News Flash! Security Measures Only Work if Actually Implemented
July 14, 2021
Best practices are there for a reason, but it seems many companies are not following them. According to TechRadar, “Ransomware Is Not Out of Control, Security Teams Are.” Reporter Mayank Sharma interviewed Optiv Security VP and former FBI Information and Technology official James Turgal, who puts the blame for recent ransomware attacks squarely on organizations themselves. In answer to a question on the most common missteps that pave the way for ransomware attacks, Turgal answered:
“Every business is different. Some older and more established organizations have networks and infrastructure that have evolved through the years without security being a priority, and IT shops have traditionally just bolted on new technology without properly configuring it and/or decommissioning the old tech. Even startups who begin their lives in the cloud still have some local technology servers or infrastructure that need constant care and feeding. Some of the themes I see, and the most common mistakes made by companies, are:
1. No patch strategy or a strategy that is driven more by concerns over network unavailability and less on actual information assurance and security posture.
2. Not understanding what normal traffic looks like on their networks and/or relying on software tools. Usually too many of them overlap and are misconfigured. The network architecture is the company’s pathway to security or vulnerability with misconfigured tools.
3. Relying too much on backups, and believing that a backup is enough to protect you. Backups that were not segmented from the network, were only designed to provide a method of restoring a point in time, and were never designed to be protected from an attacker. Backups need to be tested regularly to ensure the data is complete and not corrupted.”
Another mistake is focusing so narrowly on new projects, like a move to cloud storage, that vulnerabilities in older equipment are neglected. See the article for more of Turgal’s observations and advice. Surely he would like readers to consider his company’s services, and for some businesses outsourcing cybersecurity to experienced professionals (there or elsewhere) might be a wise choice. Whatever the approach, organizations must keep on top of implementing the most up-to-date security best practices in order to stem the tide of attacks. Better to spend the money now than pay out in Bitcoin later.
Cynthia Murrell, July 14, 2021
Milestones in Management: Twitter and India
July 14, 2021
When I graduated from a so-so university, I participated in an interview day. I signed up with some companies which seemed interesting to me. One of them was an outfit engaged in manufacturing massive earthmoving equipment painted what today would be a NASCAR color. I spoke with the individual representing the company, and that individual asked me what my major was. I replied, “Medieval religious poetry.” The recruiter laughed, and I felt as if I were a total failure. How could that human resources professional not see the direct correlation between my knowledge of religious poetry and the design and engineering of sheep foot rollers? (You drag or push these gizmos over trees and the irrelevant bounty of nature is crushed like a bird run over by a tractor trailer on I-80.)
I wish I had known about the job “resident grievance officer.” I learned about this thrilling position in the article “Twitter Appoints Resident Grievance Officer in India to Comply with New Internet Rules.” The write up explains:
Twitter identified Vinay Prakash as its new resident grievance officer and shared a way to contact him as required by India’s new IT rules, which were unveiled in February this year and went into effect in late May. Twitter has also published a compliance report, another requirement listed in the new rules. Earlier this week, the Indian government had told a local court that Twitter had lost the liability protection on user generated content in the country as it had failed to appoint compliance, grievance, and a so-called nodal contact officials to address on-ground concerns.
What are the qualifications for this lofty and crucial role? My thought is medieval religious poetry. Here’s my logic. The part-time leader of Twitter needs an individual able to make sense of Christianity and the Celtic legend of King Arthur. Creating the mental bridge between a nation state and a high flying technology giant requires imagination. One cannot just follow the rules. One must elaborate, understand metaphors, and appreciate the value of short items of information, opinion, and fiction which can be marshaled to create a reality for some users.
Alas, I missed an opportunity to apply for this Twitter job. I can hear the words of this unknown writer now:
Ech day me comëth tydinges thre,
For wel swithë sore ben he:
The on is that Ich shal hennë,
That other that Ich not whennë,
The thriddë is my mestë carë,
That Ich not whider Ich shal farë.
Lucky person, that Vinay Prakash. Grievance officer and a nodal contact to boot.
Stephen E Arnold, July 14, 2021
Microgoof: JEDI Knight Defeated by Unknown Death Ray
July 14, 2021
Here’s an interesting passage:
More important than the money was that it gave the company a level of third-party validation, that its cloud-computing platform is on par with Amazon, the market leader. The Pentagon, arguably the world’s most sophisticated cyber customer, had chosen Microsoft over Amazon to fully revamp and modernize its tech ecosystem. That gave Microsoft credibility. Now, however, the Department of Defense says Microsoft’s offering wasn’t going to “meet its needs.”
The write up then indirectly links the death ray to none other than the mom and pop online bookstore:
Amazon challenged and eventually sued the federal government complaining that Microsoft was awarded the contract because of President Trump’s animosity towards the Washington Post, owned by Amazon’s founder and former CEO, Jeff Bezos.
Politics! Not technology! The write up points out:
Amazon controls roughly a third of the market and a host of government contracts, including with the Central Intelligence Agency. By comparison, analysts estimate Microsoft has cornered only around 20% of the market.
How could the defenses of the JEDI be breached? Was it the same weakness that causes printers to fail, supply chain attacks to thrive, and fuzzed communications about the minimum requirements for Windows 11?
No, no, no.
The Microgoof will take months, maybe years, to figure out. Where was Windows Defender when the Redmond giant needed its support? Maybe the service could not access Teams? Maybe the call did not go through because the parties were using a Windows Phone? Maybe the Windows update interrupted the system? What if the unknown death ray was crafted by the Bezos bulldozer now guided by Max Peterson who replaced the former Microsoftie Teresa Carlson, who is now a Splunker?
One thing is clear: First SolarWinds, the printer thing, then Windows 11, and now the JEDI zapper. I smell the exhaust from the Bezos bulldozer. Who else will?
Stephen E Arnold, July 14, 2021
Google and France: Whoa, Will Googlers Put That Trip to Provence on Hold?
July 13, 2021
Many news sources reported that the French government has put a price tag on Google’s content frivolities. The fine is in the neighborhood of $600 million. To put this in perspective, Google generates about $600 million a day in revenue, so no big deal.
CNBC’s “Google Hit with Record $593 Million Fine in France over News Copyright Battle” reports:
Google was ordered to present an offer of remuneration to publishers within two months, or risk facing fines of up to 900,000 euros per day.
From a practical point of view, Google will work out a plan. The plan will be discussed over numerous two-hour lunches, and then revised if warranted. If agreement is not reached, Google will seek redress in an appropriate manner. Google could write a check, threaten Apple-style to pull out of the country, or embrace the fascinating French legal system. Keep in mind that red tape, allegedly an invention of the Spanish, has been a favorite method in France for centuries.
I found the Russian viewpoint interesting. “France Slaps Google with Biggest Fine Ever of €500 Million for Failing to Comply with Copyright Rules” states:
The US company expressed upset at the French authority’s decision in a statement: “We have acted in good faith during the entire negotiation period. This fine does not reflect the efforts put in place, nor the reality of the use of news content on our platform.” The battle between Google and French publishers, including Agence France-Presse, has been going on since early 2020. Despite Google claiming that it has acted appropriately, French publishers insist that the company has used copyrighted articles and images without fairly paying the original authors under the EU “neighboring rights” rule. In February, Google was forced to pay out $76 million dollars to 121 French news outlets, with $22 million to be paid annually over three years.
The French fine might encourage other European Union entities to take a harder line with regard to what Google has been doing for the last 20 years. If that happens, the fines might consume a week or two of Google’s revenue. This begs the question, “What’s the point?” Either regulators take action that incentivizes different behavior at Google or just use the money, buy a good Beaujolais, rent a super yacht, and cruise to Antarctica to look at the big penguins.
Stephen E Arnold, July 13, 2021
Amazon Management Principles: Conceal and Coerce?
July 12, 2021
I read “Amazon Tells Bosses to Conceal When Employees Are on a Performance Management Plan.” Let’s assume the report is accurate and not the outputs from disgruntled individuals familiar with the online bookstore which sells a few other things to a couple of people on the Kitsap Peninsula.
The write up states:
Amazon instructs managers not to tell office employees that they are on a formal performance-management plan that puts their job in jeopardy unless the employee explicitly asks, according to guidance from an Amazon intranet page for managers.
I assume the intranet page is company confidential. If it is, what does access to the page by a “real news” professional say about Amazon security? The question is important because Amazon has floated above the cyber breach storms which are burning some organizations.
Next, the write up explains:
The policy, a copy of which was viewed by The Seattle Times, helps explain why some Amazon employees have described the experience of being on the performance-management plan, called Focus, as baffling and demoralizing. Some managers, too, question why they are asked to conceal that their employees are on a pathway that often leads out of the company. The secrecy surrounding performance management is one more reason why some Amazon office employees say the company is not living up to its April pledge to become “Earth’s Best Employer.”
What this passage suggests is that there is a disconnect between the marketing spin of a technopoly and the reality of the business processes in use at the organization.
This is a surprise? The Bezos bulldozer is a delicate machine. Unlike other largely unregulated, corporate entities, the bulldozer does not run over flowers, small creatures, and competitors. It’s a sensitive beast.
The most interesting factoid in the allegedly accurate write up may be this passage:
Some managers flout the rules and reveal to their subordinates that they are on Focus, according to two managers and documentation of one employee’s Focus plan seen by The Seattle Times. “I always broke the rule,” said one senior Amazon manager. “If I cannot share that an employee is on a coaching plan, how can I give him a fair evaluation?”
A similar management policy appears to apply at Google, the mom and pop online ad agency. “Senior Google Executive Who Opposed Work-from-Home to Move to New Zealand to Work Remotely” asserts:
CNET reported that Urs Holzle, Senior Vice President for technical infrastructure is moving to New Zealand to work remotely. Holzle told staff on June 29 that he will be moving to New Zealand. As per the report in CNET, Holzle had initially opposed WFH for staff who did not have a certain level of seniority in the organization.
Does this mean that those with seniority and maybe an elected office in the high school science club have a different rule book? Sure seems like it to me. But maybe Mr. Holzle is moving to Detroit or another Rust Belt location and New Zealand was a red herring.
If accurate, these two reports suggest that Amazon and Google may operate with three levels of high school management magic.
First, official procedures are not disclosed. Anyone remember the cockroach guy Kafka?
Second, employees are uncertain. Keeping people on edge is a clever way to exert control. There’s nothing like control, just ask a prison guard.
Third, the rules are differential; that is, those with power have a different set of guidelines.
Stephen E Arnold, July 12, 2021
Recursive Weirdness: How Technology Is Gnawing on Its Fingernails
July 8, 2021
I was scanning headlines this morning after a peculiar venture innovator meeting after work on July 7, 2021. Quick summary: I talked to 11 attendees at the Louisville, Kentucky, event, and each person worked for a big firm and was prospecting for recruits, trying to sell accounting services, or offering their non-venture expertise as a consultant. Wow. No wonder Louisville has been outpaced by Nashville, Tennessee, in the venture space.
Now to the childish habit of chewing on fingernails:
I assumed the adults of the technology industry were enjoying the good old summer time. As I zipped through the content in my Overflight system, I noticed a few sleeping policemen on the highway to the vacation resorts in Monopoly Land; for example:
- A trivial 36 states in America are now demonstrating their inability to be Googley.
- Top dogs at Facebook allegedly find the firm’s social kennel too confining, too small, and too uncomfortable.
- A former president is not happy with the Twitter thing.
- The government of China makes clear why old-fashioned capitalism may be a risky life choice in the Middle Kingdom.
But none of these stories is as intriguing as this one: “YouTube’s Recommender AI Still a Horror Show, Finds Major Crowdsourced Study.” The main idea is that YouTube recommends content which it then bans for violating its terms of service. The write up states:
New research published today by Mozilla backs that notion up, suggesting YouTube’s AI continues to puff up piles of “bottom-feeding”/low-grade/divisive/disinforming content — stuff that tries to grab eyeballs by triggering people’s sense of outrage, sowing division/polarization or spreading baseless/harmful disinformation — which in turn implies that YouTube’s problem with recommending terrible stuff is indeed systemic; a side effect of the platform’s rapacious appetite to harvest views to serve ads. That YouTube’s AI is still — per Mozilla’s study — behaving so badly also suggests Google has been pretty successful at fuzzing criticism with superficial claims of reform.
The write up and the study must be read in their entirety to appreciate the delicious business processes at work. Business processes, what are those? Here’s an example:
Mozilla’s report also underlines instances where YouTube’s algorithms are clearly driven by a logic that’s unrelated to the content itself — with a finding that in 43.6% of the cases where the researchers had data about the videos a participant had watched before a reported regret the recommendation was completely unrelated to the previous video.
This story is interesting to me because it illustrates how relatively simple methods can be used to generate revenue and keep users clicking. The notion of making informed decisions about content using artificial intelligence may be little more than magician tricks. It seems that audiences want to be mesmerized. Advertisers want to believe that online advertising works. Google wants to be the quantumly most supreme high-technology giant no matter what.
Sure seems like it. Each of the examples reminds me of a confused sun bear chewing on its claws.
Stephen E Arnold, July 8, 2021
Amusing Confusing Wizards
July 7, 2021
More from the Redmond wizards’ humor generating machines.
Microsoft has found a way to deflect attention from yet another security issue. Do you print over the Internet? “Microsoft Acknowledges PrintNightmare Remote Code Execution Vulnerability Affecting Windows Print Spooler Service” says:
IT Admins are also invited to disable the Print Spooler service via PowerShell commands, though this will disable the ability to print both locally and remotely. Another workaround is to disable inbound remote printing through Group Policy, which will block the remote attack vector while allowing local printing.
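As an added example (not code from the article or from Microsoft), this PowerShell script audits a host's Print Spooler exposure and applies either of the two workarounds the passage describes. It assumes the registry value named below is the one written by the “Allow Print Spooler to accept client connections” Group Policy setting (1 = enabled, 2 = disabled); the script's parameter and function names are my own.

```powershell
# Added example: audit and apply the two PrintNightmare workarounds the article
# mentions, on a machine that is not meant to act as a print server.
# Run in an elevated PowerShell session. Assumption: the policy value below is
# what the "Allow Print Spooler to accept client connections" GPO writes.
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Record the current state so an operator can see whether a change is needed
    # and, afterwards, that it actually took effect.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $remote = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        SpoolerStatus     = $svc.Status
        SpoolerStartType  = $svc.StartType
        RemoteRpcEndpoint = if ($null -eq $remote) { 'NotConfigured (defaults to enabled)' }
                            elseif ($remote -eq 2) { 'Disabled' } else { 'Enabled' }
        # Remote printing is reachable only if the service runs AND the endpoint is not disabled
        RemotePrintingExposed = ($svc.Status -eq 'Running') -and ($remote -ne 2)
    }
}

switch ($Mode) {
    'Audit' { Get-SpoolerExposure }
    'DisableSpooler' {
        # Workaround 1 from the article: stop and disable the service.
        # This removes local as well as remote printing.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-SpoolerExposure
    }
    'BlockRemote' {
        # Workaround 2 from the article, applied as local policy: refuse inbound
        # remote print connections while keeping local printing available.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 `
            -PropertyType DWord -Force | Out-Null
        # The value is read at service start, so restart the spooler to apply it.
        Restart-Service -Name Spooler -Force
        Get-SpoolerExposure
    }
}
```

On a domain-joined machine the local value is overwritten at the next Group Policy refresh, so the same setting should be deployed through the domain GPO rather than relied upon locally.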
So what distracts one from a print nightmare? That’s easy. Just try to figure out if your PC can run Windows 11. TPM, you say? Intel what?
PrintNightmare aptly characterizes Microsoft’s organizational acumen perhaps?
Stephen E Arnold, July 7, 2021
Institutional Knowledge: A Metric about the Google
July 6, 2021
I read an unusual “I left Google” essay called “Leaving Google.” I am not sure I understand how an apparently valued employee would find bureaucratic processes a reason for leaving what seems to be an okay job. You can read the write up by a Xoogler who worked at the mom-and-pop online ad company for 17 years.
I noted one factoid which struck me as quite interesting. Here it is:
At the time I left, out of ~150k employees, only ~300 had worked there longer than me.
That means that the institutional “knowledge” of Google, its thousands of technical components, its hundreds of thousands of contracts, its millions of inter- and intra-process dependencies from the days of Backrub to the weirdness of solving death to the incredibly brilliant but FLoC’ed solution to user tracking resides in exactly 0.1935 percent of the staff.
Perhaps some of Google’s more interesting behaviors, products, pronouncements, and personnel decisions have drifted from what the company was first engineered to deliver?
Questions:
- When a component buried deep in code created in 1999 goes wrong, who knows how to fix it?
- What if the issue cannot be fixed? What then?
- How much of modern Google is code wrappers slapped over something that mostly works?
- Are disconnects between engineering and marketing created by this loss of institutional knowledge?
I suppose one can use a Web search engine like Bing, Swisscows, or Yandex to seek answers. Google search is not particularly useful for this type of query.
Stephen E Arnold, July 6, 2021
Google and Personnel: Progress or Regress?
July 5, 2021
I read a write up from Verdict, a UK information service. The story “Google: We’re Hiring Lots of Minorities! Sadly They Are Leaving Even Faster” provides some useful information about Google’s management practices. The story reports:
Big Tech has a diversity problem, a fact underlined by Google’s latest diversity report revealing how minorities are leaving Mountain View in droves.
And from whence does this factoid come? Heh, heh, the information comes from the Google, if the Verdict story is on the money. Google issued an annual diversity report. I think this was the first one since the diversity report for 2014. Hey, we are on Internet time, so those seven years are really many, many more. Logically, if Google operates on Internet time and that “time” is accelerated, the Google is not late. Google is on time and on target. Non-Googlers need to process Google’s definition of annual and understand that the faster you go, stuff slows down to observers. Hence, 2021 is simply the next annual report in the quantum supremacy world. Google uses a variation of this logic when it misses European regulators’ requests for documents by invoking the “dog ate my homework” enhancement.
Onward. The article includes this interesting passage:
True to form, the latest report kicks off by highlighting all the efforts that it’s made to ensure diversity among its staff. Some highlights to that end include how 84% of Google’s people managers have completed unconscious bias training and that Mountain View has spent $55m since 2014 to boost economic empowerment for women. To put that last figure into perspective: that’s 0.4% of Google’s total revenue of $13.059bn from 2020…
And there’s more:
Hiring among black employees jumped from 5.5% to 8.8% between 2020 and 2021. Similarly, hiring of Latin employees jumped from 6.6% to 8.8%. However, hiring of Asian employees shrunk from 48.5% to 42.8% and Native American hiring slumped from 0.8% to 0.7%. The hiring of white employees rose from 43.1% to 44.5%.
The article includes a somewhat negative statement too:
However, the report also reveals that Google is bleeding staff from ethnic minorities.
And here are the data presented by Verdict:
The biggest change was seen among its black staff. The attrition index demonstrated a jump from 112 in 2020 to 121 in 2021 among black employees. It was particularly bad for black women, whose attrition rate grew from 110 to 146 over the last year. For black men, the number decreased from 114 to 106. A similar increase was seen among Latin employees, with the rate of attrition increasing from 97 to 105 over the period. For women in the group, attrition decreased from 93 to 81. For the Latin men, it jumped from 98 in 2020 to 117 in 2021. The attrition of Native American Google employees grew from 131 to 136. The increase was led by Native American women whose attrition rate increased from 123 in 2020 to 148 in 2021 while the men in the group saw attrition decrease from 143 to 127.
Hmmm. The next report will be due next year. Please, don’t forget to calculate what annual means in Google speak.
Stephen E Arnold, July 5, 2021
Smart Software, Humans, and Personnel: The Ingredients for Management Success
July 2, 2021
I thought this paragraph was thought provoking:
A Deloitte survey found that while 71 percent of companies see people analytics as a high priority in their organizations (31 percent rate it very important), progress has been slow. After years of discussing this issue, only 8 percent report they have usable data; only 9 percent believe they have a good understanding of which talent dimensions drive performance in their organizations; and only 15 percent have broadly deployed HR and talent scorecards for line managers. One of the reasons for the low adoption of people analytics is that companies have a closed approach to analytics in HR, and readiness remains a serious issue.
This passage appears in “How People Analytics Can Create a Culture of Care and Success.” Let’s consider two organizations with smart software, oodles of data, and a pristine track record for making big bucks. The two outfits are Amazon and Google. Both of these exemplary institutions have done an outstanding job with their people management. As I recall, there were some distasteful blog posts about warehouse workers and plastic bottles, comments about smart cameras and GPS systems monitoring delivery truck drivers, and the phone booth in which an employee can lock away the world. Peace, calm, and care.
And the Google? Staff flips at DeepMind, the outfit which has some type of smart software supremacy. Then there is the trivial ethics thing and the textbook handling of the Timnit Gebru situation. And, lest I forget, the yacht death, the diploid cell assembly in the legal department, and the fumbled suicide attempt by a big wheel’s marketing associate. Protests? I could name a few. Petitions? Well, that Maven thing. Sigh.
It seems to me that the article, including the “hire us because we are HR experts” pitch in the Deloitte PR setup, is describing a future which sells consulting. It seems that employees are forcing change upon employers. Others are quitting. Another group is happy to collect government “pay for being alive” checks. Smart software to the rescue? Give me a break.
When two outfits equipped to create cultures of care and success cannot do basic personnel, reality is different from the silliness of surveys chock full of buzzwords. Don’t believe me? Ask an Amazon truck driver. Better yet, pose a question to Dr. Gebru.
Stephen E Arnold, July 2, 2021