Never Hurts to Ask

Yesterday I blogged about my concerns with a free Google Apps extension that required the very scary googleapis.com/auth/drive permission. When you give a Google Apps extension this permission, it can read, write, or delete any documents you have access to in Google Drive.

I inquired why the extension needed so much authorization, and the developer replied quickly. He agreed! The permission was only required for a specific feature that didn’t seem super important for the free version.  So he removed the feature and permission requirement. In less than 24 hours!

Three take-aways for me:

  1. Use your brain when giving an app or website permission to access your information in the cloud. Why do they need the authorization they are requesting? This is particularly true when using Facebook or Google+ to login to other sites.
  2. Push back, you never know when you’ll find somebody reasonable on the other end. Or maybe you will learn more about why the authorization is necessary.
  3. Definitely try ProjectSheet Planning from forScale and support reasonable developers who understand cloud security concerns.

Now I’m happy and can whitelist the extension for my company to use.

Trusting the Cloud

I’m a big advocate of cloud data security. Cloud service providers are, in general, better at security than their customers. So your data is safer in the cloud than it is on your local machine or network.

This is what you need to make a GANTT chart?

However, it doesn’t feel that way, does it? Yesterday a colleague showed me a cool plug-in for Google Sheets that creates simple GANTT charts using spreadsheet data. When I installed the plug-in, it prompted me for the permissions it needed to function. Take a look at the list it presented:

  1. Know who you are on Google
  2. View your email address
  3. View and manage spreadsheets that this application has been installed in.
  4. View and manage the files in your Google Drive
  5. View and manage data associated with the application
  6. Allow this application to run when you are not present
  7. Connect to an external service

Numbers 1 to 3 are not a big deal to me. I’m happy to have this plug-in work on the files where I use it. Number 4 is scary: this plug-in can look at ALL my Google Drive files. Numbers 6 and 7 make it even scarier: this thing can run whenever it wants and connect to an external service.

This plug-in appears fine today. But tomorrow, an evil developer could change their software without telling anyone. The software could start to scan any of my Google Drive documents and send that data to an external service.
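To make that risk concrete, here is an added example (my own code, not the plug-in’s or Google’s) that audits the OAuth scopes an Apps Script add-on declares. The mapping from the prompt text above to scope URLs, and the manifest contents, are my assumptions; the point is that the dangerous combination is broad Drive access plus unattended execution plus external connections.

```python
"""Audit the OAuth scopes an Apps Script add-on requests (constructed example)."""
import json

# Scopes that reach beyond the documents the add-on is actually used in,
# paired with the narrower scope that would usually suffice.
# Assumption: scope URLs taken from Google's published list, not from the post.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/spreadsheets": "https://www.googleapis.com/auth/spreadsheets.currentonly",
}
# Scopes that let the add-on act while you are away or send data outside Google.
RISK_AMPLIFIERS = {
    "https://www.googleapis.com/auth/script.scriptapp": "runs unattended (triggers)",
    "https://www.googleapis.com/auth/script.external_request": "connects to external services",
}


def audit_scopes(manifest_json: str) -> dict:
    """Return findings for the oauthScopes array of an appsscript.json manifest."""
    scopes = set(json.loads(manifest_json).get("oauthScopes", []))
    findings = {"broad": {}, "amplifiers": [], "verdict": "allow"}
    for scope, narrower in BROAD_SCOPES.items():
        if scope in scopes:
            findings["broad"][scope] = narrower
    for scope, why in RISK_AMPLIFIERS.items():
        if scope in scopes:
            findings["amplifiers"].append(why)
    # Broad access + unattended execution + egress is exactly the scenario in
    # the post: a later update could read any Drive file and ship it out.
    if findings["broad"] and findings["amplifiers"]:
        findings["verdict"] = "review"
    elif findings["broad"]:
        findings["verdict"] = "ask developer for a narrower scope"
    return findings


# Constructed manifest resembling the seven-item prompt described in the post.
SAMPLE_MANIFEST = json.dumps({"oauthScopes": [
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/script.scriptapp",
    "https://www.googleapis.com/auth/script.external_request",
]})

if __name__ == "__main__":
    print(json.dumps(audit_scopes(SAMPLE_MANIFEST), indent=2))
```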

I’m going to do more research on these permissions and see if my concerns are real or just cloud paranoia. Stay tuned.

Pragmatic and More

I came across a great blog post about startups through a friend of mine. He helped me start (and stop) a company with some similarities to ContractBlast.

https://medium.com/startup-lesson-learned/why-i-turned-down-500k-pissed-off-my-investors-and-shut-down-my-startup-2645c4ca1354#.f1fvf6tm9

My filter for startup ideas typically revolves around the Pragmatic Marketing dogma. There are 3 critical hurdles a new idea needs to clear.

  1. The problem I’m going to solve is pervasive in an industry. Lots of people have the problem and can quickly realize it as a problem if approached with my solution.
  2. The problem is urgent. Solving it provides immediate benefit. Waiting to solve it is a real threat to the customer’s business.
  3. The customer is willing to pay. This is where my buddy and I fell down last time. We created a great productivity tool and everyone agreed on the benefits, but it had a “should be a free app” feel.

ContractBlast missed on #2: solving the problem of contracting efficiency wasn’t urgent. The benefit would be realized over the long term, but that meant longer sales cycles and greater commitment from customers.

Using the Pragmatic filters can sound discouraging for entrepreneurs, but I find it the opposite. The filters keep me refining my ideas until they meet all 3 conditions, and that can save a huge amount of time, money and energy.

Salesforce Makes Sense

I’ve been working with Salesforce.com since 2005 and I’ve made a few eyebrow-raising comparisons over the years…

Salesforce is like Microsoft Access on the web. It lets IT Admins create applications that scale.

or

Salesforce is the least powerful, most expensive on-demand platform in the world.

Here is the crazy part. I meant it all as a compliment! Salesforce figured out early on that regular business people, not software engineers, are the ones who know their business best.  Giving non-developers the ability to customize or even create applications is worth a lot to a profitable company.  Hence Salesforce costs more in every dimension (per user, per GB, etc.) than other platforms.

Wait, not every dimension. I’m betting that total cost of ownership (TCO) is lower on most Salesforce.com apps. If you’ve got a problem that fits the Salesforce UI paradigm, then it definitely saves money over Amazon or Google App Engine.

The most recent example is Salesforce rolling out Lightning (Aura framework) capabilities with a super secure container configuration called LockerService. This is great news because it prevents less skilled developers from accidentally creating security holes.

So when comparing TCO for on-demand platforms, make sure you are taking into account security, implementation, and support costs. You’ll be surprised how cost effective Access for the Web can be.

Anti-Ransomware Advice

Here is a really good list of steps to help keep you safe from ransomware. The article is long, but stick with it and read all the headings – there are some good ideas you can easily implement. There are also some suggestions that are hard to stomach, but knowledge is power.

The Anti-Ransomware Protection Plan You Need to Follow Today

Personally, I use Time Capsule (network backup solution) for my Mac and it is a bummer to think that ransomware could find this network device and encrypt my backups too. I’ve taken to making a monthly snapshot on a USB drive for worst case recovery.

FDIC disabling removable storage

The US FDIC has recently come under fire for a series of insider data leakages. Getting hacked by your own employees is the elephant in the room for every organization. We harden our organizations from outside attacks, but insiders need efficient access to data in order to do their jobs.

FDIC to Enhance Cyber Security after Insider Attacks

One of the big changes happening at FDIC is disabling removable storage like USB keys and drives. I’ll be curious to see how this works from both an efficiency and effectiveness standpoint.

In most of my dealings (with smaller companies), the thought of clamping down on removable media is impractical. Anyone who has millennials in their workforce knows that restrictive technology policies are anathema to these energetic workers. Check out this excerpt from Fortune magazine.

The companies that top Great Place to Work’s first-ever ranking of the 100 Best Workplaces for Millennials stand out for their ability to engage this generation, recognize their talents and give them a significant role where they can make a difference. At these companies, pay, profit sharing, and promotion decisions are executed fairly; everyone gets a shot at special recognition; and workers have a say in decisions that affect them. These workplaces exhibit strong, open, two-way communication; a high tolerance for risk-taking; high levels of cooperation and support among employees; and reduced roadblocks to innovation, such as internal politics.

The best solutions I’ve found for insider threats are training and strong corporate culture. Make sure your employees know the policies and that your culture promotes the benefits of protecting all that information they are entrusted to access.  Protecting your organization from insider leaks with technology is super difficult — and it won’t prevent a determined insider from getting data out.

Most Exploited Bugs

A new major study conducted by Hewlett Packard Enterprise has some really good information. Get your copy here:

http://techbeacon.com/resources/2016-cyber-risk-report-hpe-security

My favorite finding from ReversingLabs is that the most exploited bug in 2015 was the same as in 2014 — it was discovered in 2011 and patched in 2012 and again in 2015. CVE-2010-2568 is an old Windows shell bug with .pif files.  Patch this now!

Not sure exactly what it says about ReversingLabs’ clients that they have all this data and yet can’t deploy this patch.


Father of Bitcoin?

Australian Craig Wright has claimed to be Satoshi Nakamoto — the creator of Bitcoin. If true, this puts an end to one of the biggest cyber mysteries of the 21st century.

http://www.economist.com/news/briefings/21698061-craig-steven-wright-claims-be-satoshi-nakamoto-bitcoin

The Bitcoin faithful will spend the next year on conspiracy theories, but I’m guessing the Economist and BBC did their homework before publishing.

If Craig Wright is Satoshi, then I’d love to hear his take on Bitcoin being the payment method of choice for illegal activity like ransomware and money laundering.

UPDATE May 24, 2016: The hoax is on.  Or is it?  Check out how Wright is keeping the story alive.  Lots of room for belief and disbelief.

How Craig Wright Privately ‘Proved’ He Created Bitcoin


Three Lessons from the NFL Draft

It should have been a great night for Laremy Tunsil, the offensive lineman from Ole Miss. He was drafted #13 by the Miami Dolphins in the 2016 NFL Draft.

Unfortunately, his Twitter and Instagram accounts were “hacked”. Looks to me like somebody got access to his iPhone. Three possible lessons from an information security perspective:

  1. Make sure you have a passcode or biometric security on your phone. Nobody should know your code; not your best friend, not your girlfriend, not your kids, maybe your spouse.
  2. Strong, unique passwords and two factor authentication can prevent somebody who discovers one password (like Twitter), from logging into other accounts (like Instagram). Of course this doesn’t matter if a mean person has your unlocked phone.
  3. Never post anything to social media unless you’d be happy to see it on the front page of the NY Daily News.

http://www.nydailynews.com/sports/football/laremy-tunsil-twitter-shows-man-smoking-bong-nfl-draft-article-1.2618248

There are lots of other lessons to be gleaned from this incident. I’ll leave that to the sports writers.  However, I hope the media shines a spotlight on the system and not just a kid who accidentally disclosed the realities of high stakes college athletics.

Two Factor Auth is Necessary

I just read that Facebook employees can log in to their internal systems with only a username and password. See:

http://www.mirror.co.uk/tech/facebook-hacked-security-researcher-stumbles-7829312

Cyber criminals have so many tools that we need an additional layer of protection.  If Facebook can have hackers lurking inside their network for months, what makes you so sure your network is safe?

I’m advising all my clients and companies to enable 2-Factor Authentication on all systems. This and strong unique passwords give me peace of mind that a compromise of my username and password does not expose me to cascading risks in other systems.