How to protect your mobile apps using Zimperium’s zIAP SDK (screencast)

If you are looking for a way to protect your Android and iOS apps from malware and other mobile threats, you should look at Zimperium’s In-App Protection (zIAP) SDK. It supports both Apple Xcode for iOS apps and Android Studio for Android apps. One of the advantages of zIAP is that you don’t have to redeploy your code because changes are updated dynamically at runtime and automatically pushed to your devices. zIAP ensures that mobile applications remain safe from cyber attacks by providing immediate device risk assessments and threat alerts. Organizations can minimize exposure of their sensitive data, and prevent their customers’ and partners’ data from being jeopardized by malicious and fraudulent activity. I tested the product in April 2019.

Pricing starts at $12,000 per year for 10K Monthly Active Devices, with steep quantity discounts available.

https://go.zimperium.com/david-strom-ziap

Keywords: strom, screencast review, webinformant, zimperium, mobile security, app security, Android security, iOS security

RSA blog: Third-party risk is the soft underbelly of cybersecurity

In the past several weeks, we have seen the effects of ignoring the risks of our third-party vendors. They can quickly put your enterprise in peril, as this story about a third-party provider to the airline industry shows. In this case, a back-end database supplier grounded scheduled flights because of a computer outage. And then there is this story about how two third-party providers from Facebook exposed more than 500M records with unsecured online databases. These are just the more notable ones. Hackers are getting more clever about how and when they attack us, and often our third-party apps and vendors are the soft underbelly of our cyber security. Witness the various attacks on point-of-sale vendors, back-end database vendors, payment providers, ecommerce plug-ins and so on. And then there are system failures, such as what happened to the airline databases.

This isn’t a new problem, to be sure, but we have to assume these attacks and system failures are going to happen more frequently, and expose more data. A study of 40 incident responders found that half of them have seen attacks that are targeting their entire supply chain, and more attackers are trying to move across an enterprise network laterally to find better opportunities to ply their trade.

We mention the issue with third-party risk management in this post for the RSAC blog. I want to follow up where this post leaves off and talk about more specific and actionable suggestions to protect your third-party flank. The problem is that we are too trusting when it comes to these third-party apps. We have developed complex infrastructures that combine the best of the online and on-premises worlds, with a nice sprinkling of browser-based interfaces riding over all of this. That is great for building some powerful apps, but not as great when it comes to making sure that all of this gear is properly protected.

Here are a few practical things to check as you formulate your own strategies for mitigating these third-party risks:

– Vet your providers as if they were your own employees. As this post describes in more detail, you should do due diligence on any prospective vendor, partner or third-party supplier. This is helpful not just for cyber security, but also for compliance reasons. For example, when did your prospective supplier perform its last pen test or business continuity exercise? Speaking of which, does your breach response plan take into account the posture of all of your key suppliers?

– With any of your security tools, don’t just set and forget but regularly examine your third-party apps to see if any of them have had recent exploits or if they are behind on a software version. NotPetya depended on this lazy upgrade experience. Its authors sent out their malware by taking advantage of a bug that was only patched by Microsoft a few weeks before it was exploited. There are numerous other examples. Hackers are paying attention to the timing of these bugs and zero-days, and that means you have to be ever-vigilant with your upgrades. That means your network is only as good as everyone’s equipment, whether you own it, connect to its servers or just share data with it. When you purchase a new third-party app, make sure you understand your supplier’s update policies and audit this equipment regularly.

– Speaking of audits, you should regularly perform data inventories too. By this I mean what data sets your third parties have access to or store on their own computing infrastructures. Part of this assessment is understanding what data from your third-party provider is available online and how it is protected at rest and in motion. This will come in handy if any of your third-party providers is hit with a breach, and can minimize the blowback to your own computing environment.

– Segment your network and put each vendor’s servers behind its own firewall. VLANs are not anything new, but they are the first line of defense when trying to stop a hacker from being able to roam around your network at will. A number of third-party attacks happened because the attackers were able to move about an internal flat network from their point of entry, until they found a victim’s PC that they could leverage for a breach.

– Review your user access policies and know who has administrative and other more privileged rights. This becomes more of an issue when you have numerous third parties attached to your network, and you may not know if a trusted employee of theirs has been terminated – but his account still has those higher-level access rights. Indeed, as I was writing this post, I got an email from one of my co-workers who told me that I had admin rights to our CMS. I can’t remember why I had these rights, but glad that someone was checking.

– Have good management techniques on third-party devices and treat them as if they were your own. This is especially important for internet-connected devices. As our networks become more complex, it becomes harder to lock every endpoint down. This means a network-connected printer at one of your suppliers could become infected and used to move onto your own network.

– Recognize that these attacks could be a symptom of a bigger problem with your security and structure your protection accordingly. Have you lagged behind keeping up with your network documentation? Do you vet all your suppliers consistently? Do you have representatives from your suppliers working on premises – and know what physical access restrictions they have?

– Finally, who stores your secrets (keys, certs) and where do they put and protect them? Just because a third party uses encryption doesn’t mean they are using it effectively, or universally. The recent Facebook breaches, with plaintext passwords discovered unprotected, are a good case in point.

As you can see, managing third-party risks isn’t anything fancy, but just the basic blocking and tackling of issues that we have known about for decades. If you follow these best practices, you will go a long way towards protecting your business.

CSOonline: How to improve container security

Gartner has named container security one of its top ten concerns for this year, so it might be time to take a closer look at this issue and figure out a solid security implementation plan. While containers have been around for a decade, they are becoming increasingly popular because of their lightweight and reusable code, flexible features and lower development cost. In this post for CSOonline, I’ll look at the kinds of tools needed to secure the devops/build environment, tools for the containers themselves, and tools for monitoring/auditing/compliance purposes. Naturally, no single tool will do everything.

FIR B2B podcast #118: Customers as advocates, ODI progress and why you need a style guide

We have a trio of discussion items on this week’s podcast with myself and Paul Gillin. The first is from DigitalCommerce360 and concerns how customers should be your best advocates at building your brand identity and promoting your company. Marketers who focus on improving the customer experience and figuring out ways to regularly listen to customers’ desires and complaints can benefit from low-cost and powerful word-of-mouth promotion. So why don’t more B2B marketers have programs aimed at loyal customers?

Late last month there was some progress to report on the Open Data Initiative, a standards effort launched last fall that seeks to create a standard for the interchange of marketing data. Sounds boring, but with marketers spending more on analytics than IT organizations these days, we think it’s important. Executives from Adobe, Microsoft and SAP just gave more details about how the three will standardize interfaces among their products to help common customers get a clearer view of their customers without going through a lot of messy data transformation. The trio also announced a slew of VAR partners that will support ODI. But the list was also notable for the big companies that weren’t there, like Oracle, Salesforce.com and marketing automation vendors.

Our final item is How to Create a Style Guide for Content Marketing. Too often marketers jump into content programs without laying the groundwork for a consistent style and direction for their blogs and websites. Having a solid style guide isn’t just about where to place your commas but the right tone of voice and point of view that your authors should take. There is a lot of good advice in this piece.

You can listen to our 14 min. podcast here:

How business voice-enabled apps will become the next thing

If you have an Alexa or Google Home nearby, you probably already know how handy it can be in your daily life. But what you may not be as aware of is how businesses are adopting voice-enabled information access, and how this technology could become as revolutionary as HTML and websites were back in the 1990s.

I got to see some of this future at the Prepare.AI conference yesterday here in St. Louis, in particular in a presentation by Bob Stolzberg, the founder of VoiceXP, a two-year-old startup that is beginning to make some noise with a voice toolkit that is aimed at business. At the show, Bob demonstrated a couple of examples, using an Alexa as his speaking partner.

One was an app developed for Mercy Health, so you can locate the nearest doctor with just a few commands (Say “Alexa, Start Mercy”). Another was for a law firm, so you can use voice commands to find a lawyer after you have been in an auto accident. One app showed how an executive could easily get various business metrics reported via voice, rather than plowing through a bunch of spreadsheets. One for a scientific research company allows their researchers to add experimental notes via voice commands, so they don’t have to remove their gloves and type them in. “Businesses are adopting voice apps to start their conference calls, to integrate with Slack as replacements for front-desk check-in kiosks, and numerous other apps. We are living in a voice-enabled world,” he said at the conference. They have a few demos on their site with apps that they have built for other companies as well.

The Mercy app was a significant effort, taking a good-sized team working over several months and a pretty substantial budget to put it together. That experience got them working on a much easier path for developing business voice apps so that ordinary folks could build them without a lot of programming or systems integration knowledge. They call it their Voice Experience Platform. It is still in beta but nearing its launch with several different plans that include managed services hosting, custom lead gen features and help with on-boarding the apps. They also provide a voice marketing plan that teaches businesses how to successfully market their new voice experience.

Voice-enabled apps do have their downside, namely a threat to our privacy and potential misuse by bad actors. Given that the Alexa/Home device is always listening, this data could be captured or subject to a man-in-the-middle attack without the proper security posture. VoiceXP has security built into its platform, which is encouraging. “What if a rogue device shared confidential medical data,” asks Adam Levine, a privacy expert. “These new technical advances may make our lives easier, but we need to see a greater focus on privacy.”

Another issue is that to voice-enable your corporate apps, you need some way to access them programmatically. That could be trouble: with one of their customers, VoiceXP ended up using a complex spreadsheet and pulling data directly from that into their platform.

Finally, voice apps touch many different parts of your organization, similar to how web apps did when they were first created back in the day. You will need to keep an open mind, build your team accordingly, and empower them to collaborate to formulate best practices to make them work successfully.

If you have examples of your favorite business-related skill or action (as these apps are called), do share them in the comments.

My experiences with online banking

This week saw the announcement of Apple Card, a credit card that doesn’t even have a number on its face. While it remains to be seen if Apple will be successful here, certainly we are witnessing a new era of online financial services. More to the point is the development of open banking in the UK. The idea behind open banking was standardizing on APIs to make it easier to move from one bank to another. We are far from that here in the States but there are many innovators in the banking field. As a big proponent of online banking, here is my report on what I have been using and how they work, for Simple, Aspiration, USAA and Marcus.

Simple was one of the first online banks and I have had an account for several years. They offer no-fee checking/savings and VISA debit cards, although there are some fees for foreign transactions and some ATMs. Opening an account takes minutes and their web interface is clean and easy to understand with superior online help and telephone support.

Marcus is the online entity of Goldman Sachs (who is one of the partners for the Apple Card) and they have two main products: high-interest CDs (right now they offer a five year 3.1% rate) and no-fee loans (6% APR). Opening an account takes minutes and their web interface is clean and simple to understand. I had some issues setting up joint accounts and their telephone support was efficient and helpful and resolved it quickly.

Aspiration offers no-fee checking and debit cards. Actually, that isn’t quite accurate: you decide on the fees that you wish to pay them. It is an interesting gimmick. You can select nothing, and you can change the amount as often as you wish. There are some third-party fees, such as for wire transfers, that they pass along at their cost. They also make it easier for you to donate money to particular causes that you can set up online.

Activating my debit card from them required a call to their telephone support center. This could have been a network problem that they were experiencing at the time. They have a mobile app where they have spent more development time, and their web interface is pretty spare.

USAA has been in the online financial services world for a very long time, and it shows. If you have a family member that has served in the military you can open an account. They offer life, car and home insurance, CDs, credit cards, mutual funds and many more products. They try to keep their costs low and usually send me a small check at the end of the year as a “dividend” to thank me for being a member. I have had my car insurance with them for a long time and they have superior claims service and amazing response time from their telephone call center.  

If you are looking for online banking services, here are some things to look out for:

What services do you need? If you just want a no- or low-fee credit card, there are many solutions, including products from regular card issuers. If you need more online services, you will have fewer choices. USAA offers the widest spectrum and as I said has been doing it for the longest time. 

Opening and funding your account. You want a provider that has taken the time to build a simple and easy-to-use interface. Each provider does this slightly differently. All offer the ability to enter your bank routing and account numbers and make two small test deposits that you have to verify, or you can provide your funding bank’s username and password. Aspiration had two issues: they made the external funding menus hard to find, and they took a week to fund my account. The others were speedier with their funds transfer. Marcus wins this category.

Making deposits, money transfers and obtaining reports. This is the meat of any provider and most have obvious ways of doing this. My local online bank had two separate procedures for funding and then linking an external account, which was annoying and took two calls to their phone support center to resolve. None of the four were any better or worse than others.

What are the hidden fees? Simple is my favorite here: they were one of the first to be very explicit about the fees they charge. Plus, you can find out everything without having to become a customer. The others are less transparent, although they all offer lower fees than your traditional retail bank (as they should).

What are the MFA implementation(s)? Both Simple and Aspiration offer SMS PINs to authenticate, and once you set this up, you can’t change anything without calling them. But the real standout is USAA, which in addition has other options as explained here, including support for Symantec’s VIP smartphone app. All of these are easily changed online, as long as you can find the linked URL above.

If you check this list of MFA options for the banking sector, you will see support for the MFA authentication smartphone apps is pretty sparse. Sigh.

International travel. Simple and Aspiration both offer quick notification of when and where you travel online, which is appealing to me and one of the reasons I went down this rabbit hole. For many years, I only had one credit card that I would pay off the balance each month. When I began doing more international travel, I realized that I wanted to minimize my exposure if my high-credit-limit card was lost or stolen. I opened an account with Simple, one of the first online banks.  

Do they offer a mobile app? Simple and Aspiration both offer them and focus on mobile as their primary method for customer transactions.

As you can see, no single provider is strong in all areas, which is a shame because you would hope their development teams could learn from the best examples and enhance their sites.  

Some final words of wisdom: prepare to spend some time with your own research and step into these waters gingerly before committing a lot of your money with any provider. Find out what your local bank offers with their online services, as many of them realize they have to be competitive in this area. And feel free to make recommendations of your own experience in the comments.  

Behind the scenes at a regional NCCD competition

Every year hundreds of college students compete in the National Collegiate Cyber Defense Competition. Teams from around the country begin with regional competitions, and the winners of those go on to compete for bragging rights and cash prizes at the national event in Orlando held at the end of April. A friend of mine from the Seattle area, Stephen Kangas, was one of the volunteers, all of whom are drawn from IT security professionals. I spoke to him this week about some of his experiences. The event simulates defending a corporate network, and is divided into two basic teams: the defenders who comprise the blue teams from the colleges, and the attackers, or red team. In addition, there are other groups, such as the judges and the “orange team” which I will get to in a moment. A team of judges with body cams to record the state of play is also assigned to each blue team, and these are used to tally up the final point totals. Points are also awarded based on the number of services that are still online and haven’t been hacked, as well as those systems which were hacked and then recovered. Both teams have to file incident reports and these are also evaluated as part of the scores.

Stephen has participated at the competition for several years as a mentor and coach for a team from a local high school that competes in the high school division. This year he was on one of the red teams attacking one of the college blue teams. He has his Certified Ethical Hacker credential and is working towards an MS in Cybersecurity degree too. He has been involved in various IT roles both as a vendor and as a consultant, including a focus in information security, for decades. “I wanted to expand my knowledge in this area. Because most of my experience has been on the defensive side, I wanted to get better, and for that you have to know about the strategy, tools, and tactics used by the offensive black hats out there.”

The event takes place over a weekend and the red team attackers take points away from the defenders for penetrating their corresponding blue team’s network and “pwning” their endpoints, servers, and other devices. “I was surprised at how easy it was to penetrate our target’s network initially. People have no idea how vulnerable they are as individuals and it is becoming easier every day. We need to be preparing and helping people to develop the knowledge and skills to protect us.” His red team consisted of three others that had complementary specializations, such as email, web and SQL server penetration and different OSs. Each of the 30 red team volunteers brings their own laptop, but they all use the same set of hacking tools (which includes Kali Linux, Cobalt Strike, and Empire, among others), and the teams communicate via various Slack channels during the event.

The event has an overall red team manager who is taking notes and sharing tips with the different red teams. Each blue team runs an exact VM copy of the scenario, with the same vulnerabilities and misconfigurations. This year it was a fake prison network. “We all start from the same place. We don’t know the network topology, which mimics the real-world situation where networks are poorly documented (if at all).” Just like in the real world, blue teams were given occasional injects, such as deleting a terminated employee or updating the release date of a prisoner; the red teams were likewise given occasional injects, such as finding and pwning the SQL server and changing the release date to current day.

In addition to the red and blue teams is a group they call the orange team that adds a bit of realism to the competition. These aren’t technical folks but more akin to drama students or improv actors that call into the help desk with problems (I can’t get my email!) and read from scripted suggestions to also put more stress on the blue team to do a better job of defending their network. Points are awarded or taken away from blue teams by the judges depending upon how they handle their Help Desk phone calls.

Adding additional realism, during the event members of each red team make calls to the help desk, pretending to be an employee, trying to social engineer them for information. “My team broke in and pwned their domain controllers. We held them for ransom after locking them out of their Domain Controller, which we returned in exchange for keys and IP addresses to some other systems. Another team called and asked ransom for help desk guy to sing a pop song. They had to sing well enough to get back their passwords.” His team also discovered several Linux file shares that had employee and payroll PII on them.

His college’s team came in second, so they are not going on to the nationals (University of Washington won first place). But still, all of the college students learned a lot about better defense that they can use when competing next year, and ultimately when they are employed after graduation. Likewise, the professionals on the red teams learned new tools and techniques from each other that will benefit them in their work. It was an interesting experience and Stephen intends to volunteer for Pacific Rim region CCDC again next year.

RSA blog: Understanding the trust landscape

Earlier this month, president of RSA, Rohit Ghai, opened the RSA Conference in San Francisco with some stirring words about understanding the trust landscape. The talk is both encouraging and depressing, for what it offers and for how far we have yet to go to realize this vision completely.

Back in the day, we had the now-naïve notion that defending a perimeter was sufficient. If you were “inside” (however defined), you were automatically trusted. Or once you authenticated yourself, you were then trusted. It was a binary decision: in or out. Today, there is nothing completely inside and trusted anymore.

It is all a matter of shades of grey. So cyber security means evaluating who and what is trusted on a continuous basis. Ironically, to get to appreciate these shades of grey, we have to work a lot harder before we can trust our computers, apps and devices.

I had an opportunity to spend some time with Rohit at a presentation we both did in London earlier this year and enjoyed exchanging many ideas with him.

Part of the challenge is that the world has become a lot more complicated. How many of us accept the following activities as part of our normal routines?

  • Telling your credit card company when you will be out of the country is now part of my pre-trip routine.
  • Questioning when asked to provide our SSN or street address – remember when some of us had them printed on our checks?
  • When signing up for a new website, I no longer automatically provide my “real” birthday. While this is a more secure posture, it is also somewhat annoying when this date rolls around on the calendar and those congratulatory notes come in.
  • Now I use MFA sign-ons more routinely. But when I have an account that doesn’t use MFA it gives me pause as to whether I even want to do business with them.
  • I now accept the extra steps of using a VPN when roaming around on public Wi-Fi networks as part of my normal connection process.

Like Rohit, I have begun “to obsess about the trust landscape.” I think we all know what he means. He spoke about how to manage various risks, which means assessing the likelihood of particular digital compromises to our networks, our endpoints, and our lives. “It must become our new normal,” he said during this keynote.

But what does this really imply? That we can’t trust anyone or anything anymore? That is where the depression sets in. Some vendors have tried to make lemonade out of these lemons by promoting what they call a “zero trust” model. You might think this is a new term, but you would be wrong. It has been around since 2010, when then-Forrester analyst John Kindervag first created the notion. The idea is simple: no one gets any access until they can prove their identity. In that paper, he mentions how when Bugsy Siegel built Vegas, he built the town first, and then the roads. In IT, too often we first go for the infrastructure before we understand the apps that will be running on it.

Here is a better idea: RSA CTO Zulfikar Ramzan advocates replacing the zero trust model with one that focusses on managing zero risk. That gets IT staffs to examine what is really important: identifying key IT assets, data as well as third parties and focusing their energies on securing those. He mentioned in this video interview that “if digital transformation is the rocket ship, then trust has to be the fuel for that rocket ship.”

Using this zero-risk model changes the conversation from building roads to looking more carefully at the business itself: what apps will we need to deliver business services, how will proprietary data be stored and protected, and who will have access to what based on the business. How many of you can certify with complete confidence that every user in your Active Directory is still a legitimate and current employee? I don’t see too many hands raised, which proves my point.

Tom Wolfe wrote in his 1987 novel, The Bonfire of the Vanities, about a concept called “the favor bank.” This means we all make deposits, as favors, in the hopes of making future withdrawals when we need them. Rohit used a variation in his speech he called the “reputation bank,” where companies make deposits of trustworthy moments, to balance those dark times when they need to make their own withdrawals. I like the concept, because it gets across that trust is a two-way street. I will give up my email to you, if I get some benefit to me. Those vendors that know how the reputation bank works will earn interest and our trust; those that lie about their privacy policies will overdraw their accounts.

To conclude things, I turn to that great security authority, Billy Joel, who once said it best:

It took a lot for you to not lose your faith in this world
I can’t offer you proof
But you’re going to face a moment of truth …
It only is a matter of trust.

FIR B2B #117: Alternatives to Facebook

The short answer is yes, and we explore the various dimensions of The Facebook Problem in this week’s podcast. First we touch on the swirl of commentary about Zuck’s latest pronouncement that the company will combine Facebook Messenger, WhatsApp and Instagram into a single, unified product. Is there a business model in there somewhere, or is this just wishful thinking? Some analysts have already said that the era of Facebook’s News Feed is now officially over. We aren’t so sure, but we agreed that Facebook has become mostly a waste of time. There are some other business-oriented networks that we think have more value, including Reddit, Quora, LinkedIn, Alignable and Spiceworks. We’ve found all to be more fertile hunting grounds for business marketers. We also have advice about how to choose and test among those sites. 

We recorded this episode just before Brian Krebs revealed that Facebook exposed hundreds of millions of user passwords to more than 20,000 employees for years. It is certainly a sad state of affairs.

One final thought about Facebook: Reuben Arnold, Starbucks’ vice-president of marketing and product in EMEA, said he wants to have deeper conversations with some of its customers and promote its brand using private groups and private accounts on social media channels. Maybe this is an alternative to just posting to the greater universe. We’ll see.

But wait, there is more. We like this post about whether it’s time to go back to taking notes with pen and paper. How many of those people tapping away on their laptops during a meeting are doing something related to the meeting? You know the answer. Maybe it’s time to ban the laptops and aim for shorter meetings instead. 

We also discuss a recent news item about how execs from the UK-based convenience store Tesco are frustrated that the company is having to spend an increasing amount of money on ensuring its advertising doesn’t appear next to inappropriate content and believe publishers should foot more of the bill. It used to be that publishers protected their advertisers from this kind of embarrassment, but in a world dominated by algorithms, anything goes.  

Finally, there was a charming story earlier this month about a handwritten note to the CEO of Qantas from a 10-year-old boy who wanted to start his own airline. The airline posted the kid’s letter and a welcoming reply from CEO Alan Joyce, who commented, “Our competitors don’t normally ask us for advice, but when an airline leader reached out, we couldn’t ignore it.” The story is more than charming though: it is a lesson about how a light touch and a sense of humor can go a long way towards promoting your brand, in this case to the tune of nearly 30,000 retweets.

You can listen to our 19 min. podcast here:

The technology behind “Patriot Act”

If you have seen the Netflix show Patriot Act with Hasan Minhaj, you might have noticed the spectacular eye-popping set that is used for the show. And if you are a curious geek like me, you might want to know about the people responsible for building and operating it.

The show is a comedy vehicle for the Daily Show correspondent, and mixes a great deal of pop culture and news references with the goal of tackling a single topic each week. Minhaj is on stage for almost all of each episode. You first notice the stunning visual design of the set because it is the set. Minhaj stands on an LED floor that changes in synch with the screens that form the background of the show. This isn’t your grandfather’s PowerPoint, baby: images zoom in and out and video animations roll across the screens. There are catchy infographics that rotate and fade in, and all the other tricks that we have come to expect in the average Marvel or Pixar movie. Only it is a TV talk show. I think it is pure genius. After you watch this show, every other talk show looks dull as dishwater by comparison.

My interest here is also personal: as a professional speaker, what the team that produces this show is doing is showing how we can use technology to truly immerse an audience into a performance. It is as big a sea change as when I swapped out my black-only “foils” for color PowerPoint for my speeches. Only better.

I interviewed two of the folks who are responsible for the show. Granted, any show is a collaboration of many, many people, including a dozen different animators, designers, and pre-visualization specialists, not to mention all the writers and other usual TV production folks. If you aren’t familiar with pre-viz, as it is called, this is an interesting part of the entertainment universe. As more filming has gone digital, pre-viz folks have become very important, because they give directors the ability to see exactly what a scene will look like in its final form before anyone has touched a camera. Think of it like a virtual scene — you can manipulate all sorts of stuff without having to actually build it in real life. I’ll get to why this is important in a moment.

I first spoke to Greg Bloxham, who is the computer operator for the show. That title doesn’t really do justice to his role, which is critical to the whole operation. I then exchanged emails with Marc Janowitz, who is the Production and Lighting Designer for the show. Both guys have developed the look and feel and chosen the technologies that are used each week.

If you are a fan of Minhaj’s standup, you probably have seen his Netflix special, Homecoming King. Janowitz was involved in that production, which really was a beta test of what the TV series is doing. “Patriot Act is more like a deep dive into a particular subject that requires intense visual aids to help support the thesis. We had this desire to delve into a style of visual narrative that blends imagery, form and structure and helps to immerse the audiences in the material,” said Janowitz. And as I said earlier, the studio audience is immersed. “A big part of the design impetus for this show was to capture the energy of a live performance with an audience,” he said. Basically, they have turned the tired model of anchorperson-behind-a-desk on its head.

Bloxham spends two days a week on each episode, one day for basic rehearsals, the next day for more detailed rehearsals and then the live-to-tape final run through. He has had a long career in lighting and media design, starting with the Oprah show and then moving into doing live music events and other extravaganzas. “This was a field that was pretty obscure a few years ago, but is now getting to be more common,” he told me. If you remember Oprah, she had video screens around her studio, but not to the extent that Minhaj uses on his show, and certainly not to the extent that they are run in real time.

One of the reasons for the look and feel of the show has to do with Minhaj’s personal preferences. He is very involved in the pre-viz process, naturally, and also has a lot of opinions on how the final shows appear. “It is nice that he is so deeply involved,” Bloxham told me. The show takes a lot of collaborative work, because, as you might imagine, having such powerful tech means that writers can change things pretty much up to the last minute. He takes the content from the animators and then puts it all together so that they can run the visuals in real time during the actual performance. If you look carefully at any of the episodes, you’ll see the set lighting change colors in synch with what is shown on the video screens. “You can literally program things to move in time with each beat,” he said.

The gear that they use is the Disguise 4x4Pro, which is a specialty piece of hardware that is pretty much the gold standard in the industry and used in many concert venues to drive their complex lighting and visual effects. “The Disguise system is what allows the set to exist as a 3D immersive visual display and can map these different surfaces into a cohesive image,” said Janowitz. “The set design is composed out of multiple different styles and resolutions of LED video displays.”

This system costs tens of thousands of dollars, but what you’ll find inside is a couple of 16-core Xeon CPUs and 32GB of RAM, running Windows Embedded 8.1. It outputs 4096×2160 video streams to the various LED screens that are part of the show’s set. “We are certainly pushing a lot of pixels,” Bloxham told me, although I was surprised that this is well within the reach of a typical high-end PC server. “The tech has gotten approachable,” he told me. Each summer he runs a boot camp in Vegas to teach video designers some of the tricks of his trade. “Your average PC with a good graphics card can do a lot today.”

Actually they have two media servers, one for backup. “Tech always has a risk, and this way I can switch over to the backup system with just a push of a button,” said Bloxham. He has a control console board that is custom built, and includes the lighting controls as well. Given the number of people involved in producing the show, paying for a second server is a wise investment.

So check out Patriot Act on Netflix and let me know what you think. I think years from now we will be talking about its influence, just as we wax on about The Sopranos today.