Network World review: securing the smart home

Today I begin a series of reviews in Network World around smarter home products. Last year we saw the weaponized smart device as the Mirai botnet compromised webcams and other Internet-connected things. Then earlier this year we had Vizio admit to monitoring its connected TVs, and more recently there was this remote TV exploit; even dishwashers aren’t safe from hackers.

Suddenly, the smart home isn’t smart enough, or maybe it is too smart for its own good. We need to take better care of securing our homes from digital intruders. The folks at Network World asked me to spend some time trying out various products and using a typical IT manager’s eye towards making sure they are set up securely.

Those of you that have read my work know that I am very interested in home networking: I wrote a book on the topic back in 2001 called The Home Networking Survival Guide and have tried out numerous home networking products over the years. My brief for the publication is broadly defined and I will look at all sorts of technologies that the modern home would benefit from, including security cameras, remote-controlled sensors, lighting and thermostats, and more.

Smart home technology has certainly evolved since I wrote my book. Back then, wireless was just getting started and most homeowners ran Ethernet through their walls. We didn’t have Arduino and Pi computers, and many whole house audio systems cost tens of thousands of dollars. TVs weren’t smart, and many people were still using dial-up and AOL to access the Internet.

Back in the early 2000s, I visited John Patrick’s home in Connecticut. As a former IBMer, he designed his house like an IBM mainframe, with centralized control and distributed systems for water, entertainment, propane gas, Internet and other service delivery. He was definitely ahead of his time in many areas.

When I wrote about the Patrick house, I said that for many people, defining the requirements for a smart home isn’t always easy, because people don’t really know what they want. “You get better at defining your needs when you see what the high-tech toys really do. But some of it is because the high-tech doesn’t really work out of the box.” That is still true today.

My goal with writing these reviews is to make sure that your TV or thermostat doesn’t end up being compromised and being part of some Russian botnet down the road. Each article will examine one aspect of the secure connected home so you can build out your network with some confidence, or at least know what the issues are and what choices you will need to make in supporting your family’s IT portfolio of smart Things.

Since I live in a small apartment, I asked some friends who live in the suburbs if they would be interested in being the site of my test house. They have an 1800 sq. ft. three bedroom house on one level with a finished basement, and are already on their second smart TV purchase. One of them is an avid gamer and has numerous gaming consoles. Over the past several months (and continuing throughout the remainder of this year), we have tried out several products. In my first article posted today, we cover some of the basic issues involved and set the scene.

FIR Podcast: New life for fake news and how the “like” button is ruining the Internet

Shel Holtz is globe-trotting this week, so Paul Gillin and I take the reins of his FIR podcast. Our guests are Todd Van Hoosear, a well-known social media figure in Boston and elsewhere, and Barbara Selvin, associate professor at the Stony Brook University School of Journalism, where she created and teaches a course on the changing business models of the news industry. We cover a wide range of topics in the more-than-an-hour discussion, including:

You can listen to our podcast here.

Lessons learned from building software at scale

So you have read The Lean Startup. Suffered through following several agile blogs (such as this one). You think you are ready to join the cool kids and have product scrums and stand-up meetings and all that other stuff. Now you need an implementation plan.

Maybe it is time to read this post by Paul Adams on the Intercom blog. He describes some of the lessons he and his development team have learned from building software and scaling it up as the company grows. I asked a few of my contacts at startup software firms what they thought of the post and there was mostly general agreement with his methodology.

Here are some of Adams’ main points to ponder.

Everyone has a different process, and the process itself changes as the company matures and grows. But his description is for their current team size of four product managers, four software designers, and 25 engineers. Like he says: “it’s not how we worked when we had a much smaller team, and it may not work when we have doubled our team.”

Create a culture where you can make small and incremental steps with lots of checkpoints, goals, and evaluations. “We always optimize for shipping the fastest, smallest, simplest thing that will get us closer to our objective and help us learn what works.” They have a weekly Friday afternoon beer-fueled demo to show how far they have gotten in their development for the week. Anyone can attend and provide comments.

Facetime is important. While a lot of folks can work remotely, they find productivity and collaboration increase when everyone is in the same room in a “pod.” Having run many remote teams, I can say that local pods can certainly be better, but if you have the right managers, you can pull off remote teams too. It appears IBM is moving in this “local is better” mode lately.

Have small teams and make them strictly accountable. Adams has a series of accountability rules for when something goes wrong. Create these rules and teams and stick by them. “We never take a step without knowing the success measurement,” said one friend of mine, who agrees with much of what Adams says in his post. My friend also mentions when using small teams, “not all resources have a one-to-one relationship in terms of productivity; we find that the resources we use for prototyping new features can generally float between teams.”

Have a roadmap but keep things flexible and keep it transparent. “Everything in our roadmap is broken down by team objective, which is broken down into multiple projects, which in turn are broken down into individual releases,” said Adams. They use the Trello collaboration tool for this purpose, something that can either be a terrific asset or a major liability, depending on the buy-in from the rest of the team and how faithful they are to keeping it updated.

However, caution is advised: “The comprehensive approach that Adams describes would be entirely too much overhead for most startups,” says my friend. This might mean that you evaluate what it will take to produce the kind of detail that you really need. And this brings up one final point:

Don’t have too many tools, though. “Using software to build software is often slower than using whiteboards and Post-it notes. We use the minimum number of software tools to get the job done. When managing a product includes all of Google Docs, Trello, Github, Basecamp, Asana, Slack, Dropbox, and Confluence, then something is very wrong.”

Email encryption has become almost frictionless

As you loyal readers know (I guess that should just be “readers” since that implies some of you are disloyal), I have been using and writing about email encryption for two decades. It hasn’t been a bowl of cherries, to be sure. Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that the state of secure Internet email standards and products is best described as “a sucking chest wound.” Lately I have seen some glimmers of hope in this much-maligned product category.

Last week Network World posted my review of five products. Two of them I reviewed in 2015: HPE/Voltage Secure Email and Virtru Pro. The other three are Inky (an end-to-end product), Zix Gateway, and Symantec Email Security.cloud. Zix was the overall winner. We’ll get to the results of these tests in a moment.

In the past, encryption was frankly a pain in the neck. Users hated it, either because they had to manage their own encryption key stores or had to go through additional steps to encrypt and decrypt their message traffic. As a consequence, few people used it in their email traffic, and most did so under protest. One of the more notable “conscientious objectors” was none other than the inventor of PGP himself, Phil Zimmermann. In this infamous Motherboard story, the reporter tried to get him to exchange encrypted messages. Zimmermann sheepishly revealed that he was no longer using his own protocols, due to difficulties in getting a Mac client operational.

To make matters worse, if a recipient wasn’t using the same encryption provider as you were using, sending a message was a very painful process. If you had to use more than one system, it was even more trouble. I think I can safely say that those days are soon coming to an end, and that encryption is becoming almost completely frictionless.

By that I mean that there are situations where you don’t have to do anything, other than click on your “send” button in your emailer and off the message goes. The encryption happens under the covers. This means that encryption can be used more often, and that means that companies can be more secure in their message traffic.

This comes just in time, as the number of hacks with emails is increasing. And it is happening not only with email traffic, but with texting/instant message chats as well. Last week Check Point announced a way to intercept supposedly encrypted traffic from WhatsApp, and another popular chat service, Confide, was also shown to be subject to impersonation attacks.

So will that be enough to convince users to start using encryption for normal everyday emailing? I hope so. As the number of attacks and malware infections increases, enterprises need all the protection that they can muster, and encrypting emails is a great place to start.

What I liked about Zix and some of the other products that I tested this time around was that they took steps to hide the key management from the users. Zimmermann would find this acceptable, to be sure. Some other products have come close to doing this by using identity-based encryption, which makes it easier to on-board a new user into their system with a few simple mouse clicks.

What I also found intriguing is how Zix and others have incorporated data loss prevention (DLP) and detection into their encryption products. What this means is that all of these systems detect when sensitive information is about to be transmitted via email, and take steps to encrypt or otherwise protect the message in transit and how it will ultimately be consumed on the receiving end.

DLP has gone from something “nice to have” to something more essential, as business compliance requirements and data leak hacks have both increased its importance. Having this integration can be a big selling point for making the move to an encrypted email vendor, and we are glad to see this feature getting easier to use and to manage in these products.

Finally, the products have gotten better at what I call multi-modal email contexts. Users today are frequently switching from their Outlook desktop client to their smartphone email app to a webmailer for keeping track of their email stream. Having a product that can handle these different modalities is critical if it is going to make a claim towards being frictionless.

So why did Zix win? It was easy to install and manage, well-documented and had plenty of solid encryption features (see the screenshot here). Its only downside was no mobile client for composing encrypted messages, but it got partial credit for having a very responsively designed webmailer that worked well on a phone’s small screen. Zix also includes its DLP features as part of its basic pricing structure, another plus.

We have come a long way on the encrypted email road. It is nice to finally have something nice to say about these products after all these years.

FIR B2B #69 podcast: Fighting comment trolls and tracking CMO spending trends

We start off by exploring how to fight comment-trolling. While trolls have been around since before the dawn of the internet, it seems we have few ways to fight them and restore civility, or at least move towards some semblance of it. A story on Nieman Lab’s blog tells how a Norwegian site is “taking the edge off rant mode” by making readers pass a quiz before commenting. Their theory is that if readers actually read an article and prove that they understand the basic issues, their comments will be more meaningful. It is a nice start. (See screenshot here.)

Then there is this new protocol from Google that harnesses machine learning techniques to help publishers thwart abusive comments online. Google has published an API and has a demonstration on its website that shows you how you can use it. Paul and David debate whether it is safe to turn on comments on your own blog, and recommend some kind of human oversight to keep things on point. Sadly, you still have to fight off the trolls for now.

Our next item comes from Shel, who pointed out a survey that shows 80% of B2B companies overlook customer renewal messaging. We don’t understand why this very important audience continues to be overlooked by marketers. There is this tidbit: 42% of respondents say their companies invest less than 10% of their marketing budgets on renewal messaging efforts. “Research shows the story you need to tell to protect existing customer relationships is actually the antithesis of the disruptive, attention-grabbing story you need to tell to acquire net new customers.” 

Finally, we examine the latest Fuqua/Duke Biz school CMO survey. It found that spending on marketing analytics is expected to leap from 4.6% to almost 22% of marketing budgets in the next three years. But marketers say barely a third of available data is used because managers lack the tools to measure the success of analytics and people who can link the data to marketing practice. We opine on why this is so and why social media continues to be stuck in a perennial “almost ready” status.   

You can listen to our 17 minute podcast here:

How St. Louis has become a startup mecca

Over the past several years, St. Louis has been recognized by a number of national publications as one of the fastest growing startup locations in the country. Having lived here for more than a decade, I have observed this first-hand, working as a volunteer mentor to dozens of new ventures as part of the IT Entrepreneur’s Network (ITEN). I had a chance recently to interview many of the founders of new companies and thought I would provide a few insights into why my adopted city has taken a leadership position in the startup world.

One reason is certainly an expanding ecosystem to support entrepreneurs. There is a critical mass of mentors, potential founders, funders, and startup-oriented resources that continues to feed on itself. Ten years ago, there weren’t many organizations or resources for startups. That has changed dramatically.

Another reason is that the cost of living here is low, especially when compared to both coasts. “It is less expensive to make the mistakes that you are inevitably going to make, and the range of people invested in your success is huge,” said Mark Sawyier, who launched his company Bonfyre in 2011. “The only thing you know for sure about your initial business plan is that it is wrong. You have to be flexible and adaptable and have a greater appreciation for getting advice. The way a business responds to failure isn’t a single moment in time, but how they can retain what they have learned from that experience and move on.”

The coasts do offer some advantages, however. “Coastal investors are more comfortable with a SaaS model than their midwestern counterparts. But they also need you to be at a certain level of scale,” says Chris Deck, who has run his own ecommerce venture for almost 20 years. “The challenge to being in St. Louis is that the model to raise funds from the tech perspective is different, and you spend a lot of time talking about metrics that aren’t applicable to the SaaS business model.” Some startups have a hybrid hiring model, and ended up having salespeople based in the Bay Area just for this reason, but still have the remainder of their staff here.

Another reason why St. Louis is rising is because it is getting easier to find local talent. While that used to be more difficult, many of the founders I spoke to no longer had that issue. Sawyier said, “There is this misconception that there isn’t any local talent in St. Louis. That is not true at all. It amazes me that people are always surprised at the concentration of IT-related organizations around the area. These businesses are continually creating talent and new opportunities.”

One way to track the growth of the ecosystem is in the number of co-working spaces around the region. When I first arrived, there were none; now there are at least 20 and new ones are popping up regularly. Most of the spaces are operating at near capacity, and what is more important than the number of offices is that many companies have outgrown their initial space and have moved into new offices, with some even buying their own buildings.

Another is the sheer dollars that local funds are investing in startups. The amount has risen over the past several years, and while it isn’t at the level of an Austin, Boston, or Sand Hill Rd., it is enough to motivate many founders to relocate here for their business.

One of the ITEN programs that I have been involved with is called Mock Angels. A founder pitches his business as if he or she were appearing before a group of VCs, and afterwards they comment on the pitch and what can be improved. The theory is that this helps refine the pitch so when a real VC is at the receiving end the founder will be prepared and get funding. This isn’t unique to St. Louis: they can be found in other places. But what is different is that the Mock Angels do more than just carp about the slide deck. What I have seen is that these meetings are a good jumping off point for many founders to receive intensive mentoring from the Angels: one startup ended up talking to 20 different mentors to get a better take on what to do next.

As an example, let’s look at the story of Focalcast, a startup that provides live collaboration among tablet computers. They began by being accepted into the Capital Innovators accelerator program and moved to the St. Louis area. Then they came to ITEN and graduated from Mock Angels, and then got an Arch Grant and additional funding from the Missouri Technology Corporation. With each agency, they improved their pitch, refined their product offering, interacted with potential investors, mentors, and other specialists. “We couldn’t have gotten as far as we did without all this support from the various St. Louis programs,” said Devin Turner, their CEO. “All of them were instrumental in our success, and we have enormous respect for the St. Louis startup ecosystem. Each of these programs complements the others and works well for startups. We think St. Louis is a pretty special place and is a really great place for a young company to be located.” Turner’s pitch was torn up at his first Mock Angel session. “But we ended up working with one of the participants who went from saying that our business model didn’t make any sense to being a big advocate and a huge help for us to go to market and raise funds.”

As another example, look at Amanda Patterson, the CEO of a health-care training-related startup called The Call List. She received a great deal of mentoring from the folks she met at ITEN. “I was able to refine my business plan and introduce myself to people in the healthcare community that could apply my technology. When I first applied, I thought of Mock Angels as more of a gateway that I needed to pass through so I could apply for venture funding, but I realized that it is a way to develop a sustainable model and to train me to become a better business leader. Even the mentors that were the most negative about my pitch had useful thoughts that helped shape my business.”

Another company that benefited from the local startup scene is Label Insight. They provide a database of food ingredients for a variety of vendors. “Before we came to St. Louis, we were mostly working out of our garages and on our own,” said Anton Xavier, one of their co-founders. “We really needed to put our company on steroids and grow into a real viable business. We found St. Louis an ideal place for this growth, and the second we came into contact with the startup ecosystem here, we flourished and were able to escalate our growth.”    

St. Louis has really blossomed as a startup mecca. When I first got here, it was a rare week that had any startup-related event, and it was easy to attend most of them and get to know the community. Now there are numerous events each evening, a testimonial to how rich a community we have invented.

You can check out the Tech Startup Report from ITEN here if you want to read more about ITEN’s services and the St. Louis tech startup scene.

Network World review: Email encryption products are improving

Email encryption products have made major strides since I last looked at them nearly two years ago in this review for Network World. This week I had an opportunity to revisit these products, and found that they have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements. They are at the point where encryption can almost be called effortless on the part of the end user.

I reviewed five products: the two that I reviewed in 2015 (HPE/Voltage Secure Email and Virtru Pro) and three others (Inky, Zix Gateway, and Symantec Email Security.cloud). The overall winner was Zix (shown here). It was easy to install and manage, well-documented, and the encryption features were numerous and solid. The only drawback was that Zix lacks a separate mobile client to compose messages, but having a very responsive mobile web app made up for most of this issue.

You can read the complete review in Network World here, and you can watch a screencast video comparing how three of the products handle data leak protection:

FIR B2B Podcast #68: We are feeling grumpy today

This week Paul is crabby because of some bad PR experiences. He had an interview with one company that probably had seen “All the President’s Men” too many times and was confused about when something can go on background or off the record. Once something has been said, it is on the record.

Another all-too-common tactic is to send multiple follow up emails, “hope you had a nice weekend” (it is Tuesday, thank you very much) “and check back with you.” Really?

In the news last week was the Amazon S3 outage. Paul got several emails with offers of sources to comment on the dire state of affairs of the Internet. (Didn’t you know? Neither did we.)

To round out our sourpuss series, we have this report from the DC-based policy think tank called the Information Technology and Innovation Foundation. The study shows the tenor of tech reporting has become more pessimistic over the years, with a number of contributing factors such as more realistic understanding about the effects of tech, more sensationalist headlines, or just more people (including some news organizations) who want to use tech threats for their own particular purposes.

The rise of blockchain-as-a-service

With the announcement last week of the Enterprise Ethereum Alliance, it is timely to look at what is going on with blockchain technologies. The Alliance was formed to try to encourage a hybrid kind of blockchain with both public and private aspects. Its members include cutting-edge startups along with established computer vendors such as Microsoft and major banks such as ING and Credit Suisse. As mentioned in this post by Tom Ding, a developer at String Labs, the Alliance could bring these disparate organizations together and find best-of-breed blockchain solutions that could benefit a variety of corporate development efforts.

When Bitcoin was invented, it was based on a very public blockchain database, one in which every transaction was open to anyone’s inspection. A public chain also allows anyone to create a new block, as long as they follow the protocol specs. But as blockchains matured, enterprises wanted something a bit more private, to have better control over the transactions for their own purposes and to control who is trusted to make new blocks.

This isn’t a mutually exclusive decision, and what is happening now is that many blockchain solutions use aspects from both public and private perspectives, as you can see from this infographic from Let’s Talk Payments.

You want the benefits of having multiple programmers hammering against an open source code base, with incentives for the blockchain community to improve the code and the overall network effects as more people enter this ecosystem. You also gain efficiencies as the number of developers scales up, and perhaps have future benefits where there is interoperability among the various different blockchain implementations. At least, that is the theory espoused in a recent post on Medium here, where R Tyler Smith writes: “One thing that blockchains do extremely well is allow entities who do not trust one another to collaborate in a meaningful way.”

The Ethereum Alliance is just the latest milepost that blockchains are becoming more potentially useful for enterprise developers. Over the past year, several blockchain-as-a-service (BaaS) offerings have been introduced that make it easy to create your own blockchain with just a few clicks. Back in November 2015, Microsoft and ConsenSys built the first BaaS on top of Azure and now have several blockchain services available there. IBM followed in February 2016 with their own BaaS offering on BlueMix. IBM has a free starter plan that you can experiment with before you start spending serious money on their cloud implementations. Microsoft’s implementation is through its Azure Marketplace. There is no additional charge for blockchain services other than the cloud-based compute, network and storage resources used.

IBM’s BlueMix isn’t the only place the vendor has been active in this area: the company has been instrumental in supporting open source code regarding blockchain with large commitments to the Apache Hyperledger project. Not to be left out of things, the Amazon Web Services marketplace offers two blockchain-related service offerings. Finally, Deloitte has its own BaaS service offering as part of its Toronto-based blockchain consulting practice.

If you want to get started with BaaS, here is just one of numerous training videos that are available on the Microsoft virtual academy that covers the basics. There is also this informative white paper that goes into more detail about how to deploy the Microsoft version of BaaS. IBM also has an informative video on some of the security issues you should consider here. (reg. req.)