Jan 17

The cult of tribalism and the death of the United States

“Death of the United States?”, you ask, shaking your head at the lunacy of a blog post that dares to suggest such a thing.

As we sit here in 2017, days into a new administration, we are faced with a dangerously narcissistic man in the White House who has suggested voter fraud based on no provable facts, but instead based on his own opinion; a press secretary who parrots whatever he is told, whether it is provably false or not; a chief strategist who has openly discussed destroying the republic; and an advisor/press liaison who openly suggested that “alternative facts” are anything other than a lie.

A few weeks ago, I met with a friend for drinks. I shared with him a thesis that I had come up with earlier in the day, which went as follows:

There is an opportunity cost to immediate information. Connectedness, absent mindfulness, equals insanity.

What do I mean by that? I mean, with our rapid information consumption, through Twitter, Facebook, other social media, “always on” news, and innumerable sites competing for our eyes with rapid fire information that is rarely checked for accuracy, if we don’t stop to question things, reality disappears, and we wind up bathing in a cult of our own tribalism.

If you aren’t familiar with it, I encourage you to read Thinking, Fast and Slow to get a frame of reference here. Here’s a good summary.

In a nutshell, the two parts of our brain are constantly at odds – this entire presidential campaign, rather than being grounded in debate, logic, and considered thought (System 2), was grounded in emotion (System 1).

If you look carefully at the statements that DJT used throughout the campaign, and that he continues to use, there’s a common refrain. What is that refrain?

His entire campaign was about fear. His speeches preyed upon emotion, rather than logic. He was a fast-twitch candidate, if you will. His bold, often demonstrably false, claims fed the fears of his base. ISIS. Refugees. Immigrants. Overregulation. Jobs. Rampant crime/shootings/carnage. Voter fraud. (A card he continues to play, as it resonates, due to the popular/electoral mismatch.) But the same base that lovingly digested those lies would push back diligently throughout the campaign at press that questioned that “truth”, because doing so would make them question their own beliefs, and their own comfortable reality they had created.

As my friend and I talked, he suggested something I hadn’t considered. Maslow’s hierarchy. Humans crave food first – and only at the top are they able to become self-actualized. In other words, “I’m going to watch out for my own interests until I can ensure they’re safe.” In this cult of tribalism I discussed above, people refuse to question their tribe… to question their beliefs. I mean, sure, you should fear ISIS. But good grief. You’re throwing away the very foundation this country was built on if you say “immigrants aren’t welcome here”.

That’s just it. We’ve got this selective reality in this country now, where the hard left will tell you one thing, the hard right will tell you something completely different, the news media all digests it and spits it back out at high velocity. How on earth is anyone supposed to end up with anything but a subjective opinion that mirrors their own existing reality???

We choose whether to listen to others, or to close off and say “my way is right.” And I’ll admit, it’s going to be pretty hard to get someone to see something when their livelihood depends on them not seeing it. People in the coal and petroleum industries will fight you tooth and nail about climate change, because their literal reality depends on your literal reality not being true.

How the hell are we supposed to move forward as a country, if we can’t all stop, and think for a moment? A friend used the expression “low vibration minds” as a gentle way to refer to people who are unable to, or unwilling to, think beyond themselves. That’s really what this all comes down to – a level of mindfulness. But what if someone doesn’t want to listen – if listening means that you question, and/or destroy, the very fabric of who they are?

  • How do you get someone to listen?
  • How do you get someone to listen to the truth? (By this, I mean a calculated, proven, truth.)
  • How do you get someone to listen to the truth that undermines the truth as they understand it, and reality as they want it to be?

When we would fly as kids, I would often ask my mother what made the sky so blue. My brother would say, “It’s not blue. It’s pink.” This used to annoy the hell out of me, because it was provably false. As we find ourselves in this weird alternative reality, it’s important to realize the exact antics and approach being used by Steve Bannon and others occupying the White House who seem to, in my opinion, not have the best interests of the country in mind with their actions.

Fear is a powerful thing. It fed the marginal approval for Brexit. It fed the marginal approval for DJT. In fact, it’s important to unwind a truism from before both of these votes – that the polling said neither was going to pass. Why? My opinion is… fear. Those willing to vote for these actions, based upon ungrounded, potentially irrational, fears, weren’t willing to have those views questioned. With such overt xenophobia, racial hatred, and anger driving both – and the ricochet of hate that resulted from both – it’s not hard to see why someone might want to be a closet Brexit or Trump backer. Cowardly, IMHO, but not hard to understand – again, the push for both being based upon fear.

Unfortunately, as we already see six days into this administration, those leading it – not necessarily the guy in the chair – choose to continue the antics that played well to his base as standard operating procedure.

However, I would like to offer a few words of advice on dealing with the propaganda-based approach being deployed by this White House administration:

  1. It’s very important for all media, regardless of their political bent, to question provably false statements coming from the administration.
  2. But understand that when you do, you will be confronted by his staff, and challenged on it, because you are not endorsing the message they want to resonate.
  3. If you continue to try and question, you will in turn be questioned. Like a football star accused of sexual assault, their defense will focus not on debasing your statement, but on debasing you. Be strong, stand firm, and defend the truth.

I also think that it is critically important at this moment in time, that Americans – “left” or “right”, regardless of faith, gender, race, age, economic strata… that all Americans – including those who represent us in Congress – need to start listening to others, and understanding why they feel the way they feel, why they believe the way they believe, and why they fear the way they fear. We will not move forward as a country with this “my way or else” bullshit. We must work together, even where a precise common ground does not, or likely cannot, exist.

I started out this post with a bold claim. I genuinely believe we are at a dangerous point in our beautiful country’s life, when the men running this country are willing to blatantly lie for their own benefit, and to the detriment of the country, its citizens, and the world at large.

Jul 14

You have a management problem.

I have three questions for you to start off this post. I don’t care if you’re “in the security field” or not. In fact, I’m more interested in your answers if you aren’t tasked with security, privacy, compliance, or risk management as a part of your defined work role.

The questions:

  1. If I asked you to show me threat models for your major line of business applications, could you?
  2. If I asked you to define the risks (all of them) within your business, could you?
  3. If I asked you to make a decision about what kind of risks are acceptable for your business to ignore, could you?

In most businesses, the answer to all three is probably no, especially the further you get away from your security or IT teams. Unfortunately, I also believe the answer is pretty firmly no as you roll up the management chain of your organization into the C-suite.

Unless your organization consists of just you or a handful of users, nobody in your organization understands all of the systems and applications in use across the org. That’s a huge potential problem.

The other day I was talking with three of our customers, and the conversation started around software licensing, then spun into software asset management, auditing, and finally to penetration testing and social engineering.

At first glance, that conversation thread may seem diverse and disconnected. But they are so intertwined. Every one of those topics involves risk. Countering risk, in turn, requires adequate management.

By management, I mean two things:

  1. Management of all the components involved (people, process, and technology – to borrow a line from a friend)
  2. Involvement of management. From your CEO or top-level leadership, down.

You certainly can’t expect your C-level executives to intimately know every application or piece of technology within the organization. That’s probably not tractable. What is crucial is that there is accountability down the chain, and trust up the chain. If an employee responsible for security or compliance says there’s a problem that needs to be immediately addressed, they need to be trusted. It does them no good to run their concern up the flagpole only to have it land with someone who is incapable of adequately assessing the technical or legal (or both) implications of hedging on addressing it, and who cannot truthfully attest to the financial risk of fixing the issue versus doing nothing.

  • If you hire a security team and you don’t listen to them, what’s the point of hiring them? Just run naked through the woods.
  • If you hire a compliance team (or auditor) and don’t listen to them, what’s the point of hiring them? Just be willing to bring in an outside rubber-stamp auditor, and do the bare minimum.
  • If you have a team that is responsible for software asset management, and you don’t empower them to adequately (preemptively) assess your licensing posture, what’s the point of hiring them? Just wait and see if you get audited by a vendor or two, and accept the financial pit.

If you’re not going to empower and listen to the people in your organization with risk management skills, don’t hire them. If you’re going to hire them, listen to them, and work preemptively to manage risk. If you’re going to try and truly mitigate risk across your business, be willing to preemptively invest in people, processes and technology (not bureaucracy!) to discover and address risk before it becomes damage.

So much of the bullshit that we see happening in terms of unaddressed security vulnerabilities, breaches (often related to vulns), social engineering and (spear)phishing, and just plain bad software asset management has everything to do with professionals who want to do the right thing not being empowered to truly find, manage, and address risk throughout the enterprise, and a lack of risk education up and down the org. Organizations shouldn’t play chicken with risk and be happy with saving a fraction of money up front. It can well become exponentially larger if it is ignored.

Jun 13

What’s the deal with Facebook advertising?

For a site that has been tracking my life for years, Facebook’s advertising is horrible. Not just weak, not just bad, but horrible. During the last presidential campaign, I started to realize how bad Facebook’s advertising was, when (as a pretty outspoken liberal) it offered me a Mitt Romney ad every single time I logged on.

But take a look below. You really couldn’t get more broken in terms of targeted advertising:

Where to begin? Let’s just look at each:

  1. I have a Yammer basic subscription – using the same email address of mine as Facebook already has.
  2. I have two cats, but don’t have a dog. I haven’t had one since I was a kid.
  3. I haven’t subscribed to cable since 2010.
  4. I don’t take photos with a camera anymore. Heck, my only digital camera and camcorder both gather dust while I use my iPhone for most photography and video.
  5. I hardly ever play games. I have an original Xbox that gathers dust, and a Wii that the kids sometimes use, but even it is rarely used vs. the iOS devices in the house.
  6. I have one watch. I wear it when I fly, so I know when the flight took off and what time it will land. Otherwise, I never wear a watch.
  7. As noted, I don’t play games. I’m also pretty outspoken about not being a fan of Walmart.

Bad Facebook ads

So here Facebook had 7 opportunities to knock it out of the park based on all of the personal information of mine they have. Yet they got 100% of them wrong. Way to go, Facebook!

May 13

Twitter zombies? My favorite.

Within the last few weeks, a very annoying trend on Twitter began to pique my curiosity. I saw random accounts that don’t follow me marking some of my tweets as favorites. What was weird though was the tweets that were getting marked weren’t, frankly, my best work. But I started noticing more about these accounts.

First of all, as I said, the accounts that seemed odd were generally marking odd tweets as favorites. Take this tweet for instance, which has three weird accounts that have favorited it (and my friend, who was just being punchy). A few other examples that friends on Twitter noted are here, here and here. While I thought it was interesting that this one of mine was the last tweet of the day for me, it wasn’t in the case of my friends, although the tweets do tend to be marked in the evening.

The second thing I noticed about the accounts marking these was that they always had names that were nonsensical given their username. Take this one for instance. Username is Rossiengkh, name is Rosalina Harrey. The usernames of these accounts seem to consist of a first name and generally 3, 4, or 5 gibberish characters appended. The more I looked, the more often I found that the names on the account were completely unrelated to the username – or pictures that were even of the wrong gender. Pictures of men with female account names, etc.

Next, I noted that all of these accounts had few tweets (generally less than 20) and were created recently (May 3, 2013, in the case of the account above).

Upon examining each of these accounts when they marked a favorite, I found that most of them had quite a few accounts they were following, and quite a few accounts following them. The patterns I noticed with my initial favorite zombie continued through all of the accounts they were following. For example, look at all of the accounts Rossiengkh is following. When it came to their followers, the story was different. All of their earliest followers match the pattern as well (again, see those of Rossiengkh).

It’s here that I’d like to theorize why these bots don’t spam, but rather favorite tweets instead. It’ll make sense in a minute. First, imagine you’re a really new user on Twitter. Suddenly, out of the blue, some user, likely following more people than you, and more followers than you, favorites one of your tweets. You maybe poke at their account a bit, notice their followers/followees, and that they have a few tweets. So you follow them. NOOOOOO!!!!!!!!

That’s why these zombies all have nobody they are following that is legitimate, and their accounts all began with a similar stack of zombie followers, to add cred. While some of us who have been on Twitter for a while noticed the funky smell from these accounts, new users aren’t generally aware that there are people gaming Twitter.

What’s most interesting is that many of these zombies are marking tweets as favorites that existed before their account did (the account above, created in early May, has favorites dating back into at least 2012). I didn’t even know you could mark tweets that existed before your account did as favorites, though I guess on some plane it makes sense.

So… Why all this trouble? Why build out a network of accounts following other accounts, following other accounts? Favoriting random things on Twitter? To sell followers, of course!

Follower counts generally aren’t vetted – people don’t go through and scan your followers to see if there are real people following you or not (well, not always). But buying followers, as questionable as it is, appears to be a thing to artificially add credibility to an account. I think it’s pretty sleazy and frankly devalues Twitter.

So let’s talk about one more thing almost all of the zombies have in common. Not all of them, mind you, but most of them. A short URL in their Twitter bio that at first glance appears relatively unique, and uses either bit.ly, tiny.cc, or tinyurl.com (the latter of which has now seemingly killed off the use of their service for this scam). I haven’t tabulated how many unique URLs there are (let alone how many zombies there are), but I can only assume there are quite a few. But more importantly, these URLs are not actually unique underneath.
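The indicators above (first name plus a few gibberish characters, a display name unrelated to the handle, fewer than 20 tweets, a days-old account, a stack of mutual zombie follows, and a bit.ly / tiny.cc / tinyurl.com URL in the bio) can be turned into a simple triage score. This is an added example, not the blog's code; the thresholds, the consonant-run and name-stem heuristics, and all sample fields other than the handle Rossiengkh and its May 3, 2013 creation date are assumptions, and the short URL in the sample bio is a constructed placeholder.

```python
"""Heuristic triage for the "favorite zombie" account pattern described above.

Added example. Thresholds and sample data are assumptions, not the post's.
"""
import re
from dataclasses import dataclass
from datetime import date

SHORTENERS = ("bit.ly", "tiny.cc", "tinyurl.com")   # services named in the post
URL_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)
CONSONANTS = "bcdfghjklmnpqrstvwxz"


@dataclass(frozen=True)
class Account:
    username: str
    display_name: str
    tweets: int
    created: date
    following: int
    followers: int
    bio: str = ""


def gibberish_tail(username: str) -> bool:
    """Handle ends in a run of 3+ consonants, e.g. 'Rossiengkh' -> 'ngkh' (heuristic)."""
    letters = re.sub(r"[^a-z]", "", username.lower())
    run = len(letters) - len(letters.rstrip(CONSONANTS))
    return run >= 3


def name_mismatch(username: str, display_name: str) -> bool:
    """First name (as a 4-letter stem) does not appear anywhere in the handle."""
    parts = display_name.split()
    if not parts:
        return True
    first = re.sub(r"[^a-z]", "", parts[0].lower())
    handle = re.sub(r"[^a-z]", "", username.lower())
    return first[:4] not in handle


def shortener_in_bio(bio: str) -> bool:
    """Bio links to one of the shortener domains the post associates with the scam."""
    for m in URL_RE.finditer(bio):
        host = m.group(1).lower()
        if any(host == s or host.endswith("." + s) for s in SHORTENERS):
            return True
    return False


def zombie_score(acct: Account, today: date) -> dict:
    """Per-indicator verdicts plus a total; the shortener URL counts double (assumption)."""
    age_days = (today - acct.created).days
    indicators = {
        "gibberish_tail": gibberish_tail(acct.username),
        "name_mismatch": name_mismatch(acct.username, acct.display_name),
        "few_tweets": acct.tweets < 20,          # post: "generally less than 20"
        "new_account": age_days <= 30,           # assumed window
        "follow_stack": acct.following >= 50 and acct.followers >= 50,  # assumed
        "shortener_bio": shortener_in_bio(acct.bio),
    }
    score = sum(indicators.values()) + indicators["shortener_bio"]
    return {**indicators, "score": score}


def is_zombie(acct: Account, today: date, threshold: int = 4) -> bool:
    return zombie_score(acct, today)["score"] >= threshold


# Constructed sample accounts; only the first handle and its creation date come from the post.
TODAY = date(2013, 5, 26)
SAMPLES = [
    Account("Rossiengkh", "Rosalina Harrey", 12, date(2013, 5, 3), 480, 310,
            "get more followers http://bit.ly/PLACEHOLDER"),
    Account("janedoe", "Jane Doe", 2140, date(2009, 4, 12), 310, 420,
            "Security engineer. https://example.org"),
    Account("Mikeqzxv", "Tanya Lou", 4, date(2013, 5, 20), 95, 120, ""),
]


def triage(accounts, today=TODAY):
    """Map each handle to a flagged/not-flagged verdict."""
    return {a.username: is_zombie(a, today) for a in accounts}


if __name__ == "__main__":
    for a in SAMPLES:
        print(a.username, zombie_score(a, TODAY))
```

The score is a triage aid for deciding which followers to look at, not proof; a legitimate new user with a short bio link can score 3 or 4 too.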

If you click on the URLs, the final destination that you wind up with is followersdelivery.com (no link because I don’t want them to get SEO). However, they appear to have a layover along the way, at bestgod.info. Followersdelivery.com was registered through GoDaddy on February 24 of this year, with a one year registration. The registrant is an individual in Zagreb, Croatia, with – I believe – a postbox. More interestingly, bestgod.info was registered on March 24 of this year, and was last edited two days ago, on Friday, May 24. Even more interesting? That domain was registered with fake credentials through Wild West Domains, LLC. The Spurger, TX address used to register the domain doesn’t exist, and the phone number is dead.

The initial bestgod.info domain appears to do a client-side redirection to the final destination. I’ve seen this trick done before, and there’s often logic thrown in on the client side (or even before then in the server redirection) that may be defeating Twitter’s ability to detect or block this URL (assuming they’re trying to). I mentioned over a year ago the risks of trying to unwind URL shorteners when it comes to really knowing what site is at the end of the link.

But the funniest part of this exercise has to be reading the followersdelivery.com site. The site advertises (shocker) all of the following for sale in bulk:

  • Twitter followers
  • Facebook likes
  • YouTube views
  • Instagram followers

The price of Twitter followers?

  • $20 – 1,000 followers (within 24 hours)
  • $50 – 5,000 followers (within 24 hours)
  • $80 – 10,000 followers (within 48 hours)
  • $170 – 30,000 followers (within 48 hours)
  • $420 – 100,000 followers (within 3 days)

My favorite part of the followersdelivery.com site, though, has to be the following, on their FAQ page:

Can I trust Followers Delivery? Are you a reputable company?
For many people, our services seem too good to be true, so we get this question asked all the time. Followers Delivery offers very popular social media services, low pricing and excellent customers support. We believe in offering an exceptional service to all of our customers and clients. Read the reviews that our customers have left us, we are sure you’ll be impressed.

And this little gem (underline emphasis mine):

Are these real users? How do you gather the followers?
Absolutely! We guarantee that these Twitter followers are real people and that no bots or proxies will be used in the delivery of your Twitter Followers. We rely purely on proprietary marketing and promotion techniques to get the job done right. We also own and operate a few high traffic Fan pages, Twitter accounts, Youtube channels and website which we use to generate real social media users for our customers.

<SPIT TAKE/> Yes. I’m sure that those are all real people that I’ve called out above. The Twitter undead.

It gets more interesting, though, as Followersdelivery.com was explicitly called out for their role in Michelle Malkin’s Twitchy site investigating Rachel Maddow. Note that even then the site had recently been suspended by the registrar hosting it. I’m not exactly sure who paid for what in that instance either (and frankly, given the low cost of buying followers, I can imagine someone paying to have an opponent’s Twitter presence defamed by “throwing” fake followers at their account). Regardless, I hope that Twitter does something to block this service relatively soon.

Mar 13

You’re only as safe as your last backup

This week, for the second time in a year, I lost the hard drive in my main computer, a 2010 ThinkPad W510 running Windows 8. I swear I was good to the computer – I don’t know why this second Seagate 500GB drive (yes, the first one was too!) decided to hit the floor. I’ve had so many hardware problems with this system – BSODs, weird display problems, and more, over the last year, that rather than try to jam it back together for one more gig with the band, I am putting my ThinkPad out to pasture, and have replaced it.

I’ll tell you what – when you have a HDD fail, Twitter is all aflutter with people offering posthumous advice on what you could have done to avoid data loss. SkyDrive, CrashPlan, Dropbox, Windows 8 backup utilities… Like free advice, everybody had wisdom to offer… Unfortunately, it was too late. The damage was done. While I didn’t lose the latest draft of my book (THANKS SkyDrive!!!), I did lose an article draft I had been working on for some time. I’m not happy about that. Here’s how it happened.

On Wednesday morning, the date of my PC’s demise, I got up early, as I often have to do, to take my eldest to ice skating before school. The day before, I had checked out a key work file from our work file server (classic SMB Windows server file share, not SharePoint). Failure 1: I skipped a step, and pulled it locally, instead of archiving it to the server and making a copy. Our process is arcane and complex at times, but it works. The document was a rather complex outline for a lengthy piece around SharePoint Search.

While I was working at the skating rink, I wrote a good 1,000 words, getting towards more than half of the article. Failure 2: I was working with the file on my desktop, not my SkyDrive folder. Failure 3: I wasn’t on the Internet while I was at the skating rink – they have no free WiFi available. As I wrote the piece, I noticed that my system was behaving really erratically. Apps were hanging and whitescreening, only to eventually come back. Running Process Explorer, I couldn’t see anybody pegging the CPU, so I couldn’t find an obvious culprit to blame. Looking back, the warning signs of impending HDD failure were all there. I had a bunch of USB Flash Drives (UFDs) with me, so I could have, and should have copied the file off. At the moment, I’m so terrified of HDD data loss, that I’m saving things into synchronized folders all over the place, and backing up everything to everywhere.

When my daughter was done skating, we headed home, and my wife took her and her sister to school as I headed to the office. I logged on, and my computer failed to resume – it was hibernated, and tried starting – only to BSOD. After the BSOD, it just hung at the Windows 8 whirligig on the boot screen. Once put in any other machine, the drive simply clicks away, and fails to mount. Dead.

Fortunately, I had been using Windows 8’s File History to back up my files. Failure 4: Because I was using it with an external USB HDD, I was inconsistent about backing it up, and hadn’t done so in a week. Meaning my outline file was dead. Gone. MIA.

I have to look back at my criticism of Windows To Go and even renew it a bit. Creating content on the go, unless you have WiFi or 3G/4G connectivity back to SharePoint, SkyDrive, Dropbox, etc., is an invitation to lose work as I did.

I often say that if you make a user opt-in to a process, they never will. My new backup mechanism involves technologies that all happen in the background, automatically, and don’t let me opt out, as I had done with Windows 8’s File History. Though nothing aside from me bailing the file before the HDD died on Wednesday could have saved it, at least I would have had the outline from backing it up earlier. But through a series of lazy step skipping on my behalf, I hosed myself. I am disappoint.

Given that I’ve had three HDDs die on me over the last year, and have lost a spot of data during all of them other than my iMac dying (thanks to Time Machine), I still ponder why modern operating systems seem to have inadequate or ineffective means to tell the user that their drive is failing and about to die.

Mar 13

Shut up and eat your GMOs

It’s with a fair amount of disappointment (disbelief?) that I read Bruce Ramsey’s article about Initiative 522 (Washington’s GMO labeling proposition) in the Seattle Times.

My belief, after reading this piece, is that Mr. Ramsey should generally refrain from writing when his familiarity with the topic at hand leads him to include the disclaimer “I am a novice”, as he did with the statement early in this article, “I am a novice on genetically modified organisms”.

There are three modalities of belief in the GMO (genetically modified organism) debate (or in any discussion of where our food comes from). Heck, it really applies to almost any topical debate.

  1. Apathy (no real concern one way or another – perhaps no familiarity to base an opinion on)
  2. Agreement (tolerance or fanaticism for the practice)
  3. Antipathy (some disagreement or more with the practice)

In my experience, when it comes to their food, Americans generally seem to fall contentedly into the category of apathy. Happy to ignore the complexities of where their food comes from, most Americans ignore the ugly underbelly of our industrialized food system until the evening news enlightens them to a new E. coli outbreak in antibiotic-laden, undercooked beef from a CAFO, or they latch on to a buzzword used by reporters like pink slime or “meat glue”. They happily go along with the ethos that, “Everything is okay until it’s not okay.” But when that concern passes, most turn back to their bread and circuses, and spend more energy focused on reality shows than what’s in the food their family is eating.

Mr. Ramsey’s piece clearly puts him in the “agreement” camp that GMOs are acceptable because, as he states, “People are trying to make an economic case in a matter that is mostly about belief.” and that they don’t need labels “…if it makes no difference to people’s health?” But it boggles my mind that Mr. Ramsey elected to prognosticate about the need to label GMOs – one way or the other – when he clearly has no background on the topic, or why labeling efforts ever came to be. Instead, he simply dismisses the debate about GMOs as if it were a figment of the imagination of those behind 522 – just ignorance on their part, or even more so, some evil conspiracy by “Big Organic” to foist its way of life upon the rest of the world. I don’t get where this idea can even begin to come from.

My own belief, based upon years of trying to understand the complexities of our food system, and trying to not turn a blind eye to the unpleasantness of it all, is that all of us in the US are being deceived about whether GMOs are or are not harmless – we are told “it’s fine” – but the people telling us that are the people making the GMO seed, and the profits as a result. There was no opportunity to question at the inception, and even as we face the impending likely approval of a GMO salmon, even with a huge public outcry, it appears that business may win out over unknowable, unanswerable questions about long-term health effects or environmental detriment from this fish being approved.

I’m clearly in the disagreement camp, and I am a firm believer that consumers should be transparently made aware of the possible risks of genetic modification, and given the option to know what foods (or often “foods”) contain GM crops.

Long ago, our government decided to look the other way about GMOs. Using a methodology called substantial equivalency, even over the objections of 9 FDA scientists, the FDA accepted the GMO industry’s stance that there is no difference between conventional breeding (hybridization) and bioengineering. Now maybe you have, but I’ve never seen a salmon mate with an eel, and I’ve never seen a bacterium mate with a papaya. Yet among other genetic cross-breeding, that’s what we’ve got today. If someone tells you there is no difference between hybridization and biotechnology, they’re lying to you (or trying to sell you GMO seed, and likely a pesticide cocktail to go with it).

The use of substantial equivalency is entirely biased towards the needs of producers rather than the general public. It is based around the (non-scientific) philosophy that a new food is like an old food, unless it isn’t. Dismissed by many scientists as not a safety assessment, rather a means to rubber-stamp new foods until otherwise proven hazardous, substantial equivalency has enabled GMO producers to throw countless food components onto our plates simply claiming they are safe, using a categorization called Generally Regarded As Safe (GRAS) until found to be otherwise – note the earlier article where the FDA has even turned a blind eye towards food that was found to not be safe. They aren’t even treated as an additive. Frankly, we’re still just learning what kind of baggage even comes along with GMOs. Note the two paragraphs in that Durango Herald article:

“Monsanto’s own feeding studies, however, showed that the genetic material in GMO corn that makes it pest-resistant was transferred to the beneficial bacteria in the intestinal tract of humans eating GMO corn. This potential for creating a pesticide factory in the human gut has gone untested.”

Followed by:

“Recent research has shown that GMO corn insecticidal proteins are found in the blood of pregnant women and their fetuses. Animal research has shown intestinal, liver, kidney and reproductive toxicity from both GM corn and soy. This does not bode well for the assertion of ‘substantial equivalence.’”

Yet GMOs are in almost everything you eat. Conventional corn, soy, canola, and likely soon, farm-raised, (antibiotic-laden) salmon!

People in the yes on GMO camp generally decry people saying no as “anti-science” or “nutcases”. I’m hardly anti-science, and I like to think I’m reasonably rational and well-balanced. But I believe as a species, we often jump into hasty “great ideas” only to later regret that idea. Radium. Thalidomide. Vioxx. History is littered with pharmaceuticals rushed to market only to be pulled back after fatalities exceeded the manufacturer’s clinical trials. I believe that often, our government officials err on the side of the businesses that pay for influence, rather than on the side of consumers, who merely vote them into office. In the case of GMOs in our foods, the rush to judgment isn’t on the side of the naysayers, it’s on the side of the government and industrial agricultural giants, who have foisted GMO crops on consumers, without ever questioning the long-term side effects, or offering consumers any other option aside from buying organically labeled foods, where GM ingredients are forbidden by definition.

If you don’t read anything else, Mr. Ramsey, I hope you will read this. There is no independent testing of GMOs. None. There is no long-term testing of GMOs. None. Not independent, and not black-box at the vendor either. As a consumer, you have absolutely no way, outside of eating exclusively organic, to know that you are not regularly ingesting GMOs. You dismissed the need for 522 not because you investigated and understood why GMOs are not good for us (let alone the planet), but because you inquired with one geneticist and a company trying to sell a GMO apple. Isn’t that rather like asking a WSU student what kind of education UW can provide? Yet GMOs are in almost everything you eat. You trivialize the need for labels, and point the finger at a local Co-op, Whole Foods, and other organic food proponents as renegades trying to force their world on you.

California’s recently failed proposition to label GMOs was, much as Washington’s was, created by volunteers. California’s was crushed under the weight of conventional food and agribusiness giants. They don’t want GMO labeling because, for the food producers, it will result in high cost for ingredients (for example, replacing high-fructose corn syrup, predominantly GM, with non-GM sugars), packaging changes, and reformulation costs. The agribusiness giants? Because it crushes their revenue stream. That’s why Monsanto spent millions to defeat the initiative, and surely will here as well.

I’m not exactly sure why you elected to land on the side of supporting GMOs, given your self-admitted naiveté. But I hope that in the future you will examine and understand the whole debate before injecting yourself into it and using your column to create (my belief) wrong-headed, uninformed public opinion.

The organizations and companies you finger pointed at being “behind 522”? Sure – they stand to make more profit if GMOs are labeled. But I honestly don’t believe that’s why PCC (a local Co-operative), among them, is doing it. They are backing it because consumers deserve to have a choice – to be pulled from their apathy that the industrial food suppliers have happily created – to understand what is in the foods that they buy, and make healthier and more sustainable choices. In the end, it won’t matter if 522 passes. Whole Foods has already decided to label all GMO foods in their stores by 2018. That’s still too far away, but it’s a light at the end of the tunnel.

I can go on discussing the unsustainability of GMOs at length – contrary to the public relations slogan, GMOs are not the only solution to feeding the world (http://www.huffingtonpost.com/jeffrey-smith/vilsack-mistakenly-pitche_b_319998.html). With their seed licensing costs, creation of a biologically unsustainable monoculture, high cost for other inputs matched to many of them, increasing requirements for more volume and higher toxicity herbicides and pesticides to accompany them as pests and weeds develop natural resistance, GMOs as the key to “feeding the world” are a myth.

Mar 13

Windows desktop apps through an iPad? You fell victim to one of the classic blunders!

I ran across a piece yesterday discussing one hospital’s lack of success with iPads and BYOD. My curiosity piqued, I examined the piece looking for where the project failed. Interestingly, but not surprisingly, it seemed that it fell apart not on the iPad, and not with their legacy application, but in the symphony (or more realistically the cacophony) of the two together. I can’t be certain that the hospital’s solution is using Virtual Desktop Infrastructure (VDI) or Remote Desktop (RD, formerly Terminal Services) to run a legacy Windows “desktop” application remotely, but it sure sounds like it.

I’ve mentioned before how I believe that trying to bring your legacy applications – applications designed for large displays, a keyboard, and a mouse, running on Windows 7/Windows Server 2008 R2 and earlier – are doomed to fail in the touch-centric world of Windows 8 and Windows RT. iPads are no better. In fact, they’re worse. You have no option for a mouse on an iPad, and no vendor-provided keyboard solution (versus the Surface’s two keyboard options which are, take them or leave them, keyboards – complete with trackpads). Add in the licensing and technical complexity of using VDI, and you have a recipe for disappointment.

If you don’t have the time or the funds to redesign your Windows application, but VDI or RD make sense for you, use Windows clients, Surfaces, dumb terminals with keyboards or mice – even Chromebooks were suggested by a follower on Twitter. All possibly valid options. But don’t use an iPad. Putting an iPad (or a keyboardless Surface or other Windows or Android tablet) in between your users and a legacy Windows desktop application is a sure-fire recipe for user frustration and disappointment. Either build secure, small-screen, touch-savvy native or Web applications designed for the tasks your users need to complete, ready to run on tablets and smartphones, or stick with legacy Windows applications – don’t try to duct tape the two worlds together for the primary application environment you provide to your users, if all they have are touch tablets.

Feb 13

Delight the customer

At an annual Microsoft company meeting early in my Microsoft career (likely around 1999), Steve Ballmer interrupted the lively flow of the event to read a few letters that had been sent to him from executives around the world. As I recall, Microsoft technology was not working perfectly for these customers, and they weren’t happy. After he read the letters, Steve broke into a speech about “delighting the customer” – a mantra he adopted for some time, and I continue to use to this day. Unfortunately, while that credo ran for a few years, I distinctly remember not hearing it for the last several years of my career at Microsoft before I left in 2004. Instead, the saying I remember hearing more was about shareholder value. Perhaps I over-remember the negative aspects, but that’s what sticks in my head.

My father helped me land my first job as a teenager. I worked at a Taco Bell in Montana that was privately owned. While many corporate-owned and franchised stores had a very forgiving policy on taco sauce packets (the customer always being right and all) and offered free refills, we included only two packets of hot sauce unless you paid for more, and had the soda fountain behind the counter – refills weren’t full-price, but they weren’t free either. The owner was steadfast about these policies, and became quite irate if you violated them – even when a customer became upset at these policies that differed wildly from any other Taco Bell they had ever been to. I hated it, and so did my peers, and our customers.

As I’ve mentioned before, my first job after college was selling VW’s and Subarus. The dealership I worked at was notoriously stingy, and they would “roll you” as the terminology for selling you a car goes, without floor mats (even the ones that had come in the car from the manufacturer) or a full tank of gas – unless the customer specifically asked for them. Customers would inevitably leave the dealership pissed, and possibly in a position where they wouldn’t be likely to return to us in the future for sales or service. Inevitably, I decided to play a few games with the sales process, and began telling customers, “You’re going to want to ask me about floor mats and a full tank of gas.” Inevitably, they’d reply back, “What about floor mats and a full tank of gas?” – and I’d say, “Great! We’ll make sure you’ve got floor mats and a full tank of gas.” It didn’t come out of my pocket in the sale, and frankly, I felt it wasn’t the dealership’s money to keep. More important to me, I even understood then that sales is all about making your customer feel great about their purchase – not making your customer feel like they just got shafted. Customers don’t tell friends, “Hey, I got shafted at that dealership on floor mats and gas. You should buy your car there.” No. They don’t do that.

For the past year or so, my VW GTI has had a slow leak in a tire on the driver’s side. Whenever the temperature dropped, I knew that the tire pressure management system (TPMS) would kick in and tell me that the tire had finally dropped enough pressure to be a problem. For the last 3 days beginning on Friday, this has gotten progressively worse, and I’ve had to inflate the tire every day (yes, I’m getting it fixed tomorrow).

On my way to work, in the northern end of Kirkland, there’s a 76 gas station that offers incredible service. Most importantly for me, they offer free air and water for your car if you need it – no purchase necessary.

This last Saturday morning, I had to stop by my office in Kirkland to pick up a coat that I had left there before my eldest daughter and I went skiing. As we left, I realized I needed to inflate the tire before I left town. I looked in my wallet, knowing I would have to pay $1.00 at the nearby Shell station to fill up the tire. Only three quarters, and $3 in single bills. Digging deeper, I found two dimes and a nickel. I headed over to the Shell station where I would blow $1 on 20 lbs of pressure for one tire – for the day.

I pulled the car up, and – since the machine only took quarters – headed in to the station for a quarter. The attendant was talking quite loudly on the phone, and even though he saw me, continued rambling on his (personal) call while I waited at the counter… for a quarter. After a minute or so, he asked, “What do you need?” in a terse tone. I said, “Need to swap this change for a quarter for the air machine.” He huffed at me, got up, opened the till and swapped my change for a quarter. I left, filled up the tire, got in the car, and told my daughter, “I’m never stopping here again for air – or gas.”

I don’t have a problem with someone charging me for air or water. It’s their business. But then don’t be an a-hole when the extent of my transaction with you for the day is that purchase of air. The 76 station in Kirkland gives away air and water. Not because buying that equipment or running those services is free. No, it’s a loss leader. You give those away and when a customer needs gas, they’ll keep you front of mind. Delight your customer. Tonight, as I drove home, I had to fill up my tire again before I can take it in for service in the morning. I stopped and filled up my gas tank while I was there as thanks to them.

When you nickel and dime your customers, you make their lives more complex, you can frustrate them, and make them angry and vengeful. They don’t forget that. When you treat your customers with respect – and go out of your way to help them – they also don’t forget that. Delight your customers.

Nov 12

Why no news on winappupdate.com? I’ve been traveling!

Apologies for the lack of updates recently. While the Windows Store has been growing by ~500 apps per day worldwide, only a fraction of these are truly stellar apps, and filtering out the wheat is still a manual process – something I can only do when time allows. Similarly, my rollup reports of the store are a relatively manual process that I hope to automate someday. That day is not today. Given a subtle jab that might seem to imply that a lack of news from me here means a lack of anything important in the Windows Store, I thought I’d clarify. I do try to check in on Twitter several times per day, but only do updates here when there is really major news or I’ve had time to do a major report.

This past month has been relatively insane for me, with Build, PASS Summit 2012, SharePoint Conference 2012, and vacation to the Internet-weak wilds of Wyoming for Thanksgiving with family last week. Real work has to come first for me, so that didn’t leave a lot of time for updates on the Windows Store. Combined with the lack of real huge news on the store (besides raw number growth, which I’m trying to move away from emphasizing, since it isn’t the most important metric by any means), there wasn’t much to post here, or time to post it. If you get lonely for updates here, please check Twitter!

I will be doing a rollup report this week, where I’ll discuss the state of the store, categories, which markets are strongest, and a few other details. Stay tuned.

Nov 09

iPhone Security

I like opening with that subject – because it’s two words that Apple seems to never want to see next to each other.

On Slashdot today, an article covered my friends from F-Secure discussing the barriers that are precluding the antivirus industry from making inroads in protecting iPhones from malware.

Indeed, they are correct, you cannot build A/V into the iPhone platform – the API is explicitly designed to forbid that. However, I have to counterpoint. I mentioned in a tweet several days ago:

The constraints keeping security s/w from diving deeper into the iPhone platform are the same ones precluding any need for them.

Yes, you read that right. I’m saying that the iPhone doesn’t need antivirus. Instead, Apple’s bigger problem is the lack of a mature platform management solution for the iPhone. Let me show you why.

When I went to Winternals, we rapidly discovered a giant chasm in security as Mark and I discussed how UAC (LUA at the time) would fall far short of creating a security boundary for Windows Vista (and continues to do so for Windows 7). The chasm is the latency between these steps:

  1. Exploit is identified
  2. Malware is authored and released
  3. Malware spreads
  4. Malware is identified
  5. Malware can be contained

You see, the flaw is that step 4 has to exist at all.

The fundamental flaw is blacklisting. Instead of fighting the good (but intractable) fight trying to identify all of the bad code, whitelisting relies on the premise that only known good, known trusted, code can start at all.

At Winternals, we created Protection Manager to respond to this hole in the security market. The key goals of the product were to only let known trusted code run, and to optionally run it with least privilege. In 2006, Microsoft acquired Winternals and, regrettably, discontinued the Protection Manager product. While Windows 7 features AppLocker, which theoretically applies whitelisting to Software Restriction Policies, I believe AppLocker has some fundamental shortcomings that I’ll discuss in a future post. Some aspects of Protection Manager carried forward, most notably the premise that a Digital Signature (code signing) is the best way of authenticating that code:

  1. Comes from a trusted source and
  2. Has not been tampered with since publication

After Winternals, I worked on whitelisting again at CoreTrace, where the Bouncer product evolved to also recognize the importance of Digital Signatures, as one of the sources of Trusted Change. Only known trusted code is allowed to execute first off, and only code with specific properties is allowed to enable new code to be added to the whitelist.
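The whitelisting decision described in the two paragraphs above (only code that is signed by a trusted publisher, and unchanged since it was signed, is allowed to start), set beside the blacklist that step 4 of the latency chain depends on, as an added Go example. This is not code from Winternals, CoreTrace or Apple: the publisher names, the byte strings standing in for binaries, and the choice of Ed25519 over a SHA-256 hash of the code are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sentinel refusals. Each corresponds to one property a signature is meant
// to prove about a piece of code, and what fails when it cannot.
var (
	ErrUnsigned  = errors.New("refused: no signature present")
	ErrUntrusted = errors.New("refused: signer is not a trusted publisher")
	ErrTampered  = errors.New("refused: signature does not match code")
)

// SignedCode is what a loader is handed: the code bytes, the claimed
// publisher, and that publisher's signature over the hash of the code.
type SignedCode struct {
	Publisher string
	Code      []byte
	Sig       []byte
}

// Whitelist maps publisher names to the public keys the organization trusts.
// Nothing else executes, however "clean" it looks to a scanner.
type Whitelist map[string]ed25519.PublicKey

func codeHash(code []byte) []byte {
	h := sha256.Sum256(code)
	return h[:]
}

// Sign is the publisher's release step: sign the hash of the code.
func Sign(priv ed25519.PrivateKey, publisher string, code []byte) SignedCode {
	return SignedCode{Publisher: publisher, Code: code, Sig: ed25519.Sign(priv, codeHash(code))}
}

// Authorize is the whitelisting decision. It returns nil only when the code is
// signed by a key on the whitelist (trusted source) and the signature verifies
// over the bytes actually presented (not tampered with since publication).
func (w Whitelist) Authorize(sc SignedCode) error {
	if len(sc.Sig) == 0 {
		return ErrUnsigned
	}
	pub, ok := w[sc.Publisher]
	if !ok {
		return ErrUntrusted
	}
	if !ed25519.Verify(pub, codeHash(sc.Code), sc.Sig) {
		return ErrTampered
	}
	return nil
}

// BlacklistAllows models the antivirus approach: code runs unless its hash is
// already on the list of known-bad hashes. Code nobody has catalogued yet is,
// by definition, not on that list, which is the step-4 latency problem.
func BlacklistAllows(knownBad map[[32]byte]bool, code []byte) bool {
	return !knownBad[sha256.Sum256(code)]
}

// Outcome collects the loader decisions for the constructed samples below.
type Outcome struct {
	Trusted, Unsigned, Untrusted, Tampered error
	BlacklistAllowsNewMalware             bool
}

// Scenarios runs the four whitelist decisions plus the blacklist comparison
// on constructed sample "binaries" (byte strings standing in for code).
func Scenarios() Outcome {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // enrolled publisher (assumed)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)       // key nobody enrolled
	wl := Whitelist{"ExampleVendor": vendorPub}

	app := []byte("constructed sample: approved line-of-business app v1")
	newMalware := []byte("constructed sample: worm nobody has catalogued yet")

	signed := Sign(vendorPriv, "ExampleVendor", app)

	// Same signature, but one byte of the code flipped after signing.
	tampered := signed
	tampered.Code = append([]byte{}, app...)
	tampered.Code[0] ^= 0xff

	// A blacklist built from last year's sample knows nothing about the new one.
	knownBad := map[[32]byte]bool{sha256.Sum256([]byte("constructed sample: last year's worm")): true}

	return Outcome{
		Trusted:                   wl.Authorize(signed),
		Unsigned:                  wl.Authorize(SignedCode{Publisher: "ExampleVendor", Code: app}),
		Untrusted:                 wl.Authorize(Sign(strangerPriv, "Stranger", newMalware)),
		Tampered:                  wl.Authorize(tampered),
		BlacklistAllowsNewMalware: BlacklistAllows(knownBad, newMalware),
	}
}

func main() {
	o := Scenarios()
	fmt.Println("trusted app:      ", o.Trusted)
	fmt.Println("unsigned app:     ", o.Unsigned)
	fmt.Println("untrusted signer: ", o.Untrusted)
	fmt.Println("tampered app:     ", o.Tampered)
	fmt.Println("blacklist lets new malware run:", o.BlacklistAllowsNewMalware)
}
```

The whitelist refuses the unsigned, untrusted and tampered samples without knowing anything about what they do, while the blacklist waves the uncatalogued sample through; the only thing an attacker can usefully go after in the whitelist model is the signing infrastructure itself, which is the point the post makes about the iPhone below.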

Today, you hear mention all over the Internet of the rickrolling iPhone worm. Many have mimicked the code created on a whim by Ashley Towns, the worm’s creator. But the fundamental issue here isn’t the iPhone’s susceptibility to malware. Nope. Not at all.

You see, all existing worms that have compromised the iPhone rely on the fact that the iPhone must be both jailbroken and it must then have SSH installed, with an unmodified root password. Both qualify as best of breed “worst practices” from a security perspective.

In fact, those of us who haven’t jailbroken our iPhones (not arguing the ethics of that – that’s a separate conversation for another time) were not, and are not, susceptible at all. Why? Because the iPhone infrastructure as defined by Apple utilizes whitelisting. Only applications signed by software vendors that Apple has authorized (and that have signed the code) are ever countersigned by Apple and pushed through the App Store to be downloaded for purchase. Similar, but not as restrictive, constraints exist for Apple’s Enterprise program for application publishing.

To date, I have not seen any published malware that runs on an iPhone that has not been jailbroken or otherwise forced to run unsigned code (see Law #1 in the 10 Immutable Laws of Security). Any hack that does ever do so will rely on somehow compromising the signature infrastructure used for application publishing on the iPhone by Apple.

You may recall my original point – that the problem was the lack of enterprise management software for the iPhone itself. At CoreTrace, we were approached by an organization we were already working with that was coming to grips with the growing number of Macs – and, even more concerning, the number of “rogue” iPhones (phones brought in by employees, and connected to the local wireless network and/or Exchange Server without IT ownership at any level).

The more we dug into it and researched, including the limited analysis necessary of the iPhone API and two fun, but largely circular conversations with Apple in Cupertino, the more we realized that they weren’t asking for, nor could we deliver (at least on non-jailbroken hardware) any form of “Bouncer for iPhone”.

Instead of security, the problem the iPhone poses to an enterprise admin is this: as an organization, you don’t need to control what is running on your iPhones from a “bad code” perspective; rather, the iPhone needs hardcore, Apple-provided (and secured) management in order to control how “renegade” the devices themselves are. That means the ability to:

  1. Prevent connectivity of jailbroken hardware to an organization (Exchange, wireless, Bluetooth, or other)
  2. Prevent jailbreaking of connected hardware (or sever connectivity at a hardware level when it occurs)
  3. Explicitly control which Apple or Enterprise published applications can be downloaded or run on connected iPhones (don’t allow games, allow only these 10 applications, etc)
  4. Explicitly control the iPhone’s software image, configuration, and settings (much as Group Policy can do with Microsoft Windows systems) – NOT trying to reverse engineer how images get pushed out in a decentralized way via iTunes itself
  5. Explicitly control how applications can access any PII on the device or in documents (GPS location, email addresses, address book or call history info, etc)
  6. Explicitly control document DRM on the platform as IRM/RMS can do for Microsoft Office and Windows

Today (even following those conversations with Apple), KACE is the only vendor I’m aware of that performs any aspect of this kind of work, besides Apple’s weak Configuration Utility. KACE’s offering is very comprehensive – but both approaches suffer from the fact that they are after-the-fact management solutions, not built into the hardware and software of the iPhone itself.

From the time that I was at Microsoft, I kept hearing more and more “security experts” talk about how the impending doomsday was coming for handhelds. It still hasn’t really come. I believe that through their native use of whitelisting, Apple has fended this threat off for the foreseeable future for the iPhone platform. Instead, I believe that the biggest problem facing the iPhone isn’t “potential attackers” – there will be plenty of those – but their chance of success is very low.

Instead, it is the iPhone’s impending success eating into the enterprise market from the bottom up that is the problem. The lack of an enterprise management solution that is built into the deepest aspects of the system will not preclude the iPhone’s success at building up a rogue enterprise following. But it will both leave a bad taste in the mouth of the IT admins fighting the good fight to try and keep their organizations secure, and potentially introduce some bad compliance-related headaches in organizations already struggling to keep/retain compliance, due to the lack of DRM and platform control over the device itself and any information on it.

Apple itself needs to come to terms that the iPhone (and the Mac platform itself, frankly) need proper security and policy management at the lowest levels, or de-emphasize their viability as an enterprise platform on both counts.

Sorry for the length of this post – but this topic has been burning in me for a bit – I needed to get it all down for the record.