9/11, 20 years after

Like Billy Joel once sang, I am in a New York state of mind this week. Thinking about where I was 20 years ago, watching the towers collapse from a vantage point in my town in Long Island. Thinking about the two friends that lost their lives that day, Mark Bingham and Tom Kelly. There is certainly plenty of TV programming to choose from this week, as Deadline summarizes.

By way of background, I have spent half of my life living in Long Island: born in Bay Shore, grew up in Levittown and Merrick, then went to college, only to return for a year to live in pre-gentrified Brooklyn before leaving to go to grad school. Eventually I came back in my 30s to live in Port Washington, where I raised my daughter, served on the local school board, and established my own business. Port Washington lost about a dozen people on 9/11, fewer than its neighboring community Manhasset lost that day.

For most of the last 20 years, I have been living in the Midwest. Every so often, I miss the hustle and bustle of NYC. This is one of those times. This was going to be a tough anniversary. Covid, cancer, travel restrictions, floods and tornadoes in New Jersey! It does seem like End of Days.

I have been watching the NatGeo/Hulu series on what happened that particular day. It is an amazing piece of journalism, linking images of many of the heroes caught on film in 2001 with contemporary interviews. One of them is an interview with Bingham’s mother and highlights his role in thwarting the hijackers of United 93, and how proud she is of him. The series shows the level of heroism from both those who survived and those who perished. We see the firefighters trying to figure out how to save lives but losing their own. It is a hard film to watch, but it gave me hope in humanity and highlighted some of the day’s heroes.

Now, the notion of what constitutes a hero has been somewhat devalued in the past 20 years, but these were folks who put themselves in harm’s way and considered the plight of others before themselves. One guy was buried under the rubble of one of the collapsed towers with someone else. He first helped free that person, who immediately fled, leaving the first guy to fend for himself. You see him today all healthy and hale, then what he looked like back in 2001, all bloody and torn up from trying to squeeze through the pile of concrete and glass.

As many of you know, I have volunteered as a freelance journalist for my local Red Cross chapter, profiling some of the many volunteers who have given far more time and service towards helping others during many disasters. This week you can read my profile of Mickey Shell (and numerous others) when he went to NYC to help out after 9/11. It was the first time he visited the area from his home in Poplar Bluff, Mo. He is a mental health professor who gave comfort to the survivors, and learned how to navigate the complexities of the NY subway system as part of his deployment.

With 9/11, we came together as one – mostly. Sure, there was the attack on an Indian restaurant in Port Washington by some local louts. They didn’t quite get that Sikhs (who owned the place) wore turbans too and had nothing to do with the 9/11 hijackers, Arabs, or the Middle East for that matter. Not much has changed today — we have attacks on various Asians that had nothing to do with transmitting Covid. There will always be haters. And now we have thousands of Afghan refugees who arrived in our airports over the past few weeks, whom we must try to assimilate, protect, and give the opportunity for a new life. Let’s hope there are still some heroes to go around.

Red Cross blog: Mickey Shell works as a Red Cross disaster mental health volunteer at 9/11

I interviewed Arkansas-based Red Cross volunteer Mickey Shell as part of a package of stories about where other volunteers were after the 9/11 disaster. To give you an idea of the scope of the organization’s services, more than 57,000 Red Crossers from across the country served more than 14 million meals and snacks, opened dozens of shelters for people who were left stranded, and connected some 374,000 times with people to provide emotional support and health services.

Avast blog: Instagram bans are now being sold as crime-as-a-service

Cybercriminals are expanding their “services” by offering to ban an Instagram user for the low, low price of $60. This was recently reported by Motherboard, whose research showed that anyone on Instagram can harass or censor anyone else. The notion is actually pretty clever, because the same criminals (and their close accomplices) can then offer a “restoration” service to the victim for several thousands of dollars.

Instagram has a support page that walks you through how to protest a disabled or banned account. It isn’t very good. In my post for Avast’s blog, I mention the issues and what you can do to harden your Instagram account.

China fights inhumane 996 work practices

Last week China’s Supreme People’s Court and the Ministry of Human Resources and Social Security issued a set of ten new legal cases (what we would normally think of as judicial rulings) about how to treat workers’ rights in labour disputes. The ten cases (documented here in Chinese) cover mostly workplace overtime disputes. Before I can describe these cases, we need to talk about what is called 996 schedules.

Chinese companies are infamous for setting very high working hours: the numbers refer to the “usual” workday running from 9 am to 9 pm, six days a week. As Protocol discusses, this schedule has been tacitly approved by the government for years, and even promoted by such mainstream business owners as Jack Ma (who called 996 workers a blessing for his company Alibaba) and Richard Li, who derided those that didn’t as slackers.

Microsoft and GitHub Workers Support 996.ICU

The 996 practice got to be so well known that two years ago it got its own GitHub project, now supported by more than 500 contributors. Called 996icu, its name means that if you work 996 hours, you will end up in a hospital’s ICU. The project has badges and banners for supporters of more reasonable working hours, lists of companies that have more balanced work rules, and tips to help workers fight 996 conditions. The project’s readme file states “This is not a political movement. We firmly uphold the labor law and request employers to respect the legitimate rights and interests of their employees. We want to create an open source software license that advocates workers’ rights.”

The 996 situation changed with the cases cited by the courts last week. Given a series of high-profile deaths of overworked and overstressed employees, a growing movement among Chinese Millennials to have more of a work/life balance, and a concern by the central government about a shrinking labor force (China’s population growth is slowing), it was time for some clarification and an attempt to stamp out 996 practices. The ten cases define a “standard” 44-hour workweek and 8-hour workday, how to resolve pay disputes, and other employment matters.

The rulings have already brought about changes for smartphone maker Vivo, which scrapped its six-day work weeks the day after the cases were published. Legal scholars predicted that worker complaints would be given more credence by the court system. Still, some social media reaction was skeptical, so we’ll see what happens. But it certainly is a step in the right direction.

CSOonline: How to find the right testing tool for Okta, Auth0, and other SSO solutions

If you have bought a single sign-on (SSO) product, how do you know that it is operating correctly? That seems like a simple question, but answering it isn’t so simple. Configuring the automated sign-ons requires an understanding of the authentication protocols they use. You will also need to know how your various applications use these protocols—both on-premises and SaaS—to encode them properly in the SSO portal. It would be nice if you could run an automated testing tool to find out where you slipped up, or where your SSO software is failing. That is the subject of this post. You can read more on How to find the right testing tool for Okta, Auth0, and other SSO solutions on CSOonline here.

NokNok blog: Next level metal credit cards

I got my first metallic credit card from Apple a few years ago. I thought it was more a curiosity than anything else. Soon after, my wife got a metallic card from Chase. American Express and Discover have both been making metal cards for years as well. Now, thanks to a partnership between NokNok and CompoSecure, you will see new types of cards that have something besides their outer skin to offer consumers: the ability to include authentication tokens and cold cryptocurrency wallets. You can read more in my blog post for NokNok here.

Avast blog: Protect your online store against Magecart attacks

Shopping cart malware, known as Magecart, is once again making headlines while plying its criminality across numerous ecommerce sites. Its name is in dishonor of two actions: shopping carts, and more specifically, those that make use of the open-source ecommerce platform Magento. Magecart malware compromises shopping carts in such a way that credit card data collected by the cart is transmitted to cybercriminals, who in turn resell this information to other bad actors. In my blog for Avast, I review some of the more notable attacks over the past several years and catalog the confluence of trends that have made Magecart a popular threat vector.

In addition to some suggestions on how you can strengthen your ecommerce storefront, here are a few other tips to try to prevent this from happening to your website:

  1. Use this browser-based tool from Trustwave to check if your site has been compromised, along with other tips listed in the blog post to help you investigate your web storefront code.
  2. Use isolation tools such as this one from SourceDefense to better control access rules and prevent malicious script injections.
  3. Finally, whatever website server software you use, make sure you apply updates as soon as possible. Magento users who were compromised by early attackers delayed these updates, and the attackers found these outdated versions and took advantage of them. The software vendor lists current patches and offers a free vulnerability scanning tool as well.
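The first tip above is about inspecting your storefront code for scripts you did not put there. As an added example (not code from the Avast post or from Trustwave), here is a small Node.js audit of a checkout page’s script tags that flags external scripts from origins outside an allow-list and trusted scripts that lack Subresource Integrity. The sample HTML, the allow-list, the page origin `https://shop.example.com` and the function names are all constructed for illustration.

```javascript
// Added example: audit a checkout page's <script> tags for signs of
// injected skimmer code. Not the post's or any vendor's code.

// Constructed sample page: one first-party script, one allowed CDN
// script with SRI, one script from an origin not on the allow-list,
// and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-payments.com/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats-cdn.example.net/analytics.js"></script>
<script>console.log("inline");</script>
</head></html>`;

// Constructed allow-list of third-party origins you expect on checkout.
const TRUSTED_ORIGINS = new Set(["https://cdn.example-payments.com"]);

// Pull every <script ...> opening tag and its quoted attributes.
// (A regex is enough for this illustration; use a real HTML parser
// on production pages.)
function parseScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    tags.push(attrs);
  }
  return tags;
}

// Report: external scripts from untrusted origins, trusted-origin
// scripts without an integrity attribute, and inline scripts for
// manual review. First-party scripts are skipped.
function auditScripts(html, trusted, pageOrigin) {
  const findings = [];
  for (const attrs of parseScriptTags(html)) {
    if (!attrs.src) { findings.push({ kind: "inline" }); continue; }
    const url = new URL(attrs.src, pageOrigin);
    if (url.origin === pageOrigin) continue;
    if (!trusted.has(url.origin)) {
      findings.push({ kind: "untrusted-origin", src: attrs.src });
    } else if (!attrs.integrity) {
      findings.push({ kind: "missing-sri", src: attrs.src });
    }
  }
  return findings;
}
```

Run it against a saved copy of your own checkout page and treat any `untrusted-origin` finding as something to investigate, not necessarily a compromise.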

Wanna email your governor? Good luck!

One of the simplest methods of communication with the top executive in your state is anything but. This week I tried to find the email address for my governor, Mike Parson, but all I got was a lousy web form on the state website. Yes, I could fill out the form, but I wanted to track our correspondence (wishful thinking, I know) through my email client. Alas, it was not meant to be.

This turned into A Project. Turns out many states aren’t so transparent about their email addresses. Surely they must use email to conduct state business. But finding out these actual addresses, well, that is another matter.

Yes, almost every governor’s office phone number is easily discoverable from numerous online sources. And part of me wanted to call each one and ask what the appropriate email address is, just to hear the staffer sputter or put me on hold. You can go to this document, maintained by the National Governors Association, which lists both phone numbers and postal addresses for all of them, including territories. There is a separate document that links to various social media addresses. But email? Nope. You can see the data here for the first few lines:

(NGA, you might want to spend the minutes it might take to add another column to this document and become useful to those of us who want to use email.)

A quick check of several nearby states shows Missouri isn’t alone in relegating constituent queries to a web form: the state websites of Illinois, Kentucky, Iowa and Maryland also just have these forms on their governors’ pages, with no mention of their chief executive’s actual email address. That’s annoying. I tried to decode the underlying HTML of the forms, but I wasn’t smart enough to suss it out.

This reminds me of a story that I wrote many years ago, at the dawn of the internet era. I was searching for computer tech support information, and back then we didn’t have Google and most vendors barely had FTP servers, let alone websites that had this information. But that was the 1990s. Those that had email responders didn’t really staff them for timely answers either. That article btw is notable in how many companies have gone to dust (Lycos? Compuserve? Memories.)

There is a source of governor emails, and it comes from an odd place: Rick Halperin, a history professor at Southern Methodist University. Not wanting to link to an outdated document, I emailed him and asked if he keeps the document up to date. Within minutes he replied (thanks Rick! Governor staffers, please note.), saying thanks for reminding him and yes, link away. So there you have it. To paraphrase that infamous cartoon, on the internet, everyone knows you are a dog if you work for a state government.

Now I am under no expectations that my governor — or any other — is actually going to read his or her emails. Or that anyone will actually respond with anything other than a form letter. But if you want to comment on this piece, I will take the time to write back.

Book review: The Next Rules of Work

I have known Gary Bolles for decades. Back when I was putting together the first editorial staff for Network Computing magazine, Gary was one of my early hires. He had a curious resume, made even more so by the fact that his father was famous for the “Parachute” career counseling books. He was a quick learner — so quick that when I left the magazine to start my own consulting business he was my pick to succeed me, and he then went on to found other publications and eventually his own consultancy. He has written his first book, and it complements the family business by showing how we have evolved in how we approach work. His thesis is that we are in a new era, where the old rules of pre-learning aren’t sufficient, and we need to become lifelong learners with a deep portfolio of experiences, interests and job-like skills.

Part of the new rules is directed towards managers, who have to transition from being the “sage on the stage” to the “guide on the side.”

Like the Parachute series, there is assigned homework, which is just as annoying as when I read Bolles Sr.’s books back in the day. The model canvas can be found on Gary’s website here.

Most of his book is focused on adjusting three frames of reference for both individuals and the new companies that they work for: mindset, toolset and skillset. You will need to adjust your mindset to handle what the world needs, what you love and are good at, and what you can actually be paid hard cash money for. The Japanese call this Ikigai. You will need to adopt what he calls “flash problem solving” skills with an ad hoc group he calls the coalition of the willing. This may mean “unbossing” yourself, which sounds scary, but millions of gig workers have already succeeded at it.

Another concept is one that I wrote about last week, how to become a life-long learner and what this means for retirement.

There are a lot more thought experiments and Venn diagrams to illustrate his points. If you are ready to make the jump and sign on to this new way of life, you might find the book a useful manual. Bolles’ book is available on his website, and if you are still unsure you might want to sign up and watch a couple of his classes on LinkedIn Learning ($30/mo).

Avast blog: Here’s how hackers can steal your data using light, radio, and sound waves

Most of us are familiar with the primary methods for moving data into and off of our computers: think Wi-Fi networks, USB ports, and Bluetooth connections. However, there are additional, lesser-known ways in which data can be retrieved from a device. An elite group of cyber researchers from Ben-Gurion University (BGU) in Beersheva, Israel, has made it its mission to figure out more than a dozen different ways that bad actors with lots of time can extract information, even if you think your PC isn’t connected to anything obvious.

In my post for Avast’s blog, I summarize these methods and provide some advice on how to avoid these sorts of attacks.