Remembering AIM

AOL is eliminating its AIM service after a 20 year run. It is sort of an ignominious end to the once-popular IM platform. Many of us were teens (or parents thereof) when AIM was in its heyday, and I was a big user back in the early 2000s when I worked at CMP, using it to communicate with our far-flung staff (and even the folks sitting a few feet away from me too). That brings up how IM can bring together work teams to collaborate, and how IM has been an essential tool in many of my jobs since then. Just this morning I was using IM to “talk” to my editor in Pittsburgh and another researcher in Europe for my Inside Security newsletter. Like many of you, I take these conversations for granted and, like many tech companies, Inside.com has standardized on Slack, and indeed I participate in numerous other Slack groups now.

More than ten years ago, I wrote this story for the NY Times, The I.M. Generation Is Changing the Way Business Talks. In it, I describe the opportunities and challenges that IM faced in the modern business. To me, the timing of this article points out that there still were plenty of businesses that hadn’t even considered any IM tools. IBM was quoted in the piece as using its own IM tool for sending millions of messages daily, and eliminating voice mail tag. In my article, I called IM “the new black,” meaning it was trendy back then.

Today my phone rarely rings — to the point that I haven’t had a “desk” office phone in so long that I can’t even remember. Between IM and emails, there really isn’t any need to “talk” to anyone anymore.

One of the reasons why businesses loved IM is that their own workers literally grew up on the service. “AIM was a domain parents didn’t understand, giving it a feeling of clandestine cool.” This is from Tech Crunch, which has this tribute. In that link is a clip with a reminder of its pernicious sound effects. Boy does that bring back memories. One of my favorites was when my daughter was a pre-teen, deeply steeped in using AIM to communicate with 100 of her closest friends. I had trouble getting her to sign off when it was bed time, and so told her that she was going to get kicked off the system promptly at 10 pm. I had set up a firewall rule on our home router to block access to TCP port 5190 at that time. She didn’t think I could do that, and after a few warnings I remember her realizing that I meant business when the hour struck. Being a parent back in that era was a lot easier than today, to be sure.

Speaking of pre-teens, I found this awkward story about making dating decisions using AIM. Again, a typical use case from back in that era.

But while AIM set the standard for IM, it didn’t keep up with the times. Ironically, as more users became mobile, they migrated to other IM tools because AOL’s mobile clients were late to the party and under-powered. They were slow to provide APIs, something Slack does in spades, which is one of the reasons you can find Slack “bots” for all sorts of add-on applications. And as users migrated to other IM services, AOL itself stopped using the service for its own internal communications, at one point using Slack itself. That is bad news when even your own people don’t find the tool capable enough.

AIM was also a victim of SMS services and smartphones. As more people used both, the use cases blurred further between personal and corporate messaging. My daughter, who is now in her late 20s, told me that she hasn’t used AIM in years. Now she uses WhatsApp for both business and personal reasons, and that can be an issue when she is trying to get her work done and can’t easily find a conversation.

Well before Facebook-stalking was a thing, AIM profile stalking became slang for many users. This Ars writer recalls he had his “first taste of how the Internet could enable asynchronous self-expression and personal broadcasting amid a tight-knit social group.” That was before blogs, before MySpace even. So while I haven’t used AIM in a long time, I am sad that it is actually getting turned off soon.

iBoss blog: Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is that there are multiple standards and, sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.

You can read my latest blog for iBoss here to find out more.

Protecting your Windows endpoints with VIPRE Endpoint Security Cloud

VIPRE offers a nice package for small and medium-sized businesses that is easy to use and manage with a wide array of protective features.

We tested VIPRE on a series of different Windows clients during September 2017. It supports every desktop version of Windows since Windows 7 and every server version since Windows Server 2008 R2. It currently protects more than six million endpoints and finds more than a million malware infections daily. VIPRE also sells an on-premises endpoint solution that also includes patch management features.

Pricing starts from $30/yr/seat with significant volume discounts. VIPRE offers free phone-based US support during business hours.

Software shouldn’t waste my time

One of my favorite tech execs here in St. Louis is Bryan Doerr, who runs a company called Observable Networks that recently was acquired by Cisco. (Here is his presentation of how the company got started.) One thing he frequently says is that if a piece of software asks for your attention to understand a security alert, it shouldn’t waste your time. (He phrases it a bit differently.) I think that is a fine maxim to remember, both for user interface designers and for most of us who use computers in our daily lives.

As a product reviewer, I often find time-wasting moments. Certainly with security products, they seem to be designed this way on purpose: the more alerts the better! That way a vendor can justify its higher price tag. That way is doomed.

Instead, only put something on the screen that you really need to know. At that moment in time. For your particular role. For the particular device. Let’s break this apart.

The precise moment of time is critical. If I am bringing up your software in the morning, there are things that I have to know at the start of my day. For example, when I bring up my calendar, am I about to miss an important meeting? Or even an unimportant meeting? Get that info to me first and fast. Is there something that happened during the night that I should jump on? Very few pieces of software care about this sort of timing of its own usage, which is too bad.

Part of this timing element is also how you deal with bugs and what happens when they occur. Yes, all software has bugs. But do you tell your user what a particular bug means? Sometimes you do, sometimes you put up some random error message that just annoys your users.

Roles are also critical. A database administrator has a very different focus from a “normal” user. Screens should be designed differently for these different roles. And the level of granularity is also important: if you have just two or three roles, that is usually not enough. If you have 17, that is probably too many. Access roles are usually the last thing to be baked into software, and it shows: by then the engineers are already tired of their code and don’t want to mess around with things. Like anything else in software engineering, do this from your first line of code if you want success.

Finally, there is understanding the type of device that is looking at your data. As more of us use mobile devices, we want less info on the screen so we can read it without squinting at tiny type. In the past, this was usually called responsive design, meaning that a web interface designer would build an app to respond to the size of the screen, and automatically rearrange things so that they would make sense, whether viewed on a big desktop monitor or a tiny phone. If your website or app isn’t responsive, you need to fix this post-haste. It is 2017, people.

iBoss blog: What Is WAP Billing and How Can It Be Exploited?

An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly on the user’s phone bill. I explain the exploit and how it is being used in my latest blog post for iBoss here. One infection point is a “battery optimizer” app that conceals the WAP billing trojan.

HPE blog: What developers can learn from the best museum designers about UX

Putting together a museum exhibit is a lot like writing code: you have to understand your audience, engage the user or visitor in a number of interesting ways, and have a clear message to impart. As an avid museumgoer over the years I have had the opportunity to see some fascinating exhibits all over the world. Let’s look at some of these more memorable exhibits and what museums and app developers can share and learn from each other in terms of improving the user experience (UX).

Most museum exhibits, like most software, are usually focused on what you can see. And often this means a lot of reading, which is why many of us get “museum fatigue” and get distracted after an hour or so when we visit a typical museum. The same is often true of many software programs: we don’t want to read lengthy tracts on our screens and need something else to draw our attention or get us engaged with our other senses.

One of the earliest commonalities is when museums employ “digital artists” to create interesting data visualizations as exhibits. Sheldon Brown’s video installation Scalable City was shown in 2008 at San Francisco’s Exploratorium. The Cooper Hewitt Smithsonian design museum has had a series of data visualization exhibits for years. And then there is the work of Jer Thorp and the Office of Creative Research in New York City, which I described in an article that I wrote several years ago for ITworld here.

But getting a better understanding of UX isn’t just about looking at pretty pictures. You need to combine two or more of our senses to make the exhibit more interesting and memorable. Let me give you a few examples.

The City Museum in St. Louis is a unique place and opened in 1997. It actually isn’t a museum in the strict sense of the word but more of an indoor playground for kids and adults alike. It was the creation of Bob Cassilly, who came up with the idea for the place and designed many of its exhibits. The museum is built inside an old shoe factory and reuses many materials found in the factory and other industrial buildings. These include a set of three-story ramps that were turned into slides and other rooms that showcase artwork constructed from abandoned and reclaimed building materials.

The City Museum is a prime example of the architectural term adaptive reuse, which means taking something that was designed for one purpose and using it for something else. What can a coder learn from this? Even the best app developer can reuse bits of code for other purposes.

The Lincoln museum in Springfield, Ill. opened in 2005 and has several exhibits that take their cues from the world of theater. The museum’s designer was BRC Imagination Arts of Burbank, Calif.

One of my favorite rooms is the scene depicting the death of Lincoln’s son, which happened during the Lincoln presidency. The room’s temperature is deliberately cooled five degrees from the rest of the museum so you get a slight chill as you walk into the space. This makes the experience more eerie and realistic. In another room is an interpretation of the four candidates running during the 1860 election, which was filmed in Tim Russert’s “Meet the Press” studios in Washington. As in a control room, it displays TV monitors showing video clips, historical still photos and commercials created from the perspectives of each candidate and conveying their particular political positions.

Obviously, there wasn’t any broadcast TV during Lincoln’s time but the exhibit works because of this conflict of context between that era and today. Software developers also have to be careful of context switching in their apps, to make sure that users don’t get lost in the process or that a particular execution thread can be resumed properly. Many malware writers take advantage of context switching to introduce viruses or to take remote control over an app when a context switch is broken.

At the Chopin Museum in Warsaw the exhibits were designed by Migliore+Servetto Architetti Associates, along with the British firm Centre Screen. The problem they were trying to solve was how to present information in different languages, given that most of their guests were coming from outside the country. They came up with a rather clever solution. Each guest receives an RFID badge that encodes the guest’s language preference and whether they are adults who want longer narratives or children with shorter attention spans. There is also an option for the visually impaired visitor. This allows for a personalized visit: as you walk around the various galleries, your badge will change what is shown on the walls to suit your preferences – and it is done automatically, without you having to hunt down the right language for exhibit descriptions and explanations on the walls.

“The idea is a simple one: there is too much information to put on a wall label, so let’s direct the visitor to a virtual resource where they can learn more,” says this article on how RFID tech is changing museums. This “personalization gives greater insight into visitors’ interests and enables the museum to build a more engaged community.”

For a software developer that is looking to have a multi-lingual audience, this shows how you can make the experience less of a chore. Many websites have buttons on the top of their home pages with small flag icons to indicate languages that are available. Another way to do this is to read cookies that are saved on the computer for a language preference.

The personalization aspect is also something that has been used often in the software community. Many websites ask visitors to sign in so they can personalize the browsing experience: Amazon’s recommendation engine is one notable example. But a programmer could also geo-sense the likely language to be shown based on the location of a visitor’s IP address or other computer data. Google does this when you bring up its home page around the world, and redirects you to the page and language preferences of that country, for example.

Given its focus, another challenge for the Chopin Museum was how to present his music in a way that could make it more accessible to non-musicians. The designers created a set of audio booths that patrons could enter and select various tracks from a touchscreen interface (using the patron’s language and interest preferences). While playing the music, the touchscreen shows a variety of video and still images to complement the piece.

Another exhibit has a series of drawers in a table: each drawer contains a different composition, with a link to a photographic projection on the table of the actual score that Chopin wrote and links to play the music and highlight the portion of the manuscript being played.

With both of these exhibits you have the visitor use multiple senses (seeing, touching and hearing) – this is a great way to increase the overall experience and get the visitor more engaged in your content.

As you can see, you can draw inspiration from many places when you are writing code and developing your app. And the best UX comes from ordinary life experience, including walking through a museum.

iBoss blog: Understanding the Differences Between Anonymity and Privacy

Balancing anonymity and privacy isn’t an either/or situation. There are many shades of gray, and it is more of an art than science. Making sure your users understand the distinction between the two terms and setting their appropriate expectations of both should be a critical part of any job managing IT security.

Most users, when they say they want anonymity, really are saying that they don’t want anyone – whether it be the government or an IT department – to keep track of their web searches and conversations. They will say they want some amount of privacy when they are at work, whether they are using their computers and phones for work-related tasks or not.

Certainly, part of the problem is that people today over-share online: they post photos of themselves at various restaurants, or are tagged by their social media “friends” in awkward situations, or post their travel itineraries down to the exact hotels they stay at. How hard would it be to intercept their communications, break into an unoccupied home, or steal a laptop from their hotel room with this information?

But part of the problem is that controlling our privacy is complex: Take a look at the typical controls offered by Twitter. How can any normal person figure these out, let alone remember to change any of them as their needs change? It is hopeless.

As I wrote in another blog post, many enterprises are deleting their most sensitive data so they don’t have to worry about potential and embarrassing leaks. Some are also making sure they own their own encryption keys, rather than trust them in the hands of some well-meaning third party. And Apple has recently announced changes to its iOS 11 that will make it harder for law enforcement to extract your personal data.

Sometimes, the purported solutions to privacy controls only make things worse. Windows 10 comes with a series of “personalization” settings that are enabled for the maximum intrusion into our lives by default. One of them – letting ads access a specially-coded ID that is stored on your computer to personalize messages for you – is presented in a way to “improve your experience.” If you choose this route, this translates to increasing the creepiness factor, as ads are served up online based on your browsing history.

As another example, technology often gives us a false sense of security. Just because your users enable private browsing or connect to the Internet through a proxy server doesn’t mean people can’t figure out who they actually are or target ads to their browsing history. Recently, researchers have found flaws in the extension APIs of all major browsers that make it easier to fingerprint anyone. The WebExtensions API is supposed to protect browsers against attackers trying to list installed extensions, using access control settings in the form of the manifest.json file included in every extension. This file blocks websites from reading any of the extension’s internal files and resources unless the manifest.json file is specifically configured to allow it. But that control could be bypassed through this flaw.
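As an added example, not part of this post or of any browser vendor’s code: a small audit of the web_accessible_resources setting in a manifest.json, which is the control the paragraph describes. It flags entries that expose more of an extension’s files, or to more origins, than necessary, since every exposed path is also a path a web page could probe for. Both manifests below are constructed for illustration.

```javascript
// Two constructed manifests: one that exposes everything, one that exposes a
// single image to a single origin. Neither is a real extension.
const LOOSE_MANIFEST = {
  manifest_version: 2,
  name: "Example Extension (constructed)",
  version: "1.0",
  // Manifest V2 form: a flat list of path globs with no origin restriction.
  // "*" makes every file in the package loadable by any web page.
  web_accessible_resources: ["*"],
};

const TIGHT_MANIFEST = {
  manifest_version: 3,
  name: "Example Extension (constructed)",
  version: "1.0",
  // Manifest V3 form: each entry pairs resources with the sites allowed to load them.
  web_accessible_resources: [
    { resources: ["images/logo.png"], matches: ["https://example.com/*"] },
  ],
};

// "*", "**", "*/*", "**/*" and similar globs expose the whole package tree.
function isWildcardResource(path) {
  return /^\*+(\/\*+)*$/.test(path.trim());
}

// Match patterns that admit every site, or every host on a scheme.
function isBroadMatch(pattern) {
  return (
    pattern === "<all_urls>" ||
    /^\*:\/\/\*\//.test(pattern) ||
    /^https?:\/\/\*\//.test(pattern)
  );
}

// Returns how many resource paths are reachable from web pages and a list of
// human-readable findings; an empty findings list means nothing looked over-exposed.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) {
    return { exposedPaths: 0, findings }; // nothing is reachable from pages
  }
  let exposedPaths = 0;
  for (const entry of war) {
    if (typeof entry === "string") {
      // MV2 entries carry no matches list, so any origin may load them.
      exposedPaths += 1;
      if (isWildcardResource(entry)) {
        findings.push(`wildcard resource "${entry}" exposes the whole package to every origin`);
      } else {
        findings.push(`"${entry}" is loadable by any origin (MV2 has no matches list)`);
      }
      continue;
    }
    const resources = Array.isArray(entry.resources) ? entry.resources : [];
    const matches = Array.isArray(entry.matches) ? entry.matches : [];
    const extensionIds = Array.isArray(entry.extension_ids) ? entry.extension_ids : [];
    exposedPaths += resources.length;
    for (const r of resources) {
      if (isWildcardResource(r)) findings.push(`wildcard resource "${r}" exposes the whole package`);
    }
    for (const m of matches) {
      if (isBroadMatch(m)) findings.push(`match pattern "${m}" allows every site`);
    }
    if (matches.length === 0 && extensionIds.length === 0) {
      findings.push("entry lists no allowed origins or extension ids");
    }
  }
  return { exposedPaths, findings };
}
```

Running the audit over an extension you ship, or over the extensions you allow in a managed browser, is a cheap way to confirm the manifest exposes only what pages actually need.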

Even when this is patched, big data has made it almost absurdly easy to figure out supposedly anonymous users. Remember this New York Times article? Reporters chose a single random user from this list of 20 million Web search queries collected by AOL back in 2006. The Times was able to track her down, a 62-year-old widow who immediately recognized her web searches. So much for being anonymous! And that was back in 2006: imagine other data repositories and tools that are available now to track down individuals with relative ease.

So, realize that privacy isn’t the same as anonymity. Just because I do not know who you are does not mean that you have any privacy. Someone who captures my face when I am out on a remote hiking trail can still expose my location and my name through the auspices of Facebook’s facial recognition algorithms, and I could be tagged without my knowledge.

IT needs to understand the differences between privacy and anonymity, and be able to clearly communicate this information to its users. Part of this is having a clearly stated privacy policy on the corporate webpage – and then following it. (This one from email vendor Mailpile is exemplary.) IT also needs to set policies for how the enterprise will track cookies, browsing sessions, metadata and the actual private details of its employees, if these items are tracked.

FIR B2B podcast #81: GETTING REAL ABOUT SOCIAL MEDIA’S VALUE

This week we discuss several aspects of social media: how to use and abuse analytic tools, whether your CEO should have social media accounts, and understanding the differences between using social media as a “narrowcast” one-way medium vs. having actual interactions and conversations across various networks. We cite two different studies.

Domo and CEO.com released their annual CEO social media survey earlier this summer. They found that 40 of the Fortune 500 CEOs have a Facebook page, down from 57 two years ago. We don’t think the drop is necessarily a bad thing. Every corporate executive should have a solid account and profile on LinkedIn – and we suggest that CMOs should take some time to review those accounts to ensure that they reflect well on both the individual and the corporation – but engaging on social media creates an obligation to continue that engagement, and not all CEOs are comfortable with that idea.

We also examine a Forrester report from earlier this year (PDF here) on how to measure social programs. The authors point out that many marketers say they haven’t been able to show the impact of social at all, and that it can be hard to pin down its actual impact. Marketers mistakenly expect social metrics to parallel digital performance channels rather than augment those channels, help guide their efforts and add color or feedback at the appropriate places. If you expect social media to deliver an immediate boost to sales, you’re probably barking up the wrong tree.

Listen to our 16 min. podcast here.

FIR B2B podcast #80: THE EQUIFAX DISASTER AND PR PITCHING TACTICS

The Equifax data breach that was revealed last week has so far been an unmitigated disaster – for the company. While we could spend the entire show talking about the firm’s missteps, we just touch quickly on the lowlights, including poor IT management, the lousy breach notification, a confusing website that was constructed in haste and with overwrought legalese, the lack of quality reporting from the general and security trade press about the incident, and how hard it is to find out whether your own personal information has been compromised. Sadly, this breach will be a case study of what not to do in marketing communications for years to come.

We move on to something that we both have spoken and written about frequently, keyed to a piece that ran this week on Sam Whitmore’s Media Survey (we’d give you a link, but the site is behind a paywall). It’s about David’s attitude toward PR pitches. He and Paul go over some of their preferences on things like the length of pitches, whether to mention competitors, how pitches use metaphors and the value of third-party support endorsements. One thing we agree on: re-pitching – or following up on an earlier pitch – is a good way to put yourself in the doghouse and end up in the deleted email pile.

HPE Enterprise.Nxt: The rise of ransomware

Ransomware is a troubling trend. Novice criminals with little technical savvy and cheap software can generate big payouts and impact enterprise operations. Here’s what you need to know about the changing ransomware landscape. Ransomware happens to be the fifth most common form of malware, and is expected to see a 300 percent increase this year, according to MWR InfoSecurity. 

You can read my analysis here on HPE’s Enterprise.Nxt site. I review some of its history, highlight a few of the recent innovations with ransomware-as-a-service (such as this web dashboard from Satan shown here), and make a few suggestions on how to prevent it from spreading around your company.