Avast blog: It ain’t easy to remove your personal data from the brokers

I tried to remove my own data recently and found it to be a very frustrating online rabbit hole. You will find the task to be nearly impossible and, sadly, this is by intent and by design: the brokers charge by the gigabyte and aren’t paid for being accurate. And you don’t pay them anything, so you aren’t really the customer; you are just the unwilling victim.

Note: these brokers are the legitimate side of selling your data, not to be confused with the illegal dark web side, such as the recent scraping of 700M LinkedIn users. Fighting that is for another post.

I started out my own quest by submitting removal requests for my data to three places: Epsilon, Experian, and Intelius. I picked these somewhat at random, but the trio gives you a good idea of what you are in for. My journey through this looking glass is chronicled for my latest blog post for Avast here.

Avast blog: Fighting unpredictable existential threats

Earlier in June, CogX Festival brought together representatives from business and government to discuss innovation. I watched a panel session on dealing with unpredictable existential threats. The panelists included Robert Hercock, the Chief Research Scientist at BT Security, Clarissa Rios Rojas, a research associate at the University of Cambridge’s Centre for the Study of Existential Risk, and Avast CISO Jaya Baloo. Rojas and her colleagues spend a lot of time looking at a wide range of global risks that could lead to human extinction and other dire circumstances. You can watch the session here and can read my synopsis of the conference session on Avast’s blog here.

Wanna read books for free? Here’s how.

For those of you who are avid readers, you might want to investigate a service called NetGalley. I have been using them for seven years and have read hundreds of books for free. The only catch? I have to read them on my Kindle (or Nook or equivalent device) and then write a short review that I then post to Amazon, B&N, Goodreads, and other bookselling websites.

It is a terrific service which publishes the pre-publication versions of books, which used to be called galleys back in the days of Gutenberg, to a select audience of what they call “professional readers.” These versions often have small editing mistakes but are otherwise close to the actual text that you will see in the finished book.

The workflow is as follows. Once you join the service, you will get weekly notifications in your email about upcoming new books. Sometimes there is a short description, and you can click on that and get a longer one that will give you an idea if you are interested in reading the book. The service is used by both new authors and established ones alike, and there are tens of thousands of readers and authors using the service. Some books are immediately available for download; some will require the publisher to approve your request. Sometimes I get turned down, but usually within a day or so I have a new book waiting for me in my NetGalley account. I then send the digital file to my Kindle reader, and within minutes I can be reading a new book. Pretty neat, this whole internet thing, right?

I would say over the past several years I go through phases where I read more books on my Kindle than in print, and then the reverse. Given that bookstores have been mostly closed for browsing under the pandemic, I have gone back to using my Kindle more.

The NetGalley service keeps track of when the book is actually available for sale on the book ecommerce sites and sends you a tickler so you can post your review accordingly. That appeals to me, because I like to be in the first batch of folks posting my review.

There is a wide range of books available on the service, and this also includes audiobooks as well as the traditional printed text. You can set your subject matter preferences and other parameters for your account. If you don’t want to wait for the weekly notifications, you can browse for new titles at any time.

If you really like a book and want to get to interview the author, NetGalley will help facilitate that relationship. They also make it very easy to take your review and get it put on the bookselling sites with a couple of clicks.

As I said, the service is free for readers. They make their money from publishers (and self-published authors) who pay a fee to post their galleys on the service for a specific time period. The fees vary from a single book for $450 for six months to discounts for multiple books for publishing houses or members of various publishing associations.

I will be giving a seminar on NetGalley in September for the St. Louis Publishers Association. Email me if you are interested in seeing this presentation.

The role of mutual trust when you resume international travel

I recently spent two weeks in Israel visiting my daughter’s family. Making the arrangements was an interesting exercise and exposed how broken our mutual trust relationships have become in the Covid era. There are several weak points, especially under the strain of crossing international borders:

— Crossing borders (customs and immigration procedures). Before the pandemic, there were fairly well-defined rules on how one could enter another country. Some places, such as the EU, had complete trust and no actual physical barrier between countries: it was more a line drawn on a map. But that trust has broken down, and now the rules are in flux, seemingly with daily changes.

In my previous visits to Israel, I didn’t need a visa as an American citizen. But I was interrogated by a customs official as to my purpose. That in-person conversation was replaced by a pre-flight application process that was maddening. I had to provide all sorts of documents to the Israeli embassy (in Miami, which covers my part of the US). My application was questioned several times before getting approval. Once I arrived at the Tel Aviv airport, I was able to gain entry to the country by just scanning my passport, plus a quick conversation with a health ministry representative who wanted to see the documentation about my negative Covid PCR test. The passport scan had previously only been available to those holding Israeli passports, and is similar to our Global Entry process.

— Proof of vaccination. The issue for any American traveling abroad is that our cardboard proof of vaccination isn’t trustworthy. I had to get a blood test in Israel that proved it: the locals have an app that is tied to their HMO’s system that used to be a condition for entering public places like shopping malls and sports stadiums. While I was there the restrictions were removed: that is what happens when sufficient folks have gotten vaccinated. But without the blood test, I would have had to stay in isolation at my daughter’s home during my entire visit.

— Passenger behavior (inflight). The news media is filled with stories about misbehaving passengers who have been arrested and removed from flights. The vast majority of these cases were from domestic US flights. The international flights that I was on saw no trouble. And when I interviewed my flight attendants, they also said that the cases were overstated by the media.

— Passenger behavior (on the ground). The five airports that I was in (St. Louis, Houston, Frankfurt, Tel Aviv and Newark) all had vastly different experiences. The most crowded airport was Houston and most of the passengers were masked and the airport shops were open and busy. In Tel Aviv’s airport, few people wore masks and donned them just before boarding their flights. Frankfurt was a ghost town and few shops and airport lounges were open, although I did find one where I could take a shower. Newark was busy, and had frequent PA announcements that any passengers without masks would be subject to a $50 fine.

I am glad that I got an opportunity to see my family. The bottom line for those of you that want to travel internationally in 2021: plan ahead and be prepared to roll with sudden and inexplicable changes.

Avast blog: Should you just walk away from Amazon’s “Just Walk Out” tech

If you’ve been following Amazon’s move towards having physical storefronts, you probably have seen the news about a series of different types of retail stores they have created, including bookstores, grocery stores, general merchandise stores, and shops selling prepared food. Add to this the fact that they’ve owned Whole Foods Markets for the past four years. In my blog post for Avast, I take a closer look at the way that these Amazon outlets collect customers’ money, how they access their data, and some of the privacy implications tied to Amazon’s “Just Walk Out” technology. These stores and technology take the collection of shopper data to the next — and perhaps creepier — level.

book review: Make it, don’t fake it (Sabrina Horn)

I’ve known Horn and worked with many of her staff for decades, since I am a freelance journalist who has written about many of her B2B enterprise technology clients. Reading her book Make it, Don’t Fake It was part trip down memory lane, part catching up on key moments of tech history, and part appreciating her advice.

I think like many business books, the first half is strong and full of creative and great suggestions on how to become more authentic and more honest as a business leader. For example, she writes early on in the book “when you are first starting out, doing and being anything to win business is tempting and also dangerous.” I liked that she poses the question, ”Am I ready to become a business founder?” and that you need to carefully consider the exact role that you want to play in your company. She takes you through a process to disarm your fears and minimize the risk of starting your business with a series of exercises that are well worth studying. But you need the practice and the patience to do the work – if you didn’t think similar items in “What Color is Your Parachute” were for you, then this book’s advice is wasted.

Horn also gives an analysis of the common traits in the best and worst employees she has hired over the decades, something that I as a manager can relate to. For example, the best were people who could do things that she couldn’t, and who respected her authority as a boss. (I once had an employee who refused to acknowledge that simple fact, and while he was very smart, he was impossible to manage.)

Ultimately, the “hardest thing about building a great brand is keeping it that way,” and she goes on to suggest ways to investigate initiatives for both business expansion and contraction while listening to your customers and your staff carefully. And running a postmortem exercise after every time you make a big mistake or fail to get some important client.

Horn comes down on the tech bro culture, but she could have strengthened and sharpened her analysis and made it more relevant, especially in this hyper-woke world where culture can be tricky to navigate. And as this tweet proves, “online a lot of people benefit from appearing to be friends so that they can push their brand. I don’t have it in me to be fake and play those kinds of games.” There are many dimensions to being authentic, indeed.

Book review: A Dark and Secret Place

The copycat serial killer on the loose is a common plot point, but this horror/thriller takes things a step further. Some of the steps I can’t reveal without spoilers but let’s just say this novel has some very strange stuff going on and it plumbs the depths of psychosis of several of its characters. The POV is from the daughter who has found out her mother killed herself, and she tries to figure out what happened. The two were never very close, and the death brings out many life moments that were swept under the rug and placed into dark reaches of her memories. While I am not a big horror genre reader this book worked for me as a pure thriller and mystery. The characters ring true and of course the bodies begin to pile up as the copycat killer continues to strike. Highly recommended.

Finding the right VPN isn’t so simple

Never has some imperfect corporate memory been so public before now. In recent testimony before Congress, the CEO of Colonial Pipeline admitted they had forgotten about an old VPN connection that the hackers had found and exploited. “It was an oversight,” he said. I was amazed at this revelation. Yes, we all forget about things, but this was a biggie. You might recall that a few years ago Avast suffered unauthorized access through an unused VPN account.

This reminded me of my own “oversight.” Turns out I had created a second user of my password manager, something that I had set up years ago and never used. This username didn’t have the appropriate password and multi-factor protections. Even within my small company, it is easy to lose track of things.

But being forgetful is just one of several different VPN problems. If you are going shopping for a VPN, you need to consider this. Some VPNs have very good digital memories and are keeping track of your digital movements, even though they claim not to log or store your data. This could be because the vendor is deliberately harvesting its customers’ data. If you aren’t paying for your VPN, chances are good that is how your VPN vendor is making money.

There is another issue: some VPNs aren’t very well constructed and contain coding errors or make use of sub-standard encryption protocol implementations. This happened several years ago, when hackers found their way into NordVPN, TorGuard and VikingVPN. Pulse Secure VPN has had its share of problems for several years, including a recent hack that enabled back doors.

Some VPNs have the potential for leaking the DNS data and IP addresses of their users. Last year, a series of reports were published (one by VPNcrew, the other by VPNmentor) that demonstrated that potentially 20M users have had their private data leaked in this way. Not helping matters is that some of the VPNs deliberately hide their corporate ownership details to disguise the fact that they have shady origins.

So how to fix this? First, find out if your VPN vendor has paid for an independent audit. McAfee’s TunnelBear, for example, does regular security audits of their code and publishes the results. My VPN of choice is ProtonVPN, which also publishes its audit results and takes things a step further by publishing its source code too. There are other open-source VPNs too.

Second, you should understand the testing rubrics that the major computer publications use in their VPN ratings. If you are ready for a deeper dive, here is a detailed explanation of how rigorous your tests need to be and suggestions for testing tools. There are various tests, including the DNS Leak Test and the IPLeak test. If you want to do these tests yourself, compare the output when not using any VPN to what they show when you turn on the VPN.
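To make that before/after comparison concrete, here is an added Python example (not code from this post, nor from any VPN vendor or leak-test site) that takes the public egress IP and resolver list a leak-test page reported with the VPN off and again with it on, and reports the leak classes those tests look for; the addresses are constructed documentation-range values.

```python
"""Compare a 'VPN off' baseline with a 'VPN on' leak-test result to spot leaks.

Added illustration, not code from the post or any VPN vendor. It assumes you
noted, in each state, the public egress IP and the resolver IPs the DNS leak
test reported; the sample values below are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# RFC 1918 ranges: a resolver here means queries never left the local network.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class LeakTestSnapshot:
    """What a DNS/IP leak test page shows in one network state."""
    egress_ipv4: Optional[str]                        # public IPv4 the test site saw
    egress_ipv6: Optional[str] = None                 # public IPv6, if any
    resolvers: Set[str] = field(default_factory=set)  # resolver IPs observed


def compare_snapshots(before: LeakTestSnapshot, after: LeakTestSnapshot) -> List[str]:
    """Return findings for VPN-on `after` versus VPN-off `before`; empty means no leak."""
    findings = []
    # 1. The tunnel must change the public IPv4 address, or it is not carrying traffic.
    if after.egress_ipv4 == before.egress_ipv4:
        findings.append("egress IPv4 unchanged: VPN tunnel is not carrying traffic")
    # 2. A resolver seen with the VPN off that still answers with the VPN on
    #    means DNS queries bypass the tunnel (the classic DNS leak).
    leaked = before.resolvers & after.resolvers
    if leaked:
        findings.append("DNS leak: pre-VPN resolvers still in use: " + ", ".join(sorted(leaked)))
    # 3. A private-range resolver after connecting means queries go to the
    #    home router or ISP path instead of the VPN provider's resolver.
    private = {r for r in after.resolvers if any(ip_address(r) in n for n in RFC1918)}
    if private:
        findings.append("DNS sent to private-network resolver: " + ", ".join(sorted(private)))
    # 4. An unchanged public IPv6 address while IPv4 changed means IPv6 traffic
    #    leaves outside the tunnel (an IPv6 leak).
    if before.egress_ipv6 and after.egress_ipv6 == before.egress_ipv6:
        findings.append("IPv6 leak: public IPv6 address unchanged with VPN on")
    return findings


# Constructed sample data using documentation-range addresses (not real hosts).
BASELINE = LeakTestSnapshot("198.51.100.23", "2001:db8::23", {"192.168.1.1", "203.0.113.53"})
VPN_OK = LeakTestSnapshot("192.0.2.77", None, {"192.0.2.1"})
VPN_LEAKY = LeakTestSnapshot("192.0.2.77", "2001:db8::23", {"203.0.113.53", "192.0.2.1"})
```

Run `compare_snapshots(BASELINE, VPN_OK)` for a clean result and `compare_snapshots(BASELINE, VPN_LEAKY)` to see a DNS leak and an IPv6 leak reported together.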

And you might want to review your own infosec posture, and track down “forgotten” accounts that you have created that have fallen by the wayside. You never know what you might find.

CSOonline: CSPMs explained

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Given the growing number of unintentional cloud configuration mistakes and the growing importance of cloud infrastructure, we need tools that can find and fix these errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

I discuss the importance of CSPMs and what you need to know to evaluate one of them for your particular circumstances in my CSOonline post.


Avast blog: Reimagining staffing in the cybersecurity industry

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA’s State of Cybersecurity 2021, Part 1 report contains the organization’s update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years.

You can read my analysis of their report here on Avast’s blog.