email client. Alas, it was not meant to be.

This turned into A Project. Turns out many states aren’t so transparent about their email addresses. Surely they must use email to conduct state business. But finding out those actual addresses, well, that is another matter.

Yes, almost every governor’s office phone number is easily discoverable from numerous online sources. And part of me wanted to call each one and ask what the appropriate email address is, just to hear the staffer sputter or put me on hold. You can go to this document, maintained by the National Governors Association, which lists both phone numbers and postal addresses for all of them, including territories. There is a separate document that links to various social media addresses. But email? Nope. You can see the data here for the first few lines:

(NGA, you might want to spend the minutes it might take to add another column to this document and become useful to those of us who want to use email.)

A quick check of several nearby states shows Missouri isn’t alone in relegating constituent queries to a web form: the state websites of Illinois, Kentucky, Iowa and Maryland also just have these forms on their governors’ pages, with no mention of their chief executive’s actual email address. That’s annoying. I tried to decode the underlying HTML of the forms, but I wasn’t smart enough to suss it out.

This reminds me of a story that I wrote many years ago, at the dawn of the internet era. I was searching for computer tech support information, and back then we didn’t have Google and most vendors barely had FTP servers, let alone websites that had this information. But that was the 1990s. Those that had email responders didn’t really staff them for timely answers either. That article, by the way, is notable in how many companies have gone to dust (Lycos? Compuserve? Memories.)

There is a source of governor emails, and it comes from an odd place: Rick Halperin, a history professor at Southern Methodist University. Not wanting to link to an outdated document, I emailed him and asked if he keeps the document up to date. Within minutes he replied (thanks Rick! Governor staffers, please note.), saying thanks for reminding him and yes, link away. So there you have it. To paraphrase that infamous cartoon, on the internet, everyone knows you are a dog if you work for a state government.

Now I am under no expectations that my governor — or any other — is actually going to read his or her emails. Or that anyone will actually respond with anything other than a form letter. But if you want to comment on this piece, I will take the time to write back.

Book review: The Next Rules of Work

I have known Gary Bolles for decades. Back when I was putting together the first editorial staff for Network Computing magazine, Gary was one of my early hires. He had a curious resume, made even more so by the fact that his father was famous for the “Parachute” career counseling books. He was a quick learner — so quick that when I left the magazine to start my own consulting business he was my pick to succeed me, and he then went on to found other publications and eventually his own consultancy. He has written his first book, and it complements the family business by showing how we have evolved in how we approach work. His thesis is that we are in a new era, where the old rules of pre-learning aren’t sufficient, and we need to become lifelong learners with a deep portfolio of experiences, interests and job-like skills.

Part of the new rules is directed towards managers, who have to transition from being the “sage on the stage” to the “guide on the side.”

Like the Parachute series, there is assigned homework, which is just as annoying as when I read Bolles Sr.’s books back in the day. The model canvas can be found on Gary’s website here.

Most of his book is focused on adjusting three frames of reference for both individuals and the new companies that they work for: mindset, toolset and skillset. You will need to adjust your mindset to handle what the world needs, what you love and are good at, and what you can actually be paid hard cash money for. (The Japanese call this Ikigai.) You will need to adopt what he calls “flash problem solving” skills with an ad hoc group he calls the coalition of the willing. This may mean “unbossing” yourself, which sounds scary, but millions of gig workers have already succeeded at it.

Another concept is one that I wrote about last week, how to become a life-long learner and what this means for retirement.

There are a lot more thought experiments and Venn diagrams to illustrate his points. If you are ready to make the jump and sign on to this new way of life, you might find the book a useful manual. Bolles’ book is available on his website, and if you are still unsure you might want to sign up and watch a couple of his classes on LinkedIn Learning ($30/mo).

Avast blog: Here’s how hackers can steal your data using light, radio, and sound waves

Most of us are familiar with the primary methods for moving data onto and off of our computers: think Wi-Fi networks, USB ports, and Bluetooth connections. However, there are additional, lesser known ways in which data can be retrieved from a device. An elite group of cyber researchers from Ben-Gurion University (BGU) in Beersheva, Israel, has made it its mission to figure out more than a dozen different ways that bad actors with lots of time can extract information, even if you think your PC isn’t connected to anything obvious.

In my post for Avast’s blog, I summarize these methods and provide some advice on how to avoid these sorts of attacks.

Why we need girls’ STEM programs

Like many of you, I have watched the horrors unfold in Afghanistan this week. There has been some excellent reporting — particularly by Al Jazeera on their English channel — but very little said about one massive and positive change that the past 20 years has seen: hundreds of thousands of boys and girls there have received an education that was previously out of reach. I am particularly glad to see that many students have also gotten interested in STEM fields as well.

I was reminded of something that happened to me nine summers ago, when I was one of the judges in the annual Microsoft Imagine Cup collegiate software contest, held that year in Sydney. By chance, I ended up judging three teams that were all female students from Ecuador, Qatar and Oman. Just so you understand the process: each country holds its own competition, and that team goes on to the finals. That means that the women bested dozens if not hundreds of other teams in their respective countries.

My post from 2012 shows the Omani team (above) and how carefully they branded themselves with red head scarfs (their app was something dealing with blood distribution, hence the color and the logos on their shirts). The Qatari team had a somewhat different style: one woman wore sweats and sneakers, one wore a full-on burka covering everything but a screen for her eyes, and the other two had modest coverings in between those points. It was my first time seeing anyone give a talk in a burka, and it was memorable. All four of them were from the same university, which was also an important point. While none of my teams were finalists, it didn’t really matter. They all were part of the 375 students who made it to Sydney, and they all got a lot out of the experience, as did I.

The reason I was thinking about the issues for women’s STEM education was this piece that I found in the NY Times about the FIRST robotics competition and the Afghan girls team. The story was written two years ago, and pre-dates what is happening now.

The girls were able to make it out of Kabul on Tuesday to Oman, where they will continue their STEM education. But there are certainly many thousands of girls who aren’t so fortunate, and we’ll see what happens in the coming weeks and months. I think many of us are literally holding our breath and hoping for the best.

One of the reasons for the FIRST girls team’s success was great mentorship by Roya Mahboob, an Afghan expat tech entrepreneur and the team’s founder. She — yes you might not know that Roya is a woman’s name and is Persian meaning visionary — isn’t the only one that got behind these girls — if you read some of their own stories you can see that they had the support of an older generation of women who had gotten STEM education — the “tech aunties brigade” as I would call them — who were important role models. It shows that this progress happens slowly — family by family — as the old world order and obstacles are broken down bit by bit. Think about that for a moment: these girls already had older family members who were established in their careers. In Afghanistan, there isn’t a glass ceiling, but a glass floor to just gain entry.

While there is a lot to be said about whether America and the other NATO allies should have been in Afghanistan to begin with, I think you could make an argument that our focus on education was a net positive for the country and its future. From various government sources cited in this report, “literacy among 15- to 24-year-olds increased by 28 percentage points among males and 19 points among females, primarily driven by increases in rural areas.” This is over the period from 2005 to 2017. And while I couldn’t find any STEM-specific stats, you can see that education has had a big impact. I don’t know if the mistakes of our “endless war” can be absolved by this one small but shining result, but I am glad to see more all-girls STEM teams take their message around the world, and to motivate others to try to start their own STEM careers.

The period of your life formerly known as retirement

I have known quite a few of my contemporaries who are contemplating the next phase of their lives. In April, 4M people quit their jobs. This used to be called retirement, but now we need a better word to indicate more of a transition rather than a choice. I now think of this differently. No longer is this the time to relax, to travel, to see the grandkids, to take up new hobbies or volunteer work.

This isn’t exactly a new idea. Pablo Casals once famously said that he was motivated to continue to practice the cello in his 90s because he was making progress.

One friend of mine is hyper-organized: he has five volunteer jobs — one for each day of the week to keep himself busy. Others have a part-time job that gives them some flexibility. As to travel — well, we have the virus to change those plans.

Gary Bolles, in his first book, called The Next Rules of Work, plots out a new vision for how we relate to work, to jobs, to bosses, and to our lives. You can click here for my full review of his book. My takeaway for this blog post is the changing way we need to approach retirement — no matter what your age.

For many years now, you haven’t had to be receiving Social Security payouts to retire. I know plenty of teachers and military members who began working at age 20, and were able to retire with full benefits when they turned 40, often starting new careers.

When friends ask me if I am planning on retirement, I say no. And this is because I am completely aligned with Bolles’ Next Rules. I consider myself a lifelong learner, and designed my freelance business to ensure that I would always be learning something new about the tech fields that I write about. It wasn’t too hard: I imagine if I was writing about the sporting goods or home appliances businesses I would have a lot less learning to do year-on-year. (Maybe not, but you get my point.)

No matter where you are in your life, you have to figure out how to continue to learn new stuff. When we are working every weekday, we tend to have someone else force us into this learning-as-part-of-the-normal work process. But as more of us become gig workers, we have to create these situations on our own, and that is the manual that Bolles has constructed.

You could build it in, as in “if it is Tuesday I volunteer at X,” the way my friend does. Or you could have other mechanisms that force the learning, such as a book club (where the group actually does read the assigned books), or a travel schedule (if we can ever get back to that again), or something else that forces you out of the house so you aren’t locked into daydrinking/Netflix bingeing cycles. Of course, for some of us that just may be an intermediate goal, which is fine.

So if you aren’t happy in your current job, think about making this transition to becoming a life-long learner. Don’t wait until you reach your 60s.