CSOonline: How to improve container security

Gartner has named container security one of its top ten concerns for this year, so it might be time to take a closer look at this issue and figure out a solid security implementation plan. While containers have been around for a decade, they are becoming increasingly popular because of their lightweight and reusable code, flexible features and lower development cost. In this post for CSOonline, I’ll look at the kinds of tools needed to secure the devops/build environment, tools for the containers themselves, and tools for monitoring/auditing/compliance purposes. Naturally, no single tool will do everything.

FIR B2B podcast #118: Customers as advocates, ODI progress and why you need a style guide

We have a trio of discussion items on this week’s podcast with myself and Paul Gillin. The first is from DigitalCommerce360 and concerns how customers should be your best advocates at building your brand identity and promoting your company. Marketers who focus on improving the customer experience and figuring out ways to regularly listen to customers’ desires and complaints can benefit from low-cost and powerful word-of-mouth promotion. So why don’t more B2B marketers have programs aimed at loyal customers?

Late last month there was some progress to report on the Open Data Initiative, a standards effort launched last fall that seeks to create a standard for the interchange of marketing data. Sounds boring, but with marketers spending more on analytics than IT organizations these days, we think it's important. Executives from Adobe, Microsoft and SAP just gave more details about how the three will standardize interfaces among their products to help their shared customers get a clearer view of their own customers without going through a lot of messy data transformation. The trio also announced a slew of VAR partners that will support ODI. But the list was also notable for the big companies that weren't there, like Oracle, Salesforce.com and the marketing automation vendors.

Our final item is How to Create a Style Guide for Content Marketing. Too often marketers jump into content programs without laying the groundwork for a consistent style and direction for their blogs and websites. Having a solid style guide isn't just about where to place your commas but about the right tone of voice and point of view that your authors should take. There is a lot of good advice in this piece.

You can listen to our 14 min. podcast here:

How business voice-enabled apps will become the next thing

If you have an Alexa or Google Home nearby, you probably already know how handy it can be in daily life. But what you may not be as aware of is how businesses are adopting voice-enabled information access, and how this technology could become as revolutionary as HTML and websites were back in the 1990s.

I got to see some of this future at the Prepare.AI conference yesterday here in St. Louis. In particular, a presentation by Bob Stolzberg, the founder of VoiceXP, a two-year old startup that is beginning to make some noise with a voice toolkit that is aimed at business. At the show, Bob demonstrated a couple of examples, using an Alexa as his speaking partner.

One was an app developed for Mercy Health, so you can locate the nearest doctor with just a few commands (Say “Alexa, Start Mercy”). Another was for a law firm, so you can use voice commands to find a lawyer after you have been in an auto accident. One app showed how an executive could easily get various business metrics reported via voice, rather than plowing through a bunch of spreadsheets. One for a scientific research company allows their researchers to add experimental notes via voice commands, so they don’t have to remove their gloves and type them in. “Businesses are adopting voice apps to start their conference calls, to integrate with Slack as replacements for front-desk check-in kiosks, and numerous other apps. We are living in a voice-enabled world,” he said at the conference. They have a few demos on their site with apps that they have built for other companies as well.

The Mercy app was a significant effort, taking a good-sized team working over several months and a pretty substantial budget to put it together. That experience got them working on a much easier path for developing business voice apps so that ordinary folks could build them without a lot of programming or systems integration knowledge. They call it their Voice Experience Platform. It is still in beta but nearing launch, with several different plans that include managed services hosting, custom lead gen features and help with on-boarding the apps. They also provide a voice marketing plan that teaches businesses how to successfully market their new voice experience.

Voice-enabled apps do have their downside, namely a threat to our privacy and potential misuse by bad actors. Given that the Alexa/Home device is always listening, the audio it captures and the data it passes along could be recorded or subject to a man-in-the-middle attack without the proper security posture. VoiceXP has security built into its platform, which is encouraging. "What if a rogue device shared confidential medical data?" asks Adam Levine, a privacy expert. "These new technical advances may make our lives easier, but we need to see a greater focus on privacy."

Another issue is that to voice-enable your corporate apps, you need some way to access them programmatically. That could be trouble: with one of their customers, VoiceXP ended up using a complex spreadsheet and pulling data directly from that into their platform.

Finally, voice apps touch many different parts of your organization, similar to how web apps did when they were first created back in the day. You will need to keep an open mind, build your team accordingly, and empower them to collaborate to formulate best practices to make them work successfully.

If you have examples of your favorite business-related skill or action (as these apps are called), do share them in the comments.

My experiences with online banking

This week saw the announcement of Apple Card, a credit card that doesn't even have a number on its face. While it remains to be seen if Apple will be successful here, certainly we are witnessing a new era of online financial services. More to the point is the development of open banking in the UK. The idea behind open banking was standardizing on APIs to make it easier to move from one bank to another. We are far from that here in the States, but there are many innovators in the banking field. As a big proponent of online banking, here is my report on what I have been using and how they work, for Simple, Aspiration, USAA and Marcus.

Simple was one of the first online banks and I have had an account for several years. They offer no-fee checking/savings and VISA debit cards, although there are some fees for foreign transactions and some ATMs. Opening an account takes minutes and their web interface is clean and easy to understand with superior online help and telephone support.

Marcus is the online entity of Goldman Sachs (who is one of the partners for the Apple Card) and they have two main products: high-interest CDs (right now they offer a five year 3.1% rate) and no-fee loans (6% APR). Opening an account takes minutes and their web interface is clean and simple to understand. I had some issues setting up joint accounts and their telephone support was efficient and helpful and resolved it quickly.

Aspiration offers no-fee checking and debit cards. Actually, that isn't quite accurate: you decide on the fees that you wish to pay them. It is an interesting gimmick. You can select nothing, and you can change the amount as often as you wish. There are some third-party fees, such as for wire transfers, that they pass along at their cost. They also make it easier for you to donate money to particular causes that you can set up online.

Activating my debit card from them required a call to their telephone support center. This could have been a network problem that they were experiencing at the time. They have a mobile app where they have spent more development time, and their web interface is pretty spare.

USAA has been in the online financial services world for a very long time, and it shows. If you have a family member that has served in the military you can open an account. They offer life, car and home insurance, CDs, credit cards, mutual funds and many more products. They try to keep their costs low and usually send me a small check at the end of the year as a “dividend” to thank me for being a member. I have had my car insurance with them for a long time and they have superior claims service and amazing response time from their telephone call center.  

If you are looking for online banking services, here are some things to look out for:

What services do you need? If you just want a no- or low-fee credit card, there are many solutions, including products from regular card issuers. If you need more online services, you will have fewer choices. USAA offers the widest spectrum and as I said has been doing it for the longest time. 

Opening and funding your account. You want a provider that has taken the time to build a simple and easy-to-use interface. Each provider does this slightly differently. All offer the ability to enter your bank routing and account numbers and have them make two small test deposits that you then verify, or you can provide your funding bank's username and password (which hands a third party full login access to that account, so think twice before doing so). Aspiration had two issues: the external funding menus were hard to find, and it took a week to fund my account. The others were speedier with their funds transfer. Marcus wins this category.

Making deposits, money transfers and obtaining reports. This is the meat of any provider and most have obvious ways of doing this. My local online bank had two separate procedures for funding and then linking an external account, which was annoying and took two calls to their phone support center to resolve. None of the four were any better or worse than others.

What are the hidden fees? Simple is my favorite here, they were one of the first to be very explicit about the fees they charge. Plus, you can find out everything without having to become a customer. The others are less transparent, although they all offer lower fees than your traditional retail bank (as they should).

What are the MFA implementation(s)? Both Simple and Aspiration offer SMS PINs to authenticate, and once you set this up, you can’t change anything without calling them. But the real standout is USAA, which in addition has other options as explained here, including support for Symantec’s VIP smartphone app. All of these are easily changed online, as long as you can find the linked URL above.

If you check this list of MFA options for the banking sector, you will see support for the MFA authentication smartphone apps is pretty sparse. Sigh.

International travel. Simple and Aspiration both let you quickly record online when and where you will be traveling, which is appealing to me and one of the reasons I went down this rabbit hole. For many years, I only had one credit card, and I would pay off the balance each month. When I began doing more international travel, I realized that I wanted to minimize my exposure if my high-credit-limit card was lost or stolen. That is when I opened an account with Simple.

Do they offer a mobile app? Simple and Aspiration both offer them and focus on mobile as their primary method for customer transactions.

As you can see, no single provider is strong in all areas, which is a shame because you would hope their development teams could learn from the best examples and enhance their sites.  

Some final words of wisdom: prepare to spend some time with your own research and step into these waters gingerly before committing a lot of your money with any provider. Find out what your local bank offers with their online services, as many of them realize they have to be competitive in this area. And feel free to make recommendations of your own experience in the comments.  

Behind the scenes at a regional CCDC competition

Every year hundreds of college students compete in the National Collegiate Cyber Defense Competition. Teams from around the country begin with regional competitions, and the winners of those go on to compete for bragging rights and cash prizes at the national event in Orlando held at the end of April. A friend of mine from the Seattle area, Stephen Kangas, was one of the volunteers, all of whom are drawn from IT security professionals. I spoke to him this week about some of his experiences. The event simulates defending a corporate network, and is divided into two basic sides: the defenders, who make up the blue teams from the colleges, and the attackers, or red team. In addition, there are other groups, such as the judges and the "orange team," which I will get to in a moment. Judges wearing body cams to record the state of play are assigned to each blue team, and their recordings are used to tally up the final point totals. Points are also awarded based on the number of services that are still online and haven't been hacked, as well as those systems which were hacked and then recovered. Both sides have to file incident reports, and these are also evaluated as part of the scores.

Stephen has participated in the competition for several years as a mentor and coach for a team from a local high school that competes in the high school division. This year he was on one of the red teams attacking one of the college blue teams. He has his Certified Ethical Hacker credential and is working towards an MS in Cybersecurity degree too. He has been involved in various IT roles both as a vendor and as a consultant, including a focus on information security, for decades. "I wanted to expand my knowledge in this area. Because most of my experience has been on the defensive side, I wanted to get better, and for that you have to know about the strategy, tools, and tactics used by the offensive black hats out there."

The event takes place over a weekend, and the red team attackers take points away from the defenders for penetrating their corresponding blue team's network and "pwning" their endpoints, servers, and other devices. "I was surprised at how easy it was to penetrate our target's network initially. People have no idea how vulnerable they are as individuals and it is becoming easier every day. We need to be preparing and helping people to develop the knowledge and skills to protect us." His red team consisted of three others who had complementary specializations, such as email, web and SQL server penetration and different OSs. Each of the 30 red team volunteers brings their own laptop, but they all use the same set of hacking tools (which includes Kali Linux, Cobalt Strike, and Empire, among others), and the teams communicate via various Slack channels during the event.

The event has an overall red team manager who is taking notes and sharing tips with the different red teams. Each blue team runs an exact VM copy of the scenario, with the same vulnerabilities and misconfigurations. This year it was a fake prison network. “We all start from the same place. We don’t know the network topology, which mimics the real-world situation where networks are poorly documented (if at all).” Just like in the real world, blue teams were given occasional injects, such as deleting a terminated employee or updating the release date of a prisoner; the red teams were likewise given occasional injects, such as finding and pwning the SQL server and changing the release date to current day.

In addition to the red and blue teams is a group they call the orange team that adds a bit of realism to the competition. These aren't technical folks but more akin to drama students or improv actors who call into the help desk with problems ("I can't get my email!") and read from scripts, putting more stress on the blue team to do a better job of defending their network. Points are awarded to or taken away from blue teams by the judges depending upon how they handle their help desk phone calls.

Adding further realism, during the event members of each red team call the help desk, pretending to be employees and trying to social engineer them for information. "My team broke in and pwned their domain controllers. We held them for ransom after locking them out of their Domain Controller, which we returned in exchange for keys and IP addresses to some other systems. Another team called and, as ransom, asked the help desk guy to sing a pop song. They had to sing well enough to get back their passwords." His team also discovered several Linux file shares that had employee and payroll PII on them.

The college blue team his red team was paired against came in second, so they are not going on to the nationals (University of Washington won first place). But still, all of the college students learned a lot about better defense that they can use when competing next year, and ultimately when they are employed after graduation. Likewise, the professionals on the red teams learned new tools and techniques from each other that will benefit them in their work. It was an interesting experience and Stephen intends to volunteer for the Pacific Rim region CCDC again next year.

RSA blog: Understanding the trust landscape

Earlier this month, RSA president Rohit Ghai opened the RSA Conference in San Francisco with some stirring words about understanding the trust landscape. The talk is both encouraging and depressing, for what it offers and for how far we have yet to go to realize this vision completely.

Back in the day, we had the now-naïve notion that defending a perimeter was sufficient. If you were “inside” (however defined), you were automatically trusted. Or once you authenticated yourself, you were then trusted. It was a binary decision: in or out. Today, there is nothing completely inside and trusted anymore.

It is all a matter of shades of grey. So cyber security means evaluating who and what is trusted on a continuous basis. Ironically, to get to appreciate these shades of grey, we have to work a lot harder before we can trust our computers, apps and devices.

I had an opportunity to spend some time with Rohit at a presentation we both did in London earlier this year and enjoyed exchanging many ideas with him.

Part of the challenge is that the world has become a lot more complicated. How many of us now accept the following as part of our normal routine?

  • Telling your credit card company when you will be out of the country is now part of my pre-trip routine.
  • Questioning when asked to provide our SSN or street address – remember when some of us had them printed on our checks?
  • When signing up for a new website, I no longer automatically provide my “real” birthday. While this is a more secure posture, it is also somewhat annoying when this date rolls around on the calendar and those congratulatory notes come in.
  • Now I use MFA sign-ons more routinely. But when I have an account that doesn’t use MFA it gives me pause as to whether I even want to do business with them.
  • I now accept the extra steps of using a VPN when roaming around on public Wi-Fi networks as part of my normal connection process.

Like Rohit, I have begun “to obsess about the trust landscape.” I think we all know what he means. He spoke about how to manage various risks, which means assessment about the likelihood of particular digital compromises to our networks, our endpoints, and our lives. “It must become our new normal,” he said during this keynote.

But what does this really imply? That we can't trust anyone or anything anymore? That is where the depression sets in. Some vendors have tried to make lemonade out of these lemons by promoting what they call a "zero trust" model. You might think this is a new term, but you would be wrong. It has been around since 2010, when then-Forrester analyst John Kindervag first created the notion. The idea is simple: no user or device is trusted by default just because of where it sits on the network; every access request has to be verified before it is granted. In that paper, he mentions how when Bugsy Siegel built Vegas, he built the town first, and then the roads. In IT, too often we first go for the infrastructure before we understand the apps that will be running on it.

Here is a better idea: RSA CTO Zulfikar Ramzan advocates replacing the zero trust model with one that focuses on managing zero risk. That gets IT staffs to examine what is really important: identifying key IT assets, data, and third parties, and focusing their energies on securing those. He mentioned in this video interview that "if digital transformation is the rocket ship, then trust has to be the fuel for that rocket ship."

Using this zero-risk model changes the conversation from building roads to looking more carefully at the business itself: what apps will we need to deliver business services, how will proprietary data be stored and protected, and who will have access to what based on the business. How many of you can certify with complete confidence that every user in your Active Directory is still a legitimate and current employee? I don’t see too many hands raised, which proves my point.
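The Active Directory question above is answerable, but only by reconciling the directory against something outside it. The following is an added example written for this post, not code from RSA or from anyone quoted here: it takes an AD user export (the kind you get from Get-ADUser with the LastLogonDate property) and an HR roster, both as CSV, and lists the enabled accounts that HR does not know about, that belong to terminated staff, that have not logged on in 90 days, or that have never logged on at all. The column names, the 90-day threshold, the "svc-" service-account prefix and the sample rows are all assumptions constructed for the example.

```python
"""Reconcile an Active Directory user export against an HR roster.

Added example, not from the original post. Assumptions (not from the page):
  - AD export columns: SamAccountName, Enabled, LastLogonDate (YYYY-MM-DD or blank)
  - HR roster columns: EmployeeLogin, Status ("Active" or anything else)
  - Accounts whose name starts with "svc-" are service accounts and are reported
    separately rather than matched to HR.
The two CSV strings below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta

AD_EXPORT = """SamAccountName,Enabled,LastLogonDate
alice,True,2019-03-28
bob,True,2018-11-02
carol,True,2019-03-30
dave,False,2017-06-01
svc-backup,True,2019-03-29
erin,True,
frank,True,2019-03-31
"""

HR_ROSTER = """EmployeeLogin,Status
alice,Active
bob,Terminated
carol,Active
dave,Terminated
erin,Active
"""

STALE_AFTER = timedelta(days=90)       # assumed inactivity threshold
SERVICE_PREFIXES = ("svc-",)           # assumed naming convention


def parse_ad(text: str) -> dict:
    """Map lower-cased account name -> {enabled, last_logon (datetime or None)}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        last = row["LastLogonDate"].strip()
        users[row["SamAccountName"].strip().lower()] = {
            "enabled": row["Enabled"].strip().lower() == "true",
            "last_logon": datetime.strptime(last, "%Y-%m-%d") if last else None,
        }
    return users


def parse_hr(text: str) -> dict:
    """Map lower-cased login -> lower-cased HR status."""
    return {row["EmployeeLogin"].strip().lower(): row["Status"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))}


def audit(ad_users: dict, hr: dict, now: datetime) -> dict:
    """Return the enabled accounts nobody can vouch for, grouped by reason.
    One account can appear under more than one reason (e.g. terminated AND stale)."""
    findings = {"not_in_hr": [], "terminated_but_enabled": [],
                "stale": [], "never_logged_on": [], "service_accounts": []}
    for name, u in sorted(ad_users.items()):
        if not u["enabled"]:
            continue                      # disabled accounts are out of scope here
        if name.startswith(SERVICE_PREFIXES):
            findings["service_accounts"].append(name)   # needs an owner review instead
            continue
        status = hr.get(name)
        if status is None:
            findings["not_in_hr"].append(name)
        elif status != "active":
            findings["terminated_but_enabled"].append(name)
        if u["last_logon"] is None:
            findings["never_logged_on"].append(name)
        elif now - u["last_logon"] > STALE_AFTER:
            findings["stale"].append(name)
    return findings


def run_sample_audit() -> dict:
    """Run the audit over the embedded sample data as of a fixed date."""
    return audit(parse_ad(AD_EXPORT), parse_hr(HR_ROSTER), datetime(2019, 4, 1))


if __name__ == "__main__":
    for reason, names in run_sample_audit().items():
        print(f"{reason}: {', '.join(names) or '-'}")
```

The point of the exercise is that the directory alone cannot answer the question; it only records that an account exists and when it last authenticated. The HR side is the authority on who is still employed, and the service-account bucket is where the ownerless credentials usually hide.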

Tom Wolfe wrote in his 1987 novel, The Bonfire of the Vanities, about a concept called "the favor bank." This means we all make deposits, as favors, in the hopes of making future withdrawals when we need them. Rohit used a variation in his speech he called the "reputation bank," where companies make deposits of trustworthy moments, to balance those dark times when they need to make their own withdrawals. I like the concept, because it gets across that trust is a two-way street. I will give up my email to you, if I get some benefit in return. Those vendors that know how the reputation bank works will earn interest and our trust; those that lie about their privacy policies will overdraw their accounts.

To conclude things, I turn to that great security authority, Billy Joel, who once said it best:

It took a lot for you to not lose your faith in this world
I can’t offer you proof
But you’re going to face a moment of truth …
It only is a matter of trust.

FIR B2B #117: Alternatives to Facebook

The short answer to whether there are alternatives to Facebook is yes, and we explore the various dimensions of The Facebook Problem in this week's podcast. First we touch on the swirl of commentary about Zuck's latest pronouncement that the company will combine Facebook Messenger, WhatsApp and Instagram into a single, unified product. Is there a business model in there somewhere, or is this just wishful thinking? Some analysts have already said that the era of Facebook's News Feed is now officially over. We aren't so sure, but we agreed that Facebook has become mostly a waste of time. There are some other business-oriented networks that we think have more value, including Reddit, Quora, LinkedIn, Alignable and Spiceworks. We've found all of them to be more fertile hunting grounds for business marketers. We also have advice about how to choose and test among those sites.

We recorded this episode just before Brian Krebs revealed that Facebook had stored hundreds of millions of user passwords in plain text, searchable by more than 20,000 employees, for years. It is certainly a sad state of affairs.

One final thought about Facebook: Reuben Arnold, Starbucks' vice-president of marketing and product in EMEA, said he wants to have deeper conversations with some of its customers and promote its brand using private groups and private accounts on social media channels. Maybe this is an alternative to just posting to the greater universe. We'll see.

But wait, there is more. We like this post about whether it’s time to go back to taking notes with pen and paper. How many of those people tapping away on their laptops during a meeting are doing something related to the meeting? You know the answer. Maybe it’s time to ban the laptops and aim for shorter meetings instead. 

We also discuss a recent news item about how execs from the UK-based grocery chain Tesco are frustrated that the company is having to spend an increasing amount of money on ensuring its advertising doesn't appear next to inappropriate content, and believe publishers should foot more of the bill. It used to be that publishers protected their advertisers from this kind of embarrassment, but in a world dominated by algorithms, anything goes.

Finally, there was a charming story earlier this month about a handwritten note to the CEO of Qantas from a 10-year-old boy who wanted to start his own airline. The airline posted the kid's letter and a welcoming reply from CEO Alan Joyce, who commented, "Our competitors don't normally ask us for advice, but when an airline leader reached out, we couldn't ignore it." The story is more than charming though: it is a lesson about how a light touch and a sense of humor can go a long way towards promoting your brand, in this case to the tune of nearly 30,000 retweets.

You can listen to our 19 min. podcast here:

The technology behind “Patriot Act”

If you have seen the Netflix show Patriot Act with Hasan Minhaj, you might have noticed the spectacular eye-popping set that is used for the show. And if you are a curious geek like me, you might want to know about the people responsible for building and operating it.

The show is a comedy vehicle for the former Daily Show correspondent, and mixes a great deal of pop culture and news references with the goal of tackling a single topic each week. Minhaj is on stage for almost all of each episode. You first notice the stunning visual design of the set because it is the set. Minhaj stands on an LED floor that changes in sync with the screens that form the background of the show. This isn't your grandfather's PowerPoint, baby: images zoom in and out and video animations roll across the screens. There are catchy infographics that rotate and fade in, and all the other tricks that we have come to expect in the average Marvel or Pixar movie. Only it is a TV talk show. I think it is pure genius. After you watch this show, every other talk show looks dull as dishwater by comparison.

My interest here is also personal: as a professional speaker, what the team that produces this show is doing is showing how we can use technology to truly immerse an audience into a performance. It is as big a sea change as when I swapped out my black-only “foils” for color PowerPoint for my speeches. Only better.

I interviewed two of the folks that are responsible for the show. Granted, any show is a collaboration of many, many people, including a dozen different animators, designers, and pre-visualization specialists, not to mention all the writers and other usual TV production folks. If you aren’t familiar with pre-viz, as it is called, this is an interesting part of the entertainment universe. As more filming has gone digital, pre-viz folks become very important, because they give directors the ability to see exactly how a scene will look like in its final form before anyone has touched a camera. Think of it like a virtual scene — you can manipulate all sorts of stuff without having to actually build it in real life. I’ll get to why this is important in a moment.

I first spoke to Greg Bloxham, who is the computer operator for the show. That title doesn’t really do his role justice, which is critical to the whole operation. I then exchanged emails with Marc Janowitz, who is the Production and Lighting Designer for the show. Both guys have developed the look and feel and chose the technologies that are used each week.

If you are a fan of Minhaj’s standup, you probably have seen his Netflix special, Homecoming King. Janowitz was involved in that production, which really was a beta test of what the TV series is doing.  “Patriot Act is more like a deep dive into a particular subject that requires intense visual aids to help support the thesis. We had this desire to delve into a style of visual narrative that blends imagery, form and structure and helps to immerse the audiences in the material,” said Janowitz. And as I said earlier, the studio audience is immersed. “A big part of the design impetus for this show was to capture the energy of a live performance with an audience,” he said. Basically, they have turned the tired model of anchorperson-behind-a-desk on its head.

Bloxham spends two days a week on each episode, one day for basic rehearsals, the next day for more detailed rehearsals and then the live-to-tape final run through. He has had a long career in lighting and media design, starting with the Oprah show and then moving into doing live music events and other extravaganzas. “This was a field that was pretty obscure a few years ago, but is now getting to be more common,” he told me. If you remember Oprah, she had video screens around her studio, but not to the extent that Minhaj uses on his show, and certainly not to the extent that they are run in real time.

One of the reasons for the look and feel of the show has to do with Minhaj's personal preferences. He is very involved in the pre-viz process, naturally, and also has a lot of opinions on how the final shows appear. "It is nice that he is so deeply involved," Bloxham told me. The show takes a lot of collaborative work, because as you might imagine having such powerful tech means that writers can change things pretty much up to the last minute. He takes the content from the animators and then puts it all together so that they can run the visuals in real time during the actual performance. If you look carefully at any of the episodes, you'll see the set lighting change colors in sync with what is shown on the video screens. "You can literally program things to move in time with each beat," he said.

The gear that they use is the Disguise 4x4Pro, which is a specialty piece of hardware that is pretty much the gold standard in the industry and used in many concert venues to drive their complex lighting and visual effects. "The Disguise system is what allows the set to exist as a 3D immersive visual display and can map these different surfaces into a cohesive image," said Janowitz. "The set design is composed out of multiple different styles and resolutions of LED video displays."

This system costs tens of thousands of dollars, but what you'll find inside is two 16-core Xeon CPUs and 32GB of RAM, running Windows Embedded 8.1. It outputs 4096x2160 video streams to the various LED screens that are part of the show's set. "We are certainly pushing a lot of pixels," Bloxham told me, although I was surprised that this is well within the reach of a typical high-end PC server. "The tech has gotten approachable," he told me. Each summer he runs a boot camp in Vegas to teach video designers some of the tricks of his trade. "Your average PC with a good graphics card can do a lot today."

Actually they have two media servers, one for backup. "Tech always has a risk, and this way I can switch over to the backup system with just a push of a button," said Bloxham. He has a control console board that is custom built, and includes the lighting controls as well. Given the number of people involved in producing the show, paying for a second server is a wise investment.

So check out Patriot Act on Netflix and let me know what you think. I think years from now we will be talking about its influence, just as we wax on about The Sopranos today.

Where Moneyball meets addiction counseling

A startup here in St. Louis is trying to marry the analytics of the web with the practice of addiction counseling and psychotherapy. In doing so, they are trying to bring the methods of Moneyball to improve therapeutic outcomes. It is an interesting idea, to be sure.

The firm is called Takoda, and it is the work of several people: David Patterson Silver Wolf, an academic researcher; Ken Zheng, their business manager; Josh Fischer, their co-founder and CTO; and Jake Webb, their web developer. I spoke to Fischer who works full time for Bayer, and supports Takoda on his own time as they bootstrap the venture. “It is hard to put all the various pieces together in a single company, which is probably why no one else has tried to do this before,” he told me recently.

The idea is to measure therapists based on patient performance during treatment, just like Moneyball measured runs delivered by each baseball player as their performance measurement. But unlike baseball, there is no single metric that everyone has agreed on, certainly nothing as obvious as RBIs or homers.

We are at a unique time in the healthcare industrial complex today. Everyone has multiple electronic health records that are stored in vast digital coffins; so named because this is where data usually goes to die. Even if we see mostly doctors in a single practice group, chances are our electronic medical records are stored in various data silos all over the place, without the ability to link them together in any meaningful fashion.

On top of this, the vast majority of therapists have their own paper-based data coffins: file cabinets full of treatment notes that are rarely consulted again. Takoda is trying to open these repositories, without breaching any patient data privacy or HIPAA regulations.

Part of the problem is that when someone seeks treatment, they don’t necessarily learn how to get better or move beyond their addiction issues while they are in their therapist’s office. They have to do this on their own time, interacting with their families and friends, in their own communities and environment.

Another part of the problem is in how we select a therapist to see for the first time. Often, we get a personal referral, or else we hear about a particular office practice. When we walk in the door, we are usually assigned a therapist based on who is “up” – meaning the next person who has the lightest caseload or who happens to be free at the moment the patient arrives. This is how many retail sales operations work. The sole design criterion was to evenly distribute leads and potential customers. That is a bad idea, and I will get to why in a moment.

Finally, the therapy industry uses two modalities that tend to make success difficult. One is that “good enough” is acceptable, rather than pursuing true excellence or curing a patient’s problem. When we seek medical care for something physically wrong with us, we can find the best surgeon, the best cardiologist, the best whatever. We look at their education, their experience, and so forth. Patients don’t have any way to do this when they seek counseling. The other issue is that therapists aren’t necessarily rewarded for excellence, and often practices let a lot of mediocre treatment slide. Both aren’t optimal, to be sure.

So along comes Takoda, which is trying to change how care is delivered, how success is measured, and whether we can match the right therapists to the patients to have the best treatment outcomes. That is a tall order, to be sure.

Takoda put together its analytics software and began building its product about a year ago. First they thought they could create something that is an add-on to the electronic health systems already in use, but quickly realized that wasn’t going to be possible. They decided to work with a local clinic here. The clinic agreed to be a proving ground for the technology and see if their methods work. They picked this clinic for geographic convenience (since the principals of the firm are also here in St. Louis) and because they already see numerous patients who are motivated to try to resolve their addiction issues. Also, the clinic accepts insurance payments. (Many therapists don’t deal with insurers at all.) They wanted insurers involved because many of them are moving in the direction of paying for therapy only if the provider can measure and show patient progress. While many insurers will pay for treatment, regardless of result, that is evolving. Finally, the company recognized that opioid abuse has slammed the therapy world, making treatment more difficult and challenging existing practices, so the industry is ripe for a change. Takoda recognizes that this is a niche market, but they had to start somewhere. “So we are going to reinvent this industry from the ground up,” said Fischer.

So what does their system do? First off, it uses research to better match patients with therapists, rather than leave this to chance or the “ups” system that has been used for decades. Research has shown that matching gender and race between the two can help or hurt treatment outcomes, using very rough success measures.

Second, it builds in some pretty clever stuff, such as using your smartphone to create geofences around potentially risky locations for each individual patient, and providing a warning signal to encourage the patient to steer clear of these locations.

Finally, their system will “allow practice offices to see how their therapists are performing and look carefully at the demographics,” said Fischer. “We have to change the dynamic of how therapy care is being done and how therapists are rated, to better inform patients.”

It is too early to tell if Takoda will succeed or not, but if they do, the potential benefits are clear. Just like in Moneyball, where a poorly-performing team won more games, they hope to see a transformation in the therapy world with a lot more patient “wins” too.

The rise of the online ticketing bots

A new report describes the depth of criminality across online ticketing websites. I guess I was somewhat naive before I read the report, “How Bots affect ticketing,” from Distil Networks. (Registration is required.) The vendor sells anti-bot security tools, so some of what they describe is self-serving to promote their own solutions. But the picture they present is chilling and somewhat depressing.

The ticketing sites are being hit from all sides: from dishonest ticket brokers and hospitality agents who scrape details and scalp or spin the tickets, to criminals who focus on fan account takeovers to conduct credit card fraud with their ticket purchases. These scams are happening 24/7, because the bots never sleep. And there are multiple sources of ready-made bad bots that can be set loose on any ticketing platform.

You probably know what scalping is, but spinning was new to me. Basically, it involves a mechanism that appears to be an indecisive human who is selecting tickets but holding them in their cart and not paying for them. This puts the tickets in limbo, and takes them off the active marketplace just long enough that the criminals can manipulate their supply and prevent the actual people from buying them. That is what lies at the heart of the criminal ticketing bot problem: the real folks are denied their purchases, and sometimes all seats are snapped up within a few milliseconds of when they are put on sale. In many cases, fans quickly abandon the legit ticketing site and find a secondary market for their seats, which may be where the criminals want them to go. This is because the seat prices are marked up, with more profit going to the criminals. It also messes with the ticketing site’s pricing algorithms, because they don’t have an accurate picture of ticket supply.

This is a new report from Distil, focusing just on ticketing vendors. In the past year, they have seen a rise in the sophistication of the bot owners’ methods. That is because, like much of cybercrime, there is an arms race between defenders and the criminals, with each upping their game to get around the other. The report studied 180 different ticketing sites for a period of 105 days last fall, analyzing more than 26 billion requests.

Distil found that the average traffic across all 180 sites was close to 40% consumed by bad bots. That’s the average: many sites had far higher percentages of bad bot traffic. (See the graphic above for more details.)

Botnets aren’t only a problem with ticketing websites, of course. In an article that I wrote recently for CSOonline, I discuss how criminals have manipulated online surveys and polls. (Registration also required.) Botnets are just one of many methods to fudge the results, infect survey participants with malware, and manipulate public opinion.

So what can a ticketing site operator do to fight back? The report has several suggestions, including blocking outdated browser versions, using better Captchas, blocking known hosting providers popular with criminals, and looking carefully at sources of traffic for high bounce rates, series of failed logins and lower conversion rates, three tells that indicate botnets.
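As an added example (not code from the Distil report or from this post), here is a Python sketch that computes those three per-source tells from constructed request records and flags the sources that exceed illustrative thresholds; the record format, the sample values and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample requests as (source, session_id, action) tuples; not data from the report.
SAMPLE_LOG = (
    # A human-looking source: multi-request sessions, one purchase, one typo'd login.
    [("203.0.113.5", "h1", "view"), ("203.0.113.5", "h1", "add_to_cart"),
     ("203.0.113.5", "h1", "purchase"),
     ("203.0.113.5", "h2", "view"), ("203.0.113.5", "h2", "view"),
     ("203.0.113.5", "h3", "login_fail"), ("203.0.113.5", "h3", "login_ok"),
     ("203.0.113.5", "h3", "view")]
    # A bot-looking source: many one-request sessions, repeated failed logins, no purchases.
    + [("198.51.100.7", f"b{i}", "view") for i in range(12)]
    + [("198.51.100.7", "b12", "login_fail")] * 6
)

# Illustrative thresholds (assumptions, not values from the report).
BOUNCE_MAX, FAILED_LOGIN_MAX, MIN_SESSIONS, CONVERSION_MIN = 0.8, 5, 10, 0.02


def source_metrics(log):
    """Aggregate per-source session count, bounce rate, failed logins and conversion rate."""
    per_session = defaultdict(lambda: defaultdict(int))  # source -> session -> request count
    failed, purchases = defaultdict(int), defaultdict(int)
    for source, session, action in log:
        per_session[source][session] += 1
        if action == "login_fail":
            failed[source] += 1
        elif action == "purchase":
            purchases[source] += 1
    metrics = {}
    for source, sessions in per_session.items():
        n = len(sessions)
        bounced = sum(1 for count in sessions.values() if count == 1)  # single-request sessions
        metrics[source] = {"sessions": n, "bounce_rate": bounced / n,
                           "failed_logins": failed[source],
                           "conversion_rate": purchases[source] / n}
    return metrics


def suspicious_sources(log):
    """Return {source: [reasons]} for sources that trip any of the three tells."""
    flagged = {}
    for source, m in source_metrics(log).items():
        reasons = []
        # Bounce and conversion rates are only meaningful once a source has enough sessions.
        if m["sessions"] >= MIN_SESSIONS and m["bounce_rate"] >= BOUNCE_MAX:
            reasons.append("high bounce rate")
        if m["failed_logins"] >= FAILED_LOGIN_MAX:
            reasons.append("repeated failed logins")
        if m["sessions"] >= MIN_SESSIONS and m["conversion_rate"] < CONVERSION_MIN:
            reasons.append("low conversion rate")
        if reasons:
            flagged[source] = reasons
    return flagged
```

On a real site these counters would be computed over a sliding window per IP, ASN or account rather than over a static list, and a flag would feed a Captcha or rate limit rather than an outright block.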