Why we need girls’ STEM programs

Like many of you, I have watched the horrors unfold in Afghanistan this week. There has been some excellent reporting — particularly by Al Jazeera on their English channel — but very little said about one massive and positive change that the past 20 years has seen: hundreds of thousands of boys and girls there have received an education that was previously out of reach. I am particularly glad to see that many students have also gotten interested in STEM fields as well.

I was reminded of something that happened to me nine summers ago, when I was one of the judges in the annual Microsoft Imagine Cup collegiate software contest, held that year in Sydney. By chance, I ended up judging three teams that were all female students from Ecuador, Qatar and Oman. Just so you understand the process: each country holds its own competition, and that team goes on to the finals. That means that the women bested dozens if not hundreds of other teams in their respective countries.

My post from 2012 shows the Omani team (above) and how carefully they branded themselves with red head scarfs (their app was something dealing with blood distribution, hence the color and the logos on their shirts). The Qatari team had a somewhat different style: one woman wore sweats and sneakers, one wore a full-on burka covering everything but a screen for her eyes, and the other two had modest coverings in between those points. It was my first time seeing anyone give a talk in a burka, and it was memorable. All four of them were from the same university, which was also an important point. While none of my teams were finalists, it didn’t really matter. They all were part of the 375 students who made it to Sydney, and they all got a lot out of the experience, as did I.

The reason I was thinking about the issues for women’s STEM education was this piece that I found in the NY Times about the FIRST robotics competition and the Afghan girls team. The story was written two years ago, and pre-dates what is happening now.

The girls were able to make it out of Kabul on Tuesday to Oman, where they will continue their STEM education. But there are certainly many thousands of girls who aren’t so fortunate, and we’ll see what happens in the coming weeks and months. I think many of us are literally holding our breath and hoping for the best.

One of the reasons for the FIRST girls team’s success was great mentorship by Roya Mahboob, an Afghan expat tech entrepreneur and the team’s founder. She — yes you might not know that Roya is a woman’s name and is Persian meaning visionary — isn’t the only one that got behind these girls — if you read some of their own stories you can see that they had the support of an older generation of women who had gotten STEM education — the “tech aunties brigade” as I would call them — who were important role models. It shows that this progress happens slowly — family by family — as the old world order and obstacles are broken down bit by bit. Think about that for a moment: these girls already had older family members who were established in their careers. In Afghanistan, there isn’t a glass ceiling, but a glass floor to just gain entry.

While there is a lot to be said about whether America and the other NATO allies should have been in Afghanistan to begin with, I think you could make an argument that our focus on education was a net positive for the country and its future. From various government sources cited in this report, “literacy among 15- to 24-year-olds increased by 28 percentage points among males and 19 points among females, primarily driven by increases in rural areas.” This is over the period from 2005 to 2017. And while I couldn’t find any STEM-specific stats, you can see that education has had a big impact. I don’t know if the mistakes of our “endless war” can be absolved by this one small but shining result, but I am glad to see more all-girls STEM teams take their message around the world, and to motivate others to try to start their own STEM careers.

The period of your life formerly known as retirement

I have known quite a few of my contemporaries who are contemplating the next phase of their lives. In April, 4M people quit their jobs. This used to be called retirement, but now we need a better word to indicate more of a transition rather than a choice. I now think of this differently. No longer is this the time to relax, to travel, to see the grandkids, to take up new hobbies or volunteer work.

This isn’t exactly a new idea. Pablo Casals once famously said that he was motivated to continue to practice the cello in his 90s because he was making progress.

One friend of mine is hyper-organized: he has five volunteer jobs — one for each day of the week to keep himself busy. Others have a part-time job that gives them some flexibility. As to travel — well, we have the virus to change those plans.

Gary Bolles in his first book, called The Next Rules of Work, plots out a new vision for how we relate to work, to jobs, to bosses, and to our lives. You can click here for my full review of his book. My takeaway for this blog post is the changing way we need to approach retirement — no matter what is your age.

For many years now you didn’t have to be receiving Social Security payouts to retire. I know plenty of teachers and military members who began working at age 20, and were able to retire with full benefits when they turned 40, often starting new careers.

When friends ask me if I am planning on retirement, I say no. And this is because I am completely aligned with Bolles’ Next Rules. I consider myself a lifelong learner, and designed my freelance business to ensure that I would always be learning something new about the tech fields that I write about. It wasn’t too hard: I imagine if I was writing about the sporting goods or home appliances businesses I would have a lot less learning to do year-on-year. (Maybe not, but you get my point.)

No matter where you are in your life, you have to figure out how to continue to learn new stuff. When we are working every weekday, we tend to have someone else force us into this learning-as-part-of-the-normal work process. But as more of us become gig workers, we have to create these situations on our own, and that is the manual that Bolles has constructed.

You could build it in, as “if it is Tuesday I volunteer at X” how my friend does. Or you could have other mechanisms that force the learning, such as a book club (where the group actually does read the assigned books), or a travel schedule (if we can ever get back to that again), or something else that forces you out of the house so you aren’t locked into daydrinking/Netflix bingeing cycles. Of course, for some of us that just may be an intermediate goal, which is fine.

So if you aren’t happy in your current job, think about making this transition to becoming a life-long learner. Don’t wait until you reach your 60s.

FIR B2B podcast episode #149: Cutting out the middleman in B2B PR

For years Paul and I have used Help A Reporter Out. The service — now owned by Cision — aims to eliminate the gatekeeping middleman role of corporate PR, and put sources directly in touch with the journalists that want to quote them. HARO, as it is known, has been less useful as of late, but there is a new, venture-backed startup called Qwoted that is making some important inroads. We spoke to its CEO and co-founder, Dan Simon. He told us Qwoted had close to a thousand inquiries last month and is growing. The service has a free tier (individuals can make three monthly requests, agencies five) and a paid tier.

Qwoted flips the PR paradigm on its head by letting journalists initiate the conversation and cutting out the need for pitches.

Simon has lots of pointers to help PR and marketing staff get the most out of his service. He is deeply steeped in the field, having been president of Cognito, a New York financial services agency, among other roles. Simon recommends that you use the tools he provides to search on previous successful match-ups and examine the job titles more carefully, as well as to fill out the profiles to make your expertise more transparent and compelling.

You can listen to our 16 min. podcast here:

Speech: Using NetGalley to Promote Your Self-Published Book

One of the best ways to promote your book is by reaching new readers with pre-release copies, and thanks to a service called NetGalley, you can add this to your toolbox.

I have been using NetGalley as a reader for the past several years: the idea is that I can read new books that interest me for free, provided that I review them and post my reviews on Amazon and other book selling sites. In this presentation, I will show you the author’s point of view. Yes, it does cost to make your pre-release “galleys” available—but the fee is a very reasonable $450 per book, or $200 if you are a member of IBPA. In this presentation, I will show you how NetGalley works, what kinds of books are best for the service (including audiobooks) and the best time to take advantage of it as part of your book marketing efforts. 

This speech will be given to the St. Louis Publishers’ Assn on September 8.

Here is a copy of my presentation slides

Two new posts on cybersec certifications advice from Infosec Resources

Figuring out your appropriate certification program isn’t easy and involves almost as much studying as preparing for the certification exams themselves. But these programs can have big payouts in terms of job advancement, increases in responsibility and salary. I wrote two posts for Infosec Resources.

In our first post, we presented the issues a manager should consider in building a training program for their company. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers. In this first post, I talk about what are some of the benefits of training and ways to measure them, explore some of the costs, and the four different modalities that you can use to design your own training program.

In the second post, I explore the benefits and costs from the individual’s perspective and what you should expect from a certificate program and how to evaluate a program. This post also has a handy comparison chart that shows your costs and other considerations from the major infosec certs.

| Provider/Link | Cost | Other certifications to consider |
|---|---|---|
| COMPTIA Security+ | $390 for 90-minute test | Penetration testing, cybersecurity analyst and general IT courses too |
| EC-Council Certified Ethical Hacker (CEH) | $1200 for four-hour test | More than a dozen cybersecurity specializations including disaster recovery, penetration testing |
| ISACA Certified Info Security Manager (CISM) | $760 for four-hour test for non-members but significant discounts for members, study materials extra | Courses on risk management, data privacy and auditing |
| ISC2 Certified Cloud Security Practitioner (CCSP) | $549 for four-hour test | Also offer numerous other cloud-based security classes and boot camps for above tests |
| Offensive Security Penetration Testing | $800 for a one year subscription | Three different levels, other certifications in web apps and devops |
| SANS Institute Network penetration testing | $8,000 for in-person instruction at various locations around the world | Dozens of courses covering a wide range of infosec topics |

Nine ways to improve your business cybersecurity

Two new reports show the dismal state of cybersecurity across US federal government networks. First is this report from the General Accounting Office, which found hundreds of its earlier recommendations haven’t been implemented by numerous federal agencies. While there has been some progress since it last reviewed these procedures, much work remains to secure our federal systems.

And more recently, this report from the Senate Homeland Security committee is now out. Despite years of warnings, federal agencies such as the State, Education, Agriculture and Health and Human Services departments have not established effective cybersecurity programs or complied with federal information security standards. We all knew that the feds were lax when it came to implementing better cybersecurity practices, but the lack of many basic security practices is alarming.

Here are nine things that most federal departments don’t do and that your company should implement.

1. Maintain an accurate and current IT asset inventory, including apps and OS versions. Do you know where all your critical apps are, and who is responsible for them? How about where outdated systems (Windows XP anyone) still live and lurk? If you don’t know, you will need to find this out, and the sooner the better.
2. Patch quickly and constantly stay up to date with patches. Microsoft issues patches weekly on Tuesdays. Adobe is also generous (ahem) with its patches. But you need to get into the regular habit. Some major cyber attacks happened because businesses — some very big ones at that — took a couple of weeks to get around to doing them. (Remember WannaCry?)
3. Know your risk factors and assess them regularly. I have written lots of articles about assessing risk, including this one for CSOonline. The key word in this task is being regular. If you are running an online business, your applications are continuously changing, and that means you need to audit these risks and ensure that something isn’t missed. The GAO report found that “while many agencies almost always designated a risk executive, few had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.”
4. Do you track unauthorized users’ access to your systems? It is a simple yes or no answer, but often we don’t know enough to be sure. So many attacks happen because the bad guys have gotten into our networks months ago, and had time to mess around with things before we found evidence of the intrusion.
5. Have you implemented any multi-factor authentication methods? One way to shore up your access is to use MFA. This is gaining traction but still far from universal, whether that be inside government or out.
6. Do you protect your personal identifying information (PII) and do you know when you don’t? It is important to first understand where you can find your PII, who has control over this data, and who has control over protecting it.
7. Do you have a CIO, or does anyone in that role carry the authority to fix any of the above problems? While many small businesses don’t have budgets to hire a full-time CIO, someone has to take on the job — either inside the company or as a consultant. Make sure the authority to make improvements is also part of the job.
8. Do you know your IT supply chains well enough? The recent ransomware attacks have shown that many businesses haven’t developed any procedures to ensure that they are protected from these sorts of attacks.
9. Have you read and implemented the NIST standards docs? What, you don’t know what I am talking about? Back in April 2018, the National Institute of Standards published its Framework for Improving Critical Infrastructure Cybersecurity. Speaking of improving supply chains, another NIST document is worthy of your attention — it lists a bunch of mitigation measures for this particular scourge. While a lot of both documents is written in government mumbo-jumbo, the basics of how businesses can reduce the risk of cyber attacks are all spelled out.
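As an added example (not from this post, nor from the GAO or Senate reports it cites), here is a small Python script that applies several of the basics above to an asset inventory: it flags end-of-life OS versions (item 1), hosts not patched within an assumed 30-day window (item 2), hosts with no recorded owner (items 1 and 7), and hosts where MFA is not enabled (item 5). The CSV export format, the column names, the end-of-life list, the patch window and the sample hosts are all assumptions constructed for the example; a real run would take the export from your CMDB or endpoint-management tool and the end-of-life dates from the vendors’ lifecycle pages.

```python
"""
Triage an IT asset inventory against a few of the basics from the list above.
Everything here (columns, hosts, EOL list, thresholds) is a constructed
assumption for the example, not data from the reports cited in the post.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. In practice this would be an export from a
# CMDB or endpoint-management tool; the column names are assumptions.
INVENTORY_CSV = """hostname,os,os_version,owner,last_patched,mfa_enabled
fileserver01,Windows,Windows Server 2019,it-ops,2021-07-20,yes
legacy-hr,Windows,Windows XP,,2014-04-01,no
web01,Ubuntu,20.04,platform,2021-06-01,yes
vpn-gw,Linux,CentOS 7,netops,2021-07-28,no
"""

# Constructed end-of-life list (assumption; use the vendors' lifecycle pages).
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}

# Assumed patch policy: every host patched within the last 30 days.
PATCH_WINDOW_DAYS = 30


def load_inventory(csv_text):
    """Parse the CSV export into dicts with a real date and a real bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["last_patched"] = date.fromisoformat(row["last_patched"])
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "yes"
        rows.append(row)
    return rows


def find_issues(rows, today):
    """Return {hostname: [issue, ...]} for every host that fails a check.

    Checks, in order: end-of-life OS, patch age beyond the window,
    missing owner, MFA not enabled. Hosts with no findings are omitted.
    """
    cutoff = today - timedelta(days=PATCH_WINDOW_DAYS)
    issues = {}
    for row in rows:
        found = []
        if row["os_version"] in END_OF_LIFE_OS:
            found.append("end-of-life OS: " + row["os_version"])
        if row["last_patched"] < cutoff:
            found.append("not patched since " + row["last_patched"].isoformat())
        if not row["owner"].strip():
            found.append("no responsible owner recorded")
        if not row["mfa_enabled"]:
            found.append("MFA not enabled")
        if found:
            issues[row["hostname"]] = found
    return issues


def triage(csv_text=INVENTORY_CSV, today=None):
    """Parse the inventory and return the issue map.

    `today` defaults to a fixed date so the sample output is reproducible.
    """
    if today is None:
        today = date(2021, 8, 1)
    return find_issues(load_inventory(csv_text), today)


if __name__ == "__main__":
    for host, problems in sorted(triage().items()):
        print(host)
        for problem in problems:
            print("  - " + problem)
```

Run against the constructed inventory, the clean host (fileserver01) produces no findings, the Windows XP box produces all four, and the two remaining hosts each fail exactly one check. The point of keeping the checks in one function over one data source is that items 1, 2, 5 and 7 all depend on the same inventory being accurate: if a host is missing from the export, none of the other checks will ever see it.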
Good luck with improving your defenses.

How hate can fund a video streaming career

When I last checked in with Megan Squire, a computer science professor who specializes in tracking online hate trends, she was looking at the far-right users of various messaging services. Last month she presented this paper about how this group has taken advantage of the DLive streaming video service to solicit donations and spread their horrible videos. Some of the Jan 6 Capitol rioters used DLive to broadcast their attack and exploits.

Unfortunately for these users, DLive also has a very robust and public API that allows researchers to track the flow of funds through their platform. Squire was able to examine the accounts of more than 100 different users, half of them active streamers and the other half either large-ticket donors or others of interest to her work. Some of these streamers can make $10k in a typical month in donations, providing a way to obtain regular income for these political extremists. While most of these funds come from these donors, there are also funds that originate from lots of followers. These donations usually happen during the live broadcasts when the viewers purchase “lemons” (the built-in platform currency).

She mapped the community into this network graph shown below. You can see the pink nodes that are the streamers, and the graph shows a very fragmented audience. The streamers mostly have their own and separate fan clubs (if you analyze their donors who give them at least $120). The cluster marked B in the diagram is an affiliated Proud Boys account and the C cluster represents the activist Peter Santilli. Both Santilli and members of the B cluster are facing various criminal charges.

Now, Squire admits that finding these alt-right streamers wasn’t easy, and by no means representative of the larger DLive community, most of whom are focused on online gaming. Since the January riot, the platform has taken steps to remove these streamers and to cooperate with law enforcement on subsequent illegal usage.

Still, while they were allowed on DLive, many of her streamer subjects have made substantial incomes from their narrowcast supporters. I am sure they have found other online platforms to spew their messages of hate.

If you don’t have time to review Squire’s paper, you can watch a short 10 min. video where she walks you through her research. She hopes that by shining a light on these activities, other researchers will be encouraged to examine other online platforms that have public data.

Avast blog: An Ugly Truth: A book review

New York Times reporters Sheera Frenkel and Cecilia Kang have been covering the trials and tribulations of Facebook for the past several years, and they have used their reporting to form the basis of their new book, An Ugly Truth: Inside Facebook’s Battle for Domination. The book is based on hundreds of interviews with these key players and shows the roles played by numerous staffers in various events, and how the company has acted badly in protecting our privacy and in making various decisions about the evolution of its products. Even if you have been following these events, reading this book will be an eye-opener. If you are concerned with your personal security or how your business uses its customer data, this should be on your summer reading list. The book lays out many of the global events where Facebook’s response changed the course of history.

My review of the book and some of the key takeaways for infosec professionals and security-minded consumers can be found here.

Avast blog: Beware of crypto exchange scams

You may already have won! How many scams have begun with these words?

There is a new breed of scammers gaining popularity, thanks to the wild swings in the cryptocurrency market. I worked with Avast researcher Matěj Račinský, who has tracked three different fake crypto exchanges. I show you some of the come-on messages, why their tactics are so compelling and — almost — believable, and how they ply their criminal trade, including phony news site announcements (as shown here).

You can read more about these scammers, and ways to avoid them, in my blog post for Avast here.

Recently published stories you might be interested in

First off, mea culpa for sending out that test message earlier this month. As you might have guessed, I have moved everyone to a new listserv (still using Mailman after all these years) at Pair.com, and things seem to be working. LMK if you want to be removed or have your address updated or have issues with the mailings.

Last week was not a quiet week in Lake Wobegon, where all of my sources are above average. I flew for the first time domestically on business, and (unlike the fictional town) the flights and airports were crowded, but everyone was masked up and behaving, thankfully. The trip was to visit the Cyber Shield exercises held at the Utah National Guard base outside of Salt Lake City. I was staying on the base across the street from the monster NSA data center that you can see in the background.

The Guard story is posted here on Avast’s blog. I write about how the Guard is using live cyber ranges to train its cyber soldiers and the very realistic scenarios it is using. The dedication of the 800-some participants during this two-week event was amazing to see first-hand, and I appreciated all the time the Guard took to explain what they were doing and give me some of their stories of how they got involved with both the Guard and how it related to their careers in cybersecurity.

I also wrote another post for Avast about the Pegasus Project that was the work of security researchers at The Citizen Lab in Toronto, the Security Lab of Amnesty International in Berlin, and the Forbidden Stories project in Paris. Pegasus is a surveillance tool sold by the Israeli private firm NSO Group. It can be deployed on both Apple and Android phones with incredible stealth, to the point that targets don’t even know it is there.

The three groups examined phones from 67 people and found that 34 iPhones and three Androids contained traces of Pegasus – about a third of these had evidence that Pegasus had successfully compromised the phone. Two items were interesting: First, one of the hacked iPhones was running the most current version of iOS. Second, many of the targets show a very tight correlation between the timestamps of the files deposited by Pegasus and particular events that link to the monitoring of the victim. Someone who was a client of NSO, and could target their tool at these people, was very interested in them; they ranged from politicians to journalists.

Several years ago, one of my contacts showed me the power of Pegasus on a test phone at my office and it was scary how easily the spyware could collect just about anything on the phone: texts, pictures, IP addresses, phone contacts, and so forth. If you want to read more about this project, several media outlets have written stories about it and are linked in my Avast blog.

Since I am in self-promotions mode, you might also want to check out some of my other work that I have written recently:

  • A story for CSOonline about a new defensive knowledge graph done by Mitre for the NSA called D3FEND. The project will help IT managers find functional overlap in their security tools and help guide new purchases as well as make better defensive decisions.
  • A podcast about a new report by Forrester that Paul Gillin and I recorded about the changing landscape of B2B discussion groups. The 14 minute conversation covers how the shift from LinkedIn to Facebook groups has evolved and why IT vendors and channel partners should pay attention to the other social network outlets.