Avast blog: A tale of two breaches: Comparing Twilio and Slack’s responses

We recently learned about major security breaches at two tech companies, Twilio and Slack. The manner in which these two organizations responded is instructive, and since both of them published statements explaining what happened, it’s interesting to observe the differences in their communication, along with some lessons learned for your own breach planning and response. You can read more about the situations in my latest blog post for Avast.

Using a third-party clipping/portfolio service for freelancers

This post originated with some online discussions with my freelancer peers about keeping track of your clips or portfolio, which spurred me to do further research. There are six major providers that I know of, broken into two rough categories. I have provided links to my own sites in the case of the free providers, and showcase those who have paid for their sites.

Those that are mostly about the clips:

Those that offer a bunch of other features besides tracking your clips: 

I went overboard with my page in Contently, putting more than 400 article links together. I think they have the best of the three systems. I'm not sure it really matters once you have more than 25 stories in your portfolio, and you still have to weed out the dead links manually. I was into them early on, when they offered a decent wage (defined as >$1/word). They mostly offer much, much less. A recent inquiry from an assignment editor for this rate resulted in no real response back from the actual client, so consider that before you invest much time here.

I was also early into Skyword, and they have suffered much the same fate as Contently, including moving to the cheap side of the fee structure. So steer clear if you can. 

MB has a bunch of different services, including a database of freelance (FL) opportunities, a page of links to your published work (which you have to manually construct), links to various editorial mastheads and editorial calendars, tons of online courses (such as fact checking for journalists, essential digital journalism skills, and building your brand voice), and ways to build your career. You can sign up for a 14-day trial. Here is Esther Shein’s site. She told me that, like Contently and Skyword, she got a lot of business early on but now uses it mostly for maintaining her clips.

My recommendations? First, if you haven’t built a portfolio page somewhere online, now is the time to get started. Take a couple of days, find 10 (or whatever) of your best pieces, and just collect the URLs (if they are still online) or construct a page of PDFs (if not, and if you can reconstruct them somehow). Find some relevant images to attach to each piece, and decide how you are going to present yourself. Dan Dern has a lot of comments about different ways to do this that could be helpful if not overwhelming.

Besides the vendors mentioned above, you have a few other choices. I still recommend you set up your own clips website outside of these systems for complete control (I use my own hosted WordPress for this: blog.strom.com, and a mailing list hosted using mailman). You also can construct various LinkedIn pages that showcase your work.

Second, if you want to maintain a historical and automatic archive of your work, look at either MuckRack or Authory. The other four require you to manually enter your piece, which wears thin after the initial effort to get things set up. MuckRack is free, it mostly will find your bylined pieces (there doesn’t seem to be any method to what gets found and what doesn’t), and you don’t have to do anything once you set up your page. Authory will cost you, and you have to tell them which pub to look for your stuff in, but then they collect the piece and preserve it forever, even if the pub moves or deletes your cheese (that is a problem for the other four providers, where you have to manually maintain the links). Todd Weiss’ Authory page can be found here for reference. Also, both Authory and MuckRack will connect to your social feeds and display what you post there.

Another use for these providers is to track who views your purple prose. Contently, Skyword, and MediaBistro don’t have any analytics. The other three have some — MuckRack has the best analytics, Clippings.me integrates with Google Analytics, and Authory has some data.

Finally, and I can’t emphasize enough, this effort for building a portfolio should be complemented by constructing and regularly writing an email newsletter. That is the single best thing that I ever did to build my business, and continues to pay dividends 25 or so years later. 

Avast blog: Dave Piscitello working to make the internet a more secure place

I first met Dave Piscitello in the late 1990s when we served together on the Interop+Networld conference program committee, and collaborated on several consulting reports. He went on to create his own conference on internet security that ran from 1997-2000, then went on to work on security for ICANN until 2018. He serves on several international do-gooder infosec boards and is part of a consultancy called the Cybercrime Information Center that produces some very excellent reports on the state of malware, phishing, and domain name abuses. The most current report is on phishing, which shows that monthly attacks have doubled since May 2020. What makes his report powerful is that it includes data from four commercial information sources, which collected more than a million unique attacks and publish their own blocklists. I wrote about his work and the state of phishing for my latest Avast blog here.


CNN Underscored: Best mobile payment apps reviewed

Mobile payment apps can be a convenient way to send and receive money using your smartphone or smartwatch. Paying for items this way has never been easier, thanks to the availability of numerous mobile payment apps, better payment terminal infrastructure, and wider support for Bluetooth/near-field communication (NFC) contactless credit cards by American issuers. The coronavirus pandemic has also helped to make contactless “everything” more compelling. I tested out five different mobile payment apps: Apple Pay, Google Pay, Samsung Pay, Venmo (by PayPal) and Cash App (by Block, formerly Square) recently, and wrote my review for CNN/Underscored here.

How to choose the best MFA methods to help stop ransomware

Interest in multi-factor authentication (MFA) has risen in the past few years, spurred by the increasing frequency and severity of data breaches and destructive attacks. When Covid-19 happened, ransomware actors proliferated. Recently, MFA has received a boost from various supporters, including Google, the US federal government, GitHub and Microsoft. When evaluating the various MFA products and technologies on the market today, it’s important to understand the tradeoffs in security, scalability and usability inherent in each option. Additionally, it can be helpful to understand your available choices in the context of how MFA has developed over time.

In this ebook I co-authored with Evan Krueger, the engineering manager of Token, we track the evolution of MFA, the work of the FIDO Alliance to bring the industry together and provide new authentication standards, and some suggestions on how to choose the right MFA technology that you carry with you, that understands your biometrics, and can be married to your identity without any operator intervention. Ransomware and data theft are only increasing in severity. It’s time for the defenders to up their game as well.

Avast blog: More developments on NSO’s Pegasus spyware


Last summer, I wrote about a major international investigation of the NSO Group and its Pegasus spyware. We described how it works and what you can do to protect your phone. NSO has gone through some difficult times as a result of that analysis. NSO was almost purchased by an American company that is closely linked to intelligence operations until the US Government put them, along with another Israeli spyware vendor Candiru, on a special block list that prevents both from obtaining government contracts. Candiru, you might recall, was discovered to be doing its own zero-day spying by Avast researchers.

In my post today for Avast’s blog, I review what transpired at a recent hearing held by the House Intelligence Committee. There were three witnesses who emphasized the threat of spyware to various democracies around the world, and provided lots of specifics about how Pegasus has operated.

Tracking the web of misinformation and copycats

How fast does misinformation spread across the web? Turns out, when it comes to the Kardashians, pretty darn fast. But even for those of us who are mere mortals and write about boring stuff like tech, still plenty fast. Let me explain.

Shelly Palmer also writes about tech stuff, and one of his articles quoted Kim and Kylie from an article in CNBC. The quote contained a typo, namely, “Strop trying to be tiktok I just want to see cute photos of my friends.” Note the italics. He saw the typo and called CNBC, and within minutes the typo was fixed. No matter. In that short moment in time, hundreds of sites picked it up and included the original typo. Shelly used the typo as a “misinformation DNA marker,” as he puts it, to track who was more diligent about the typo and who couldn’t care less. It’s all about the clicks, and when it comes to Kim and Kylie, well, that can supercharge a story.

Shelly found the original phrase, with correct spelling, on a Change.org petition the women signed. What is interesting about his investigation is that it shows exactly how far the typo has spread: when I did my own search just now, there were still close to 200 sites that haven’t corrected it.

I feel for both Shelly and the CNBC reporter Jonathan Vanian who admitted to making the typo. I have found copycat websites all over the place that have taken my stories and posted exact replicas — some including my own byline — as if they were syndicating my content legally. They are not. It helped that I included (unintentionally at first, but now more deliberately) my own misinformation DNA marker in the form of a link to a previous blog post on my own blog. WordPress does a very solid job of tracking when someone else is posting to another WordPress blog with a link back to my content. I have seen dozens of these copycat posts, some within minutes of my story going live on the corporate blogs that have paid me to write for them. Of course, I notify my editors, but there is really very little that they can do. These copycat sites are often in other countries, and getting a takedown notice is nearly impossible, expensive, time-consuming, or all three.

All this talk about copycat websites reminds me of a story from my early career at PC Week back in 1988. I wrote a column for the paper that envisioned the advice columnist Miss Manners giving out computing advice for common situations of that era. I have to say, first, I got her tone and style down cold (I will tell you why in a moment). And second, the piece has held up well after all these years, even though it uses terms that many contemporary PC users might never have heard of before. About a month after the piece ran in PC Week, I got a cease and desist letter from her syndicate’s lawyers. That to me was one of the high moments of my tenure at the pub, and an indication of how well the parody had hit its mark.

Now, if any of you dear readers would like to try your hand at parodying my own style, please have at it. I promise not to engage any lawyers.


Avast blog: How to prepare for a hacking incident

The initial phases of a breach are often the most critical: The intruder is counting on your confusion, your lack of a plan or a clear chain of authority, and any early missteps. Given that it’s only a matter of time before a breach happens, what can you do after encountering an incident to minimize the damage?

For businesses of all sizes, incident response planning infrastructures have gotten very complex, with many interconnected relationships that might not be immediately obvious — until something goes wrong. In this blog for Avast, I outline how you can prepare for an incident in a well-thought-out and organized manner.

CNN Underscored: Best cloud personal storage apps

It used to be that 1 TB of storage was a lot, but now this amount of storage is quite common to find on even the least expensive laptops. Over the years, a number of cloud-based storage vendors have begun to support the TB era and now many of them offer monthly storage plans for a reasonable price. We tested five different cloud-based storage apps—Apple iCloud+, Box, Dropbox, Google One, and Microsoft OneDrive—to see which one is the best cloud-based storage app for you. OneDrive comes out on top and it was easier to install on Macs than on some of our Windows PCs that had additional browser-based security that blocked the desktop client downloads.

You can read my full review here.

Your car has become yet another subscription service

The Verge has this piece about how carmakers have discovered subscription pricing, thanks in part to the leadership of Tesla. I have always thought of Tesla as a software company that installs their code in a big computer that happens to look a lot like a car. Now the traditional car companies have gotten more interested in selling subscriptions. For GM, these generate $2B annual revenues, which works out to customers paying around $40 a month for various options such as OnStar or SiriusXM.

But as Hawkins points out in his piece, this has fast become a nightmare for those citizens that don’t want to debug their car’s software and just want to drive them from one place to another. BMW was selling subs overseas to turn on the option for heated seats. Granted, most of the subs are for things like entertainment or driver-assisted features.

The problem with subscription cars is that the Netflix (or choose your favorite SaaS supplier) model breaks down quickly. There are several reasons. First, the software that comes with your car is most certainly out of date, sometimes by about a year even if you buy the current year’s model when it first goes on sale the previous fall. This is because it takes time to design the car and get it from the factory to your dealer and then to you. But another reason is that the car companies are not set up like software companies, doing nightly software builds — at least, not until Tesla came along.

Second, the car needs connectivity to update itself, and until lately that connectivity was either expensive (for cellular broadband) or inconvenient (such as using Bluetooth to get to your phone), or both.

Third, car subscribers are often paying to remove a software block on a functionality that already exists when the car rolled off the line. That can be frustrating for consumers, although Tesla owners seem ok with it for now.

Next, unlike with SaaS vendors, you can’t usually try before you buy the subscription. Some of the car companies do offer enticements — when I got my used GM car from the dealer, they bundled in SiriusXM for a limited time. But for the most part, they haven’t fully embraced the SaaS model. Plus, the collection of features for the “free pricing tier” — if such a thing existed to the extent that it does in the SaaS world — is just brutally hard to figure out. It is hard to figure out a decent price point (see BMW’s mistakes charging upwards of $80/month for some of their services). It is hard to price something (like a heated seat) that was in the “free forever” tier. And it is hard to support. Call your dealer? Yeah, right.

That brings up another point. How do you recover from a car’s software error? No one wants to see a blue screen in their car. My aging car’s GPS gets “lost” and has me driving through empty places on its map, which is somewhat disconcerting. It is one thing to wait for a file to download from some cloud server but another thing if you are going along at 70 mph down the freeway. Can I get a software update on my GPS? Nope.

Finally, the biggest issue is that carmakers are looking at subscriptions as found money when they should be dropping prices and using them as a way to amortize the vehicle sale. As prices on vehicles are rising faster than (insert your favorite supply chain metaphor here), you would think this is obvious. But no. This just adds to the distrust many of us have when the time comes to buy our next car and have to enter the 12 circles of hell otherwise known as the showroom.

Still, there is Tesla. Like I said, not your dad’s Buick.