A little reverse psychology, eh? Don’t worry, trying to get this faux fortune will only cost you $450 from the spammers… or maybe more. Interesting that the name of the contact, Mr.James Richard, is written with the same missing space after “Mr.” every single time, which is a telltale sign of either a bad copy/paste or a machine-generated form letter.

Delete messages like this; don’t reply to them.

From: “Mrs. CYNDY BANKS”

Subject: YOU ARE ADVISED TO STOP CONTACTING THEM!!!

Date: May 29, 2017 at 2:36:50 AM MST


Great News, YOU ARE ADVISED TO STOP CONTACTING THEM!!!

I am Mrs. CYNDY BANKS, I am a US citizen, 42 years Old. I reside here in Spring City, Pennsylvania. My residential address is as follows. 3663 Schuylkill Rd# 1, Spring City, Pennsylvania, United States, am thinking of relocating since I am now rich. I am one of those that took part in the Compensation in Troy Illinois many years ago and they refused to pay me, I had paid over $52,000 while in the United States trying to get my payment all to no avail.

I decided to travel down to Troy Illinois with all my compensation documents and i was directed to meet Mr.James Richard he is among the member of the COMPENSATION AWARD COMMITTEE, I contacted him and he explained everything to me. He said whoever is contacting us through emails are fake because the Inheritance/Compensation Law clearly states that the beneficiary/recipient is exempt from paying any out of pocket fees or charges to receive said funds.

Mr.James Richard took me to the paying bank for the claim of my Compensation payment. Right now I am the happiest woman on earth because I have received my compensation funds of $9,500,000.00 (nine million five hundred thousand dollars).

Moreover, Mr.James Richard showed me the full information of those that are yet to receive their payments and I saw your name and email address as one of the beneficiaries that is why I decided to email you to stop dealing with those people, they are not with your funds, they are only making money out of you. I will advise you to contact Mr.James Richard you have to contact him directly on this information below.

COMPENSATION AWARD HOUSE

Name: Mr.James Richard

Email:james.richard1155@gmail.com

Listed below are the name of mafias and banks behind the non release of your funds that I managed to sneak out for your kind perusal.

1) Prof. Charles soludo

2) Senator David Mark

2) Micheal Edward

3) Chief Joseph Sanusi

3) Sanusi Lamido

4) Dr. R. Rasheed

5) Mr. David Koffi

6) Barrister Awele Ugorji

7) Mr. Roland Ngwa

8) Barrister Ucheuzo Williams

9) Mr. Ernest Chukwudi Obi

10) Dr. Patrick Aziza Deputy Governor – Policy / Board Member

11) Mr. Tunde Lemo Deputy Governor – Financial Sector Surveillance/Board Member

12) Mrs. W. D. A. Mshelia Deputy Governor – Corporate Services / Board Members

13) Mrs. Okonjo Iweala

14) Mrs. Rita Ekwesili

15) Barr Jacob Onyema

16) Dr. Godwin Oboh: Director Union Bank Of Nigeria.

17) Mr. John Collins: Global Diplomat Director.

18) Foreign fund diplomatic courier

19) Barr. Becky Owens

20) Rev. Steven Jones

21) Mr. Alfred james

22) Mrs. Sherry Williams

23) Mr. Scott Larry

You really have to stop dealing with those people that are contacting you and telling you that your fund is with them, it is not in anyway with them, they are only taking advantage of you and they will dry you up until you have nothing. The only money I paid after I met Mr.James Richard was just $450 for the delivery charges, take note of that.

(NOTE: TELLING YOU TO PAY FOR ANY DELIVERY OR COURIER CHARGE IS ALL NOTHING BUT LIES, I REPEAT THE ONLY MONEY YOU WILL HAVE TO PAY AND WHICH I ALSO PAID IS $450 FOR THE DELIVERY CHARGES IMPOSED BY THE GOVERNMENT AND YOUR PACKAGE CONTAINING YOUR CERTIFIED BANK DRAFT CHEQUE WILL BE REACHING YOU THROUGH THE EXPRESS COURIER SERVICE).

Once again stop contacting those people, I will advise you to contact Mr.James Richard so that he can help you to deliver your funds instead of dealing with those liars that will be turning you around asking for different kind of money to complete your transaction.

“Someone is waiting just for you / Spinnin’ wheel, spinnin’ true.”

Those lyrics to a 1969 song by Blood, Sweat & Tears could also describe 2017 enterprise apps that time-out or fail because of dropped or poor connectivity. Wheels spin. Data is lost. Applications crash. Users are frustrated. Devices are thrown. Screens are smashed.

It doesn’t have to be that way. Always-on applications can continue to function even when the user loses an Internet or Wi-Fi connection. With proper design and testing, you won’t have to handle as many smartphone accidental-damage insurance claims.

Let’s start with the fundamentals. Many business applications are friendly front ends to remote services. The software may run on phones, tablets, or laptops, and the services may be in the cloud or in the on-premises data center.

When connectivity is strong, with sufficient bandwidth and low latency, the front-end software works fine. The user experience is excellent. Data sent to the back end is received and confirmed, and data served to the user front end is transmitted without delay. Joy!

When connectivity is non-existent or fails intermittently, when bandwidth is limited, and when there’s too much latency — which you can read as “Did the Internet connection go down again?!” — users immediately feel frustration. That’s bad news for the user experience, and also extremely bad in terms of saving and processing transactions. A user who taps a drop-down menu or presses “Enter” and sees nothing happen might progress to multiple clicks, a force-reset of the application, or a reboot of the device, any of which could result in data loss. Submitted forms and uploads could be lost in a time-out, or, worse, submitted twice when the user retries a request that actually went through but whose acknowledgement never came back. Sessions could halt. In some cases, the app could freeze (with or without a spinning indicator) or crash outright. Disaster!
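One design that addresses the failure modes above is a durable outbox: every request is committed to local storage before the app reports it as saved, delivered with retries and backoff, and deleted only after the server acknowledges it; an idempotency key attached at enqueue time lets the server refuse to apply a retried request twice. The following is an added example, not code from the original post or from the HPE article it links to; the `FlakyServer` back end, its lost-acknowledgement behaviour and the log-free SQLite schema are all constructed for illustration.

```python
import json
import random
import sqlite3
import time
import uuid


class Outbox:
    """Durable store-and-forward queue for requests the app could not deliver yet.

    Every request is committed to local storage with an idempotency key before
    the app reports it as "saved"; it is deleted only after the server has
    acknowledged it. A retry after a lost acknowledgement therefore cannot lose
    the transaction, and the key lets the server refuse to apply it twice.
    """

    def __init__(self, path: str = ":memory:"):   # use a real file path on a device
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS outbox ("
            " key TEXT PRIMARY KEY, payload TEXT NOT NULL, attempts INTEGER NOT NULL DEFAULT 0)"
        )
        self.db.commit()

    def enqueue(self, payload: dict) -> str:
        key = str(uuid.uuid4())                  # idempotency key, fixed for the life of the request
        self.db.execute("INSERT INTO outbox (key, payload) VALUES (?, ?)", (key, json.dumps(payload)))
        self.db.commit()                         # on disk before we return: survives a force-quit
        return key

    def pending(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM outbox").fetchone()[0]

    def flush(self, send, max_attempts: int = 6, base_delay: float = 0.5) -> int:
        """Deliver queued requests in order; returns how many were acknowledged.

        `send(key, payload)` returns True only on a confirmed acknowledgement.
        Anything still unacknowledged after `max_attempts` stays queued for the
        next flush (or for the user to be told about) rather than being dropped.
        """
        delivered = 0
        rows = self.db.execute("SELECT key, payload, attempts FROM outbox ORDER BY rowid").fetchall()
        for key, payload, attempts in rows:
            data = json.loads(payload)
            while attempts < max_attempts:
                if send(key, data):
                    self.db.execute("DELETE FROM outbox WHERE key = ?", (key,))
                    self.db.commit()
                    delivered += 1
                    break
                attempts += 1
                self.db.execute("UPDATE outbox SET attempts = ? WHERE key = ?", (attempts, key))
                self.db.commit()
                # exponential backoff with jitter so reconnecting clients do not stampede
                time.sleep(min(base_delay * 2 ** (attempts - 1), 30.0) * random.uniform(0.5, 1.5))
        return delivered


class FlakyServer:
    """Constructed back end: processes each key once, but loses the first few acks."""

    def __init__(self, lost_acks: int):
        self.lost_acks = lost_acks
        self.applied = {}     # idempotency key -> payload: the server's dedup table
        self.calls = 0

    def handle(self, key: str, payload: dict) -> bool:
        self.calls += 1
        self.applied.setdefault(key, payload)    # a retried key is a no-op, not a second transaction
        if self.calls <= self.lost_acks:
            return False                         # ack lost in transit: the client sees a timeout
        return True


def demo(lost_acks: int = 2) -> dict:
    """Two queued forms, a server that drops `lost_acks` acknowledgements."""
    outbox = Outbox()
    server = FlakyServer(lost_acks)
    outbox.enqueue({"form": "budget", "amount": 1200})
    outbox.enqueue({"form": "expense", "amount": 85})
    delivered = outbox.flush(server.handle, base_delay=0.0)
    return {"delivered": delivered, "pending": outbox.pending(),
            "server_records": len(server.applied), "server_calls": server.calls}


if __name__ == "__main__":
    print(demo())
```

With two lost acknowledgements the budget form is sent three times but recorded once, and nothing is left in the queue; if the outage outlasts `max_attempts`, the unacknowledged request is still in the outbox rather than gone. On a real device the server must remember keys for at least as long as a client might keep retrying.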

What can you do about it? Easy: Read my article for HP Enterprise Insights, “How to design software that doesn’t crash when the Internet connection fails.”


Movie subtitles — those are the latest attack vector for malware. According to Check Point Software, by crafting malicious subtitle files, which a victim’s media player then downloads and parses, attackers can exploit vulnerabilities in the subtitle-handling code of many popular players to take complete control of the device. The affected media players include VLC, Kodi (XBMC), Popcorn-Time and strem.io.

I was surprised to see that this would work, because I thought that text subtitles were just that – text. Silly me. Subtitles, whether shipped as separate files or embedded in the media container (an mp4 movie, say), come in dozens of different formats, each with unique features, markup, metadata, and payloads. Parsing that data safely is hard, and the files are usually fetched from public subtitle repositories rather than from whoever published the movie. To quote Check Point:

These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.

Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.

According to Check Point, more than 200 million users (or devices) are potentially vulnerable to this exploit. The risk?

Damage: By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

Here’s an infographic from Check Point:

What this has in common with steganography, where secret data is hidden inside image files, is the innocuous container: nobody suspects a subtitle file. We have all become familiar with malicious macros, such as those hidden inside Microsoft Word .doc/.docx or Microsoft Excel .xls/.xlsx files. Those continue to become more sophisticated, even as antivirus and anti-malware scanners become more adept at detecting them. Similarly, executables and other malware can be hidden inside Adobe .pdf documents, or even inside image files.

Interestingly, sometimes that malware can be neutralized by format conversion. For example, you can turn a metadata-rich format into a dumb format. Turn a Word doc into rich text or plain text, and good-bye, malicious macro. Similarly, re-encoding a malicious JPEG as a bitmap discards the JPEG header, trailer and embedded metadata, and any payload hidden there with them. Of course, you’d lose other benefits as well, especially if there are benign or useful macros or metadata. That’s just how it goes.
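The same “convert to a dumb format” idea applies to subtitles: rather than letting the media player interpret whatever markup a downloaded file contains, a strict parser can accept only well-formed SRT cues, strip every tag, cap sizes, and re-emit plain text. The following is an added example of such a sanitizer, not code from the original post or from Check Point’s research; it handles only the SRT format, the size limits are arbitrary, and the sample file is constructed (it exercises HTML-style and ASS-style tags, a cue that ends before it starts, a broken block and an over-long line, not any real exploit).

```python
import re

MAX_LINES_PER_CUE = 4
MAX_LINE_CHARS = 200
MAX_CUES = 5000

_TS = r"\d{2}:\d{2}:\d{2},\d{3}"
_TIMING_RE = re.compile(rf"^({_TS}) --> ({_TS})$")
# HTML-style <b>, <font ...> tags and ASS-style {\an8} overrides; the length
# bound keeps a stray "<" from swallowing the rest of the cue
_MARKUP_RE = re.compile(r"<[^<>]{0,64}>|\{[^{}]{0,64}\}")
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def _to_millis(ts: str) -> int:
    hh, mm, rest = ts.split(":")
    ss, ms = rest.split(",")
    return ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)


def _to_timestamp(ms: int) -> str:
    return f"{ms // 3600000:02d}:{ms // 60000 % 60:02d}:{ms // 1000 % 60:02d},{ms % 1000:03d}"


def parse_srt_strict(text: str):
    """Return (cues, rejected); each cue is (start_ms, end_ms, [plain text lines])."""
    cues, rejected = [], []
    text = text.replace("\r\n", "\n").lstrip("\ufeff").strip("\n")
    for block in re.split(r"\n[ \t]*\n", text):
        lines = block.split("\n")
        if len(lines) < 3 or not lines[0].strip().isdigit():
            rejected.append("malformed block header")
            continue
        timing = _TIMING_RE.match(lines[1].strip())
        if timing is None:
            rejected.append("malformed timing line")
            continue
        start, end = _to_millis(timing.group(1)), _to_millis(timing.group(2))
        if end <= start:
            rejected.append("non-positive duration")
            continue
        # strip markup and control characters; what is left is displayable text only
        body = [_CONTROL_RE.sub("", _MARKUP_RE.sub("", line)) for line in lines[2:]]
        if len(body) > MAX_LINES_PER_CUE:
            rejected.append("too many lines")
            continue
        if any(len(line) > MAX_LINE_CHARS for line in body):
            rejected.append("over-long line")
            continue
        cues.append((start, end, body))
        if len(cues) > MAX_CUES:
            raise ValueError("subtitle file has too many cues")
    return cues, rejected


def render_plain_srt(cues) -> str:
    """Re-emit the cues as plain SRT with no markup, renumbered from 1."""
    blocks = [
        f"{i}\n{_to_timestamp(s)} --> {_to_timestamp(e)}\n" + "\n".join(lines)
        for i, (s, e, lines) in enumerate(cues, start=1)
    ]
    return "\n\n".join(blocks) + "\n"


# constructed input: two legitimate cues with markup, then three that must be rejected
SAMPLE_SRT = (
    "1\n00:00:01,000 --> 00:00:03,500\n<i>Hello</i> there.\n\n"
    "2\n00:00:04,000 --> 00:00:06,000\n{\\an8}<font color=\"#ff0000\">Top line</font>\nSecond line\n\n"
    "3\n00:00:07,000 --> 00:00:06,000\nEnds before it starts\n\n"
    "4\nnot a timing line\nBroken block\n\n"
    "5\n00:00:08,000 --> 00:00:09,000\n" + "A" * 300 + "\n"
)

if __name__ == "__main__":
    good, bad = parse_srt_strict(SAMPLE_SRT)
    print(render_plain_srt(good))
    print("rejected:", bad)
```

The sanitizer is deliberately a whitelist: anything that does not match the narrow SRT grammar is dropped and reported, rather than passed through to the player in the hope that it is harmless.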

See you at the movies!

March 2003: The U.S. International Trade Commission released a 32-page paper called, “Protecting U.S. Intellectual Property Rights and the Challenge of Digital Piracy.” The authors, Christopher Johnson and Daniel J. Walworth, cited an article I wrote for the Red Herring in 1999.

Here’s the abstract of the ITC’s paper:

ABSTRACT: According to U.S. industry and government officials, intellectual property rights (IPR) infringement has reached critical levels in the United States as well as abroad. The speed and ease with which the duplication of products protected by IPR can occur has created an urgent need for industries and governments alike to address the protection of IPR in order to keep markets open to trade in the affected goods. Copyrighted products such as software, movies, music and video recordings, and other media products have been particularly affected by inadequate IPR protection. New tools, such as writable compact discs (CDs) and, of course, the Internet have made duplication not only effortless and low-cost, but anonymous as well. This paper discusses the merits of IPR protection and its importance to the U.S. economy. It then provides background on various technical, legal, and trade policy methods that have been employed to control the infringement of IPR domestically and internationally. This is followed by an analysis of current and future challenges facing U.S. industry with regard to IPR protection, particularly the challenges presented by the Internet and digital piracy.

Here’s where they cited yours truly:

To improve upon the basic encryption strategy, several methods have evolved that fall under the classification of “watermarks” and “digital fingerprints” (also known as steganography). Watermarks have been considered extensively by record labels in order to protect their content.44 However, some argue that “watermarking” is better suited to tracking content than it is to protecting against reproduction. This technology is based on a set of rules embedded in the content itself that define the conditions under which one can legally access the data. For example, a digital music file can be manipulated to have a secret pattern of noise, undetectable to the ear, but recorded such that different versions of the file distributed along different channels can be uniquely identified.45 Unlike encryption, which scrambles a file unless someone has a ‘key’ to unlock the process, watermarking does not intrinsically prevent use of a file. Instead it requires a player–a DVD machine or MP3 player, for example–to have instructions built in that can read watermarks and accept only correctly marked files.”46

Reference 45 goes to

Alan Zeichick, “Digital Watermarks Explained,” Red Herring, Dec. 1999
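The watermark the ITC paper describes, a secret pattern of noise too faint to hear whose variants identify the distribution channel, can be shown in a few dozen lines. The following is an added example, not code from the original article or the ITC paper: a spread-spectrum mark in which each identifier bit is spread over a run of samples as a key-derived ±1 sequence at an amplitude of 4 PCM units, and a detector that correlates the difference between a suspect copy and the distributor’s retained original against that sequence. The host audio is a constructed 440 Hz tone, the key and channel identifiers are made up, and the “noise” step stands in for the small damage a re-encoded copy would suffer.

```python
import hashlib
import math
import random

SAMPLE_RATE = 8000   # Hz; constructed example audio, mono 16-bit PCM
CHIP_LEN = 2048      # samples spent on each identifier bit (0.256 s at 8 kHz)
ID_BITS = 16         # width of the per-channel identifier
STRENGTH = 4         # added-noise amplitude in PCM units: roughly -78 dBFS, inaudible


def make_host_audio(seconds: float = 4.5) -> list[int]:
    """Constructed host signal: a 440 Hz tone at roughly -12 dBFS."""
    n = int(SAMPLE_RATE * seconds)
    return [int(8000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE)) for i in range(n)]


def keyed_chips(key: bytes, n: int) -> list[int]:
    """Secret pseudorandom +/-1 sequence; only the key holder can regenerate it."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 else -1 for _ in range(n)]


def embed_watermark(host: list[int], key: bytes, channel_id: int) -> list[int]:
    """Return a copy of `host` carrying `channel_id` as key-dependent low-level noise."""
    if not 0 <= channel_id < (1 << ID_BITS):
        raise ValueError("channel_id does not fit in ID_BITS")
    needed = ID_BITS * CHIP_LEN
    if len(host) < needed:
        raise ValueError("host audio too short for the identifier")
    chips = keyed_chips(key, needed)
    marked = list(host)
    for b in range(ID_BITS):
        bit = (channel_id >> (ID_BITS - 1 - b)) & 1      # most significant bit first
        sign = 1 if bit else -1
        base = b * CHIP_LEN
        for j in range(CHIP_LEN):
            sample = host[base + j] + sign * STRENGTH * chips[base + j]
            marked[base + j] = max(-32768, min(32767, sample))   # stay within 16-bit range
    return marked


def detect_watermark(suspect: list[int], original: list[int], key: bytes) -> int:
    """Recover the channel identifier from a (possibly degraded) copy.

    Informed detection: the distributor keeps the unmarked original, so the
    residual (suspect - original) is the watermark plus whatever damage the
    copy suffered. Correlating the residual with the keyed chips makes each
    bit's sign stand out even under added noise.
    """
    needed = ID_BITS * CHIP_LEN
    chips = keyed_chips(key, needed)
    channel_id = 0
    for b in range(ID_BITS):
        base = b * CHIP_LEN
        corr = sum((suspect[base + j] - original[base + j]) * chips[base + j] for j in range(CHIP_LEN))
        channel_id = (channel_id << 1) | (1 if corr > 0 else 0)
    return channel_id


def add_noise(samples: list[int], amplitude: int, seed: int = 1) -> list[int]:
    """Constructed degradation: uniform random noise standing in for re-encoding."""
    rng = random.Random(seed)
    return [max(-32768, min(32767, s + rng.randint(-amplitude, amplitude))) for s in samples]


if __name__ == "__main__":
    host = make_host_audio()
    key = b"distributor secret"
    leaked = add_noise(embed_watermark(host, key, 0xBEEF), 20)
    print(hex(detect_watermark(leaked, host, key)))   # the channel the leaked copy came from
```

Each bit is recovered from a correlation of 2048 terms, so noise five times louder than the mark itself still leaves the sign unmistakable; that redundancy, not the amplitude, is what makes the mark survive. As the ITC paper notes, this traces a copy rather than preventing one: without the key nobody can read or remove the mark, but nothing stops the file from playing.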

Another paper that referenced that Red Herring article is “Information Technology and the Increasing Efficacy of Non-Legal Sanctions in Financing Transactions.” It was written by Ronald J. Mann of the University of Michigan Law School.

Sadly, my digital watermarks article is no longer available online.

According to a depressing story in Harvard Business Review, venture capitalists consider female entrepreneurs to be quite different from male ones, and the perceived difference is not flattering. According to the May 17, 2017, story, “We Recorded VCs’ Conversations and Analyzed How Differently They Talk About Female Entrepreneurs”:

Aside from a few exceptions, the financiers rhetorically produce stereotypical images of women as having qualities opposite to those considered important to being an entrepreneur, with VCs questioning their credibility, trustworthiness, experience, and knowledge.

This research was done in Sweden in 2009-2010, and used transcribed discussions by a diverse panel of VCs considering 125 venture applications. The story continues,

Men were characterized as having entrepreneurial potential, while the entrepreneurial potential for women was diminished. Many of the young men and women were described as being young, though youth for men was viewed as promising, while young women were considered inexperienced. Men were praised for being viewed as aggressive or arrogant, while women’s experience and excitement were tempered by discussions of their emotional shortcomings. Similarly, cautiousness was viewed very differently depending on the gender of the entrepreneur.

The results were what you would expect:

Women entrepreneurs were only awarded, on average, 25% of the applied-for amount, whereas men received, on average, 52% of what they asked for. Women were also denied financing to a greater extent than men, with close to 53% of women having their applications dismissed, compared with 38% of men.

Read the HBR paper; you’ll be unhappy with what you see. Credit for the research goes to Malin Malmstrom, professor of Entrepreneurship and Innovation at Luleå University of Technology; Jeaneth Johansson, professor of Accounting and Control at Halmstad University and Luleå University of Technology; and Joakim Wincent, professor of Entrepreneurship and Innovation at Luleå University of Technology and Hanken School of Economics.

From eWeek’s story, “Proposed Laptop Travel Ban Would Wreak Havoc on Business Travelers,” by Wayne Rash:

A current proposal from the Department of Homeland Security to mandate that large electronic devices be relegated to checked luggage is facing stiff resistance from airlines and business travelers.

Under the proposal, travelers with electronic devices larger than a cell phone would be required to carry them as checked luggage. Depending on the airline, those devices may either be placed in each passenger’s luggage, or the airline may offer secure containers at the gate.

While the proposed ban is still in the proposal stage, it could go into effect at any time. U.S. officials have begun meeting with European Union representatives in Brussels on May 17, and will continue their meetings in Washington the following week.

The proposed ban is similar to one that began in March that prohibited laptops and other large electronics from passenger cabins between certain airports in the Middle East and North Africa.

That ban has resulted in a significant reduction in travel between those countries and the U.S., according to a report by Emirates Airlines. That airline has already cut back on its flights to the U.S. because of the laptop ban.

The new laptop ban would work like the current one from the Middle East, except that it would affect all flights from Europe to the U.S.

The ban raises a series of concerns that so far have not been addressed by the Department of Homeland Security, most notably large lithium-ion batteries that are currently not allowed in cargo holds by many airlines because of their propensity to catch fire.

The story continues going into detail about the pros and cons – and includes some thoughtful analysis by yours truly.

Technical diligence starts when a startup or company has been approved for outside capital, but needs to be inspected to ensure the value of the technology is “good enough” to accept investment. The average startup has something like 1/100 odds of receiving funding once they pitch a VC firm, which is why if investment is offered the ball shouldn’t be dropped during technical diligence. Most issues in technical diligence can be prevented. Since technical diligence is part of the investigation process to receiving venture capital, any business in theory could proactively prepare for technical diligence.

So advises my friend Ellie Cachette, General Partner at CCM Capital Management, a fund-of-funds specializing in venture capital investments. In her two-part series for Inc. Magazine, Ellie shares insights — real insights — in the following areas:

  • Intellectual property and awareness
  • Scaling
  • Security
  • Documentation
  • Risk management
  • Development budget
  • Development meeting and reporting
  • Development ROI
  • Having the right development talent in place

Here are the links:

Five “Business Things” to Understand for Technical Diligence: Part One

Five “Tech Things” to Understand for Technical Diligence: Part Two

While we’re at it, here’s another great article by Ellie in Inc.:

When Your Customers Want One Thing — And Your Investors Want Another

Got a business? Want to do better? Learn from Ellie Cachette. Follow her @ecachette.

The endpoint is vulnerable. That’s where many enterprise cyber breaches begin: An employee clicks on a phishing link and installs malware, such as ransomware, or is tricked into providing login credentials. A browser can open a webpage that installs malware. An infected USB flash drive is another source of attacks. Servers can be subverted with SQL injection or other attacks; even cloud-based servers are not immune from being probed and subverted by hackers. As the number of endpoints proliferates — think Internet of Things — the odds of an endpoint being compromised and then used to gain access to the enterprise network and its assets only increase.

Which are the most vulnerable endpoints? Which need extra protection? All of them, especially devices running some flavor of Windows, according to Mike Spanbauer, Vice President of Security at testing firm NSS Labs. “All of them. So the reality is that Windows is where most targets attack, where the majority of malware and exploits ultimately target. So protecting your Windows environment, your Windows users, both inside your businesses as well as when they’re remote is the core feature, the core component.”

Roy Abutbul, Co-Founder and CEO of security firm Javelin Networks, agreed. “The main endpoints that need the extra protection are those endpoints that are connected to the [Windows] domain environment, as literally they are the gateway for attackers to get the most sensitive information about the entire organization.” He continued, “From one compromised machine, attackers can get 100 per cent visibility of the entire corporate, just from one single endpoint. Therefore, a machine that’s connected to the domain must get extra protection.”

Scott Scheferman, Director of Consulting at endpoint security company Cylance, is concerned about non-PC devices, as well as traditional computers. That might include the Internet of Things, or unprotected routers, switches, or even air-conditioning controllers. “In any organization, every endpoint is really important, now more than ever with the internet of Things. There are a lot of devices on the network that are open holes for an attacker to gain a foothold. The problem is, once a foothold is gained, it’s very easy to move laterally and also elevate your privileges to carry out further attacks into the network.”

At the other end of the spectrum is cloud computing. Think about enterprise-controlled virtual servers, containers, and other resources configured as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). Anything connected to the corporate network is an attack vector, explained Roark Pollock, Vice President at security firm Ziften.

Microsoft, too, takes a broad view of endpoint security. “I think every endpoint can be a target of an attack. So usually companies start first with high privilege boxes, like administrator consoles onboard to service, but everybody can be a victim,” said Heike Ritter, a Product Manager for Security and Networking at Microsoft.

I’ve written a long, detailed article on this subject for NetEvents, “From Raw Data to Actionable Intelligence: The Art and Science of Endpoint Security.”

You can also watch my 10-minute video interview with these people here.

Our beautiful little echinopsis has a second flower. Here you can see it opening wide over a 22-hour period. Sad to think that it’s nearly finished. Thursday or Friday the closed-up blossom will drop off the cactus.

Tuesday, 5:20pm

Tuesday, 6:37pm

Wednesday, 7:10am

Wednesday, noon.

Wednesday, 3:10pm

Many IT professionals were caught by surprise by last week’s huge cyberattack. Why? They didn’t expect ransomware to spread across their networks on its own.

The reports came swiftly on Friday morning, May 12. The first I saw said that dozens of hospitals in England were affected by ransomware, denying physicians access to patient medical records and causing surgery and other treatments to be delayed.

The infections spread quickly, reportedly hitting as many as 100 countries, with Russian systems affected apparently more than others. What was going on? The details came out quickly: This was a relatively unknown ransomware variant, dubbed WannaCry or WCry. To spread, WannaCry used an exploit for a Windows flaw that had been stolen from the U.S. National Security Agency (NSA) and published by hackers; affected machines were Windows desktops, notebooks and servers that were not up to date on security patches.

Most alarming, WannaCry did not spread across networks in the usual way, through people clicking on email attachments. Rather, once one Windows system on a network was infected, WannaCry propagated itself to other unpatched machines without any human interaction. The industry term for this type of super-vigorous ransomware: Ransomworm.

I turned to one of the experts on malware that can spread across Windows networks, Roi Abutbul. A former cybersecurity researcher with the Israeli Air Force’s famous OFEK Unit, he is founder and CEO of Javelin Networks, a security company that uses artificial intelligence to fight against malware.

Abutbul told me, “The WannaCry/Wcry ransomware—the largest ransomware infection in history—is a next-gen ransomware. Opposed to the regular ransomware that encrypts just the local machine it lands on, this type spreads throughout the organization’s network from within, without having users open an email or malicious attachment. This is why they call it ransomworm.”

He continued, “This ransomworm moves laterally inside the network and encrypts every PC and server, including the organization’s backup.” Read more about this, and my suggestions for coping with the situation, in my story for Network World, “Self-propagating ransomware: What the WannaCry ransomworm means for you.”
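A worm that moves laterally on its own, as described here, and the foothold-then-spread pattern Scott Scheferman describes in the endpoint post above, both leave the same trace: one internal host suddenly opening connections to many other internal hosts on the same service port within seconds. The following is an added example of a detector for that fan-out, not code from the original post, from Javelin Networks, or from the Network World article; the firewall log format, the internal address ranges, the 60-second window, the threshold of eight hosts, and every log line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 8   # distinct internal hosts on TCP 445 from one source within WINDOW

# assumed log format: "<ISO time> src=<ip> dst=<ip> dport=<n> proto=tcp action=<allow|deny>"
_LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=tcp action=(allow|deny)$")


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport, action) or None for lines in another format."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)


def find_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Flag sources that touch >= threshold distinct internal hosts on TCP 445 within `window`."""
    events = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, _action = rec   # denied attempts count too: a worm knocks on closed doors
        if dport != SMB_PORT or not is_internal(src) or not is_internal(dst):
            continue
        events[src].append((ts, dst))
    alerts = []
    for src, recs in events.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            targets = {dst for ts, dst in recs[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                alerts.append({"src": src, "first_seen": t0.isoformat(), "distinct_targets": len(targets)})
                break                    # one alert per source is enough
    return alerts


# constructed log: one workstation sweeping its neighbours on 445 in twelve seconds,
# an administrator's normal day, an outbound HTTPS connection and an unparseable line
SAMPLE_LOG = (
    [f"2017-05-12T07:30:{i:02d}Z src=10.0.5.21 dst=10.0.5.{30 + i} dport=445 proto=tcp action=allow"
     for i in range(10)]
    + ["2017-05-12T07:30:10Z src=10.0.5.21 dst=10.0.5.40 dport=445 proto=tcp action=deny",
       "2017-05-12T07:30:11Z src=10.0.5.21 dst=10.0.5.41 dport=445 proto=tcp action=deny"]
    + [f"2017-05-12T07:3{k}:05Z src=10.0.1.5 dst=10.0.2.{10 + k} dport=445 proto=tcp action=allow"
       for k in range(3)]
    + ["2017-05-12T07:30:07Z src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp action=allow",
       "garbage line from a different log source"]
)

if __name__ == "__main__":
    for alert in find_smb_fanout(SAMPLE_LOG):
        print(alert)
```

The threshold is the tuning knob: backup servers and vulnerability scanners legitimately fan out on 445 and belong on an allow-list, while a workstation that touches a dozen peers in a minute is worth isolating first and asking about afterwards. Counting denied connections is deliberate, since a worm probing a subnet hits far more closed ports than open ones.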

If you’re in London in a couple weeks, look for me. I’ll be at the NetEvents European Media Spotlight on Innovators in Cloud, IoT, AI and Security, on June 5.

At NetEvents, I’ll be doing lots of things:

  • Acting as the Master of Ceremonies for the day-long conference.
  • Introducing the keynote speaker, Brian Lord, OBE, who is former GCHQ Deputy Director for Intelligence and Cyber Operations
  • Conducting an on-stage interview with Mr. Lord, Arthur Snell, formerly of the British Foreign and Commonwealth Office, and Guy Franco, formerly with the Israeli Defense Forces.
  • Giving a brief talk on the state of endpoint cybersecurity risks and technologies.
  • Moderating a panel discussion about endpoint security.

The one-day conference will be at the Chelsea Harbour Hotel. Looking forward to it, and maybe will see you there?

The reports came in quickly on Friday morning, May 12. The first alert I read referred to dozens of hospitals in England that had been hit by ransomware (without realizing it was a ransomworm), denying physicians access to their patients’ medical records and causing delays to surgeries and ongoing treatments, the BBC said:

The malware spread rapidly on Friday, with medical staff in the United Kingdom reportedly watching computers go out of use “one by one.”

NHS staff shared screenshots of the WannaCry program, which demanded a payment of $300 (£230) in the virtual currency Bitcoin to unlock the files on each computer.

Over the course of the day, other countries, mainly in Europe, reported infections.

Some reports said that Russia had seen the largest number of infections on the planet. National banks, the interior and health ministries, the state-owned Russian railway company and the country’s second-largest mobile phone network were reported as affected.

The infections spread quickly, reportedly hitting as many as 150 countries, with Russian systems apparently affected more than others.

Read the rest of my article, “Ransomworm golpea a más de 150 Países” (Ransomworm hits more than 150 countries), in IT Connect Latam.

Some recent photos from our garden here in Phoenix. Enjoy!


In the United States, Sunday, May 14, is Mother’s Day. (Mothering Sunday was March 26 this year in the United Kingdom.) This is a good time to reflect on the status of women of all marital statuses and family situations in information technology. The results continue to disappoint.

According to the United States Department of Labor, 57.2% of all women participate in the labor force in the United States, and 46.9% of the people employed in all occupations are women. So far, so good. Yet when it comes to information technology, women lag far, far behind. Based on 2014 stats:

  • Web developers – 35.2% women
  • Computer systems analysts – 34.2% women
  • Database administrators – 28.0%
  • Computer and information systems managers – 26.7%
  • Computer support specialists – 26.6%
  • Computer programmers – 21.4%
  • Software developers, applications and systems software – 19.8%
  • Network and computer systems administrators – 19.1%
  • Information security analysts – 18.1%
  • Computer network architects – 12.4%

The job area with the highest projected growth rate over the next few years will be information security analysts, says Labor. A question is, will women continue to be underrepresented in this high-paying, fast-growing field? Or will the demand for analysts provide new opportunities for women to enter into the security profession? Impossible to say, really.

The U.S. Equal Employment Opportunity Commission (EEOC) shows that the biggest high tech companies lag behind in diversity. That’s something that anyone working in Silicon Valley can sense intuitively, in large part due to the bro culture (and brogrammer culture) there. Says the EEOC’s extensive report, “Diversity in High Tech,”

Modern manufacturing requires a computer literate worker capable of dealing with highly specialized machines and tools that require advanced skills (STEM Education Coalition).

However, other sources note that stereotyping and bias, often implicit and unconscious, has led to underutilization of the available workforce. The result is an overwhelming dominance of white men and scant participation of African Americans and other racial minorities, Hispanics, and women in STEM and high tech related occupations. The Athena Factor: Reversing the Brain Drain in Science, Engineering, and Technology, published data in 2008 showing that while the female talent pipeline in STEM was surprisingly robust, women were dropping out of the field in large numbers. Other accounts emphasize the importance of stereotypes and implicit bias in limiting the perceived labor pool (see discussion below).

Moughari et al., 2012 noted that men comprise at least 70 percent of graduates in engineering, mathematics, and computer science, while women dominate in the lower paying fields. Others point out that this is not uniformly the case in all science and math occupations and that, while underrepresented among those educated for the industry, women and minorities are more underrepresented among those actually employed in the industry. It has been shown, for example, that men are twice as likely as women to be hired for a job in mathematics when the only difference between candidates is gender.

and

Women account for relatively small percentages of degree recipients in certain STEM fields: only 18.5 percent of bachelor’s degrees in engineering went to women in 2008.

Women Heading for the Exit

The EEOC report is very discouraging in its section on Existing Tech & Related Fields:

Over time, over half of highly qualified women working in science, engineering and technology companies quit their jobs. In 2013, just 26 percent of computing jobs in the U.S. were held by women, down from 35 percent in 1990, according to a study by the American Association of University Women. Although 80 percent of U.S. women working in STEM fields say they love their work, 32 percent also say they feel stalled and are likely to quit within a year. Research by The Center for Work-Life Policy shows that 41 percent of qualified scientists, engineers and technologists are women at the lower rungs of corporate ladders but more than half quit their jobs.

This loss appears attributable to the following: 1) inhospitable work cultures; 2) isolation; 3) conflict between women’s preferred work rhythms and the “firefighting” work style generally rewarded; 4) long hours and travel schedules conflict with women’s heavy household management workload; and 5) women’s lack of advancement in the professions and corporate ladders. If corporate initiatives to stem the brain drain reduced attrition by just 25 percent, there would be 220,000 additional highly qualified female STEM workers.

Based on a survey and in-depth interviews of female scientists, the report observes:

  • Two-thirds of women report having to prove themselves over and over; their success discounted and their expertise questioned.
  • Three-fourths of Black women reported this phenomenon.
  • Thirty-four percent reported pressure to play a traditionally feminine role, including 41 percent of Asian women.
  • Fifty-three percent reported backlash from speaking their minds directly or being outspoken or decisive.
  • Women, particularly Black and Latina women, are seen as angry when they fail to conform to female stereotypes
  • Almost two thirds of women with children say their commitment and competence were questioned and opportunities decreased after having children.

The EEOC report adds that in tech, only 20.44% of executives, senior officials and managers are women – compared to 28.81% in all private industries in the U.S. Women certainly are succeeding in tech, and there are some high-profile women executives in the field —think Meg Whitman at HP, Marissa Mayer at Yahoo (now heading for the exit herself with a huge payout), Sheryl Sandberg at Facebook, Susan Wojcicki at YouTube, Virginia Rometty at IBM, Safra Catz at Oracle, and Ursula Burns at Xerox. That’s still a very short list. The opportunities for and presence of women in tech remain sadly underwhelming.

Ping! chimes the email software. There are 15 new messages. One is from your boss, calling you by name and asking you to give feedback ASAP on a new budget for your department. There’s an attachment. You click on it. Hmm, the file appears to be corrupted. That’s weird. An email from the CEO suggests you read a newspaper article. You click the link, the browser seems to go somewhere else, and then redirects to the newspaper. You think nothing of it. However, you’ve been spearphished. Your computer is now infected by malware. And you have no idea that it even happened.

That’s the reality today: Innocent and unsuspecting people are being fooled by malicious emails. Some of them are obvious spammy-sorts of messages that nearly everyone would delete — but a few folks will click the link or open the attachment anyway. That’s phishing. More dangerous are spearphishing messages targeting individuals in your organization, customized to make the email look legitimate. It’s crafted from a real executive’s name and a forged return address, with details that match your company, your family, your job, your personal interests. There’s the hook… there’s the worm… got you! And another computer is infected with malware, or another user was tricked into providing account names, passwords, bank account information or worse.

Phishing and spearphishing are the delivery method of choice for identity theft and corporate espionage. If the user falls for the malicious message, the user’s computer is potentially compromised – and can be encrypted and held for ransom (ransomware), turned into a member of a botnet, or used to gain a foothold on a corporate network to steal intellectual property.
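The tricks described above (an executive’s name on a From line whose address is not the company’s, a Reply-To that quietly goes elsewhere, a link whose visible text says one site while the href goes to another, and an “attachment” that is really an executable) are all visible in the raw message before anyone clicks. The following is an added example, not code from the NetEvents story or from any product, showing how a mail gateway or SOC script could flag them. The organisation domain, the executive names and both sample messages are constructed for the example.

```python
"""Flag spear-phishing indicators in a raw RFC 5322 message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation data: our own domain and the executives whose
# names an attacker is most likely to borrow for a spearphish.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"pat morgan", "jordan lee"}      # constructed names
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display-name impersonation: a known executive's name on an external address.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' impersonates an executive from external domain {from_dom}")

    # 2. Reply-To pointing somewhere other than the apparent sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} does not match From domain {from_dom}")

    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            # 3. Executable or macro-bearing attachment (double extensions included).
            ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {fname} has executable/macro extension {ext}")
        elif part.get_content_type() == "text/html":
            # 4. Links whose visible text and real destination disagree, or leave our domain.
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if "://" in text and _host(text) != _host(href):
                    findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
                elif _host(href) and _host(href) not in TRUSTED_DOMAINS:
                    findings.append(f"external link to {_host(href)}")
    return findings


# Constructed spearphish: executive name on a look-alike domain, external Reply-To,
# a disguised link and a .pdf.exe attachment (base64 body is just an MZ header stub).
SPEARPHISH = """\
From: Pat Morgan <pat.morgan@examp1e-mail.com>
To: analyst@example.com
Reply-To: pat.morgan.ceo@gmail.com
Subject: Q3 budget - need your feedback ASAP
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached budget and this
<a href="http://example.com.evil-redirect.net/news">http://example.com/news</a>.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Q3_budget.pdf.exe"
Content-Disposition: attachment; filename="Q3_budget.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed legitimate message from the same executive, for comparison.
CLEAN = """\
From: Pat Morgan <pat.morgan@example.com>
To: analyst@example.com
Subject: Q3 budget
Content-Type: text/plain; charset="utf-8"

Budget is on the intranet at https://example.com/finance/q3
"""

if __name__ == "__main__":
    for label, raw in (("spearphish", SPEARPHISH), ("clean", CLEAN)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof of an attack on its own; an external Reply-To or an outside link is common in legitimate mail. The value is in the combination, which is why the function returns every finding rather than a single verdict, and why the attachment check keys on the final extension so that `Q3_budget.pdf.exe` is caught despite the `.pdf` in its name.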

Yet we’ve had email for decades. Why is phishing still a problem? What does the worst-case scenario look like? Why can’t training solve the problem? What can we do about it?

Read my story for NetEvents, “Blunting the Tip of the Spear by Blocking Phishing and Spearphishing.” It’s a long-form feature – quite in depth.

Also watch a video that I recorded on the same subject. Yes, it’s Alan on a video!

I have a new research paper in Elsevier’s technical journal, Network Security. Here’s the abstract:

Lock it down! Button it up tight! That’s the default reaction of many computer security professionals to anything and everything that’s perceived as introducing risk. Given the rapid growth of cybercrime such as ransomware and the non-stop media coverage of data theft of everything from customer payment card information through pre-release movies to sensitive political email databases, this is hardly surprising.

In attempting to lower risk, however, they also exclude technologies and approaches that could contribute significantly to the profitability and agility of the organisation. Alan Zeichick of Camden Associates explains how to make the most of technology by opening up networks and embracing innovation – but safely.

You can read the whole article, “Enabling innovation by opening up the network,” here.

To those who run or serve on corporate, local government or non-profit boards:

Your board members are at risk, and this places your organizations at risk. Your board members could be targeted by spearphishing (that is, directed personalized attacks) or other hacking because

  • They are often not technologically sophisticated
  • They have access to valuable information
  • If they are breached, you may not know
  • Their email accounts and devices are not locked down using the enterprise-grade cybersecurity technology used to protect employees

In other words, they have a lot of the same information and access as executive employees, but don’t share in their protections. Even if you give them a corporate email address, their laptops, desktops, phones, and tablets are not covered by your IT cybersecurity systems.

Here’s an overview article I read today. It’s a bit vague but it does raise the alarm (and prompted this post). For the sake of the organization, it might be worth spending a little time at a board meeting on this topic, to raise the issue. But that’s not enough.

What can you do, beyond raising the issue?

  • Provide offline resources and training to board members about how to protect themselves from spearphishing
  • Teach them to use unique strong passwords on all their devices
  • Encourage them to use anti-malware solutions on their devices
  • Provide resources for them to call if they suspect they’ve been hacked

Perhaps your IT provider can prepare a presentation, and make themselves available to assist. Consider this issue in the same light as board liability insurance: Protecting your board members is good for the organization.

In 2016, Carnival Cruises was alleged to have laid off its entire 200-person IT department – and forced its workers to train their foreign replacements. The same year, about 80 IT workers at the University of California San Francisco were laid off, and forced to train their replacements, lower-paid tech workers from an Indian outsourcing firm. And according to the Daily Mail:

Walt Disney Parks and Resorts is being sued by 30 former IT staff from its Florida offices who claim they were unfairly replaced by foreign workers— but only after being forced to train them up.

The suit, filed Monday in an Orlando court, alleges that Disney laid off 250 of its US IT staff because it wanted to replace them with staff from India, who were hired in on H-1B foreign employee visas.

On one hand, these organizations were presumably quite successful with hiring American tech workers… but such workers are expensive. Thanks to a type of U.S. visa, called the H-1B, outsource contractors can bring in foreign workers, place them with those same corporations, and pay them a lot less than American workers. The U.S. organization, like Carnival Cruises, saves money. The outsource contractor, which might be a high-profile organization like the Indian firm Infosys, makes money. The low-cost offshore talent gets decent jobs and a chance to live in the U.S. Everyone wins, right? Except the laid-off American tech workers.

This type of bargain outsourcing is not what the H-1B was designed for. It wasn’t for laying off expensive U.S. workers and hiring or contracting with lower-paid foreign workers. It was intended to help companies bring in overseas experts when they can’t fill the job with qualified local applicants. Clearly that’s not what’s happening here.

It’s Not Supposed to Be About Cheap Labor

Also, the goal was definitely not to let companies reduce their payroll costs. To quote from the U.S. Citizenship & Immigration Services website about H-1B requirements:

Requirement 4— You must be paid at least the actual or prevailing wage for your occupation, whichever is higher.

The prevailing wage is determined based on the position in which you will be employed and the geographic location where you will be working (among other factors).

The challenge is the way that H-1B visas are allocated – which is a lottery system, based on the number of applications. There’s a cap of only 65,000 visas each year. Outsourcing companies flood the system with hundreds of thousands of applications, whereas the companies that truly need a few specialized tech experts ask for a relative handful. (There are separate rules for educational institutions, like universities, and for those hiring workers with advanced post-graduate degrees.)

H-1B visas have been in the news for decades, as tech companies lobby to increase the quota. Everyone, remember, likes the H-1B visa, except for American tech workers whose jobs are displaced.

Most recently, the U.S. government has warned about a crackdown on H-1B abuses. According to CNN,

While H-1B visas are used to fill the U.S. skills gap, the Trump administration has voiced concerns about abuse of the program. In some cases, outsourcing firms flood the system with applicants, obtaining visas for foreign workers and then contracting them out to tech companies. American jobs are sometimes replaced in the process, critics say.

In response, Infosys, the Indian outsourcing giant, has revealed plans to hire U.S. workers. Says Computerworld,

IT offshore outsourcing giant Infosys — a firm in the Trump administration’s H-1B reform bulls eye — said Tuesday it plans to hire 10,000 “American workers” over the next two years.

The India-based Infosys will hire those employees in four separate locations in the U.S., first in Indiana, which offered the company more than $30 million in tax credits. The other locations weren’t announced.

Look for the H-1B visa issue to remain in the U.S. news spotlight all year during the battle over immigration, employment, and the power of Silicon Valley.

It has been proven, beyond any doubt whatsoever, that flame decals add 20-25 whp (wheel horsepower) to your vehicle, and of course even more bhp (brake horsepower). I know it’s proven because I read it on the Internet, and everything we read on the Internet is true, not #fakenews. Where did I read it? This incredibly informative blog entry here.

Not sure about the acronyms?

  • whp is wheel horsepower, measured at (duh!) the wheels. It takes into account power lost in the drive train, including the transmission and differential, as well as the alternator, air conditioning compressor, wheel mass, etc. It is measured by spinning the wheels on a dynamometer (dyno). In other words, whp is what matters.
  • bhp is brake horsepower, measured at the engine crankshaft (not at the brakes). The “brake” part of the term refers to the Prony brake, an early device used to measure power output. The bhp value is always higher than the whp value, because it measures only gross engine output. These days, the bhp value is usually quoted as SAE net horsepower. Knowing bhp allows you to evaluate engines and engine modifications — not whole-vehicle upgrades like performance clutches, underdrive pulleys, light-weight wheels, huge spoilers, and of course, flame decals.

Get yourself some flame decals and feel the burn!