This post originally appeared on the blog of startup guru Steve Blank.

I grew up in New York City and for a few years heaven on earth for me was going to Boy Scout camp in the summer near the Delaware River.  The camp had all the summer adventures a city kid could imagine: hiking, fishing, canoeing, etc. But for me the best part was the rifle range.  For a 12-year old kid from the city shooting target practice and skeet with a .22 rifle meant being entrusted by adults with something you knew was dangerous – because they were beating gun safety into our brains every step of the way.

From the minute we walked onto the shooting range to even before we got to touch a gun, we learned basic rules of handling weapons I still haven’t forgotten. You screwed up and you got yelled at and if you did it again you got escorted out of the rifle range.

While target practice and skeet shooting were fun, safety was serious.

Over the years I would learn how to shoot an M-16 in basic training in the military, go through a basic combat course to go to Southeast Asia (when we acted like this was a lark, our instructor stopped our drill and said, “For your sake I hope the guys shooting at you were screwing around in their combat course.”  It got our attention.)

When I bought the ranch, herds of wild boar still roamed the fields. While we were putting in the miles of fencing to keep them out, I bought much heavier weapons to deal with a charging 400-pound boar and hired an instructor to teach me how to safely use them.  Each time, gun safety was an integral part of training with new weapons.  For me, guns and gun safety became one and the same.

Hacking and Cyber Security

For consumers, online surfing, shopping, banking, and entertaining ourselves have become an integral part of our lives. And with that has come identify theft, hacking, phishing, online scams, bullying, and predators online. As well as a loss of privacy.

But for businesses, the threats are even more real. Go ask RSA, Northrop, Lockheed, Google, Amazon and almost every other company with an online presence. Intellectual property stolen, customer data hacked, funds illegally transferred, goods stolen, can damage a company and put them out of business.

I think we’re missing something.

In the last 20 years 3 billion people have gained access to the web. Yet for most of them safety online remains a problem for other people. It pretty clear that for a company going online today is equivalent to playing with a loaded gun. The analogy of comparing the net with guns might seem stretched, but I think it’s an apt one. Guns have been around for hundreds of years, to provide food as well as wage war, but it wasn’t until the 20^th century that gun safety rules were codified and taught.

I think we need the equivalent of gun safety training for online access.

We now know the basic tools online hackers use. We know enough to harden sites to stop the simple hacks and to educate employees about basic social engineering and phishing attempts. It’s time to teach Cyber Security as integral part of the high school and/or college curriculum – not as an elective. Companies need to make Cyber Security education an integral part of their on-boarding process.

The Air Force Academy basic Cyber Security course is a good place to start (Stanford and other schools have similar syllabi.) The class consists of basic networking and administration, network mapping, remote exploits, denial of service, web vulnerabilities, social engineering, password vulnerabilities, wireless network exploitation, persistence, digital media analysis, and cyber mission operations.

Lessons Learned

• The web is not a benign environment
• Companies, high schools and colleges ought to make a basic Cyber Security course a requirement of getting online access.

Steve Blank is a retired serial entrepreneur now teaching entrepreneurship at UC Berkeley, Stanford, and Columbia.

Photo credit: JSmith Photo via photopin cc

Sept. 9 - 10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Cameron Peron is VP Marketing at Newvem, a cloud operations optimization service.

Amazon has launched a series of local Amazon Web Services summits across in key cities across the world. Capitalizing on the re:Invent conference in November of last year, the AWS summits are a great forum for local AWS users to learn about featured AWS services and meet partners exhibiting at the event itself.

The AWS Summit in San Francisco a number of days ago lived up to this expectation. Here are 5 insights from Amazon senior VP of web services Andy Jassy’s keynote, and the exhibition itself.

It’s all about the enterprise

Adoption of the public cloud by the enterprise was a key message through the introductory keynote.  In sharp contrast to the keynotes delivered in re:Invent in November, Andy Jassy emphasized the public cloud as part of an enterprise’s IT and cloud strategy as opposed to a complete alternative to on-premise and virtual private cloud.

Andy highlighted use cases of AWS services that the enterprise can use to both move workloads to the AWS cloud as well cooperate between on-premise and AWS environments.

Security = priority #1

Jassy stated that AWS is committed to providing a secure public cloud, highlighting the addition of advanced security controls, certifications and accreditations.

No doubt this was a direct message to enterprise level CIOs that are considering moving small variable workloads to the public cloud, but need to deal with security and compliance risks that run deep into their respective organizations.

Redshift, redshift, redshift

The keynote contained many use cases and examples of using AWS RedShift, a data warehousing and data analysis solution.

Based on an hourly pricing model, RedShift enables AWS customers to analyze large volumes of data with their existing business intelligence tools.  The RedShift use case was a common theme throughout Andy Jassy’s address, use cases delivered throughout the keynote, and breakout sessions. RedShift follows in the footsteps of enriched AWS services such as OpsWorks and Trusted Advisor.

Cost is still the driver for onboarding new business

Throughout the keynote Jassy championed many organic AWS services, as well as solutions provided through the AWS Partnership Network that enable companies to scale once on the AWS cloud.  Despite this, low cost is still king.

Just as Werner Vogel discussed cost savings in the beginning of the New York City keynote, Jassy emphasized that AWS lowered prices 31 times in the absence of competitive pressure to do so.  In line with the success of the Amazon.com model, Jassy implied that that AWS will continue to reduce prices.

Jassy also offered examples of customers reducing costs by using solutions beyond EC2, highlighting that Foursquare reduced their analytical cost by 50 percent with AWS.

Launch of the AWS Certification Program

Jassy also shared the launch of an AWS program that certifies solutions architects, SysOps Admin, and developers.

To qualify, applicants must complete an exam that covers both proficiency in AWS as well as general IT knowledge and experience.  The program should complement and reward AWS users who have championed both onboarding and scaling AWS within their organizations by mandating and regulating their skill sets throughout the career.

In other words DevOps and other AWS users can add AWS certification alongside experience and proficiency in code, such as Ruby and Python.

Cameron Peron is VP Marketing at Newvem, a cloud operations optimization service designed for cloud users. Offering a business view into a company’s public cloud operations, Newvem actively tracks cloud health in order to help reveal and solve cloud irregularities related to cost, security, utilization and availability.  Follow Cameron at @cameronperon

The multiplayer servers for EA’s hit shooter Battlefield 3 are not fully functional due to a Distributed Denial-of-Service attack.

Developer DICE is attempting to counter the attack by updating and improving its servers. In posts on its message boards, DICE says it doesn’t know why its game is under attack, and it will continue to work to get the game working properly.

“We have been working around the clock to mitigate the impact of an ongoing denial-of-service attack on our Battlefield 3 game infrastructure over the last several days,” reads a post from the DICE team. “While the motives are unclear, the focus of the attack has been interference with network communications preventing access to multiplayer gameplay.”

We’ve reached out to EA to ask if it knows who is responsible for the attack. We will update with its response.

The studio went on to assure fans that this blunt-force attack has not compromised user data.

A DDoS attack is when a person or a group of people use software to make repeated requests on a server. If enough requests are made, it will overwhelm the server and cause it to begin spitting out errors. It doesn’t require any hacking skills, but a coordinated attack like this does need a lot of different PCs all running the software at the same time.

That suggests this is either a group of people or that someone is hiding the code for the attack in other software.

“As a part of our efforts to resolve these issues, we’ve conducted rolling restarts of Battlefield infrastructure to apply some updates,” the Battlefield forum post reads. “Thank you for your patience and support while we work to get everyone back and playing Battlefield 3 as soon as possible.”

DICE promises to provide more updates as it makes progress.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

That’s going back to the future, according to Monetate: going back to a time when all commerce was personal.

But there is a yin and a yang here.

While we may want personalized experiences, and we want websites to be smart — to know us, essentially, and act as an intelligent, solicitous person might — privacy is part of the picture. A good third of us don’t want our website activity tracked, and a quarter of us don’t want the websites we shop to personalize our experience at all.

Monetate has four tips for online retailers:

1. Use marketing automation technology and big data to assist with personalization
2. Target segments with relevant content based on what you know about them
3. Don’t think of channels, think of customers first
4. Be in it for the long haul, not the quick win

All the data, in visual form:

photo credit: crsan via photopin cc

West Virginia legislators, led by Gary G. Howell (R), hoped to ban motorists from using Google Glass while driving in March. And as it has been revealed that Glass wearers could take a picture just by winking, pundits talk about Google Glass creeping them out, bars that no Glass-wearing geek would enter start banning Google’s wearable computer, and Las Vegas casinos have declared the device persona non grata. Pit bosses, apparently, have cold sweats about poker games being recorded and transmitted and players getting relayed instructions via Glass’ built-in bone subduction speakers.

Really, you wouldn’t have thought a proposal to Borg the entire human species would have met with such resistance.

Seriously, however, almost any individual thing Glass does now has been possible in the past.

Source: Steve Mann

Steve Mann’s computer-assisted vision system.

Memoto, the camera that hangs around your neck and takes a picture every 30 seconds, blew through its Kickstarter campaign goal by a factor of 10. It’s tiny, unobtrusive, and has no on-off switch — a voyeur’s delight in public bathrooms, pools, and who knows where else. Head-mounted cameras are nothing new.

Motorola Solutions — the part of Motorola that Google doesn’t own — demoed its wearable computing and head-mounted mobile computer to our own Dean Takahashi last year. And glasses with cameras are available from multiple manufacturers.

It’s probably the full-meal-deal package that Glass presents that is the problem — and the fact that it houses all of its startling capability in probably the first somewhat attractive device which someone not on the Star Trek convention scene might actually wear.

We’ve already seen the panic and anger that always-potentially-on technology can cause when Steve Mann, who wears a computer vision system, was assaulted in a Paris McDonald’s for failing to take the device off, even though it is permanently attached to his head. Glass promises to ignite that same fear, worry, and concern over privacy, multiplied by millions of potential wearers.

“Welcome to a world through Glass,” Google says in its introduction to what Glass does. “Record what you see. Hands-free. Even share what you see. Live.”

There’s no doubt that Glass is awesome, cool, and empowering, but every power that an individual gains is a power that might infringe on others … and a power that governments tend to want to control.

“This is just the beginning,” Los Angeles privacy lawyer Timothy Toohey told the NY Times. “Google Glass is going to cause quite a brawl.”

photo credit: Dunechaser via photopin cc

Security heavyweight McAfee has agreed to acquire network firewall business Stonesoft for $389 million in cash, the company announced today.

Helsinki, Finland-based Stonesoft offers a portfolio of firewalls, SSL VPN solutions, and prevention systems that are suitable to help both small and large businesses. It has more than 6,500 customers worldwide.

McAfee is most interested in Stonesoft’s next-gen firewall technology, and it’s saying that combining Stonesoft’s offerings with its own cloud-based Global Threat Intelligence service will give its customers even better network security.

“With the pending addition of Stonesoft’s products and services, McAfee is making a significant investment in next-generation firewall technology,” McAfee President Michael DeCesare said in a statement. “These solutions anticipate emerging customer needs in a continually evolving threat landscape. … We plan to integrate Stonesoft’s offerings with other McAfee products to realize the power of McAfee’s Security Connected strategy.”

Pile of money via HamsterMan/Shutterstock

Consumer antivirus maker Avast has acquired Secure.me, a Facebook-focused personal security startup.

“I am overwhelmed that our vision has reached its destination,” wrote Secure.me cofounder Mario Grobholz on the company blog. “The deal with Avast is the most crucial milestone in our company’s history.”

Secure.me launched in November 2011 as a way parents could keep their eyes on their offsprings’ Facebook activity, including outgoing and incoming messages, wall posts, and status updates.

Secure.me also searches for preset or user-created search terms, sending notifications when the terms pop up in Facebook content. And its photo recognition technology keeps a virtual eye out for pictures with specific people in them, whether or not that person has been tagged in the photo.

Then, last fall, the company launched App Advisor, a program to protect all Facebook users — not just kids — from third-party applications in the mood for personal data.

But with mixed business success and no immediate opportunities to take investment, the Secure.me team started looking around for other opportunities. Grobholz said his team will continue to focus on personal data security at Avast.

Avast was founded in Prague in 1988 by researchers Pavel Baudiš and Eduard Kučera. The terms of the acquisition were not immediately disclosed.

Cloud identity management company Ping Identity says that between those six or more corporate passwords and all the personal passwords we maintain, the average person has to remember 15 passwords. That’s probably a recipe for disaster, given the total information onslaught we face every day, which is why the majority of us — 61 percent — reuse passwords from site to site.

That’s what security companies call “password negligence,” and the results are costly.

Too many passwords and not enough memory contributes to 39 percent of all malicious hacking attacks, which can cost large enterprises $5.5 million each.

One solution, of course, is corporations requiring users to change their passwords every 30 to 60 days. That’s more secure, theoretically, but people often reuse an old password. Or, worse, if they’re worried they won’t be able to remember the new password, they may write it down.

The end result, unfortunately, can be less security than before the change.

All the data is below, in visual form:

photo credit: Simon Lieschke via photopin cc

Mani Gopalaratnam is head of innovation at business process outsourcing company Xchanging.

BYOD has been talked about ad nauseam, but now there’s a trend surfacing that will start to push BYOD out of the picture in the next few years. Corporately Owned, Personally Enabled (COPE) devices are the next big thing, and within the next three years, projections indicate 70 percent of global organizations will adopt it.

BYOD is a concept that was floated first in Asia, where CIOs were quick to embrace the trend, but also quick to realize its implications: challenges in securing corporate data, an increased need for IT resources and support, increased costs, difficulty maintaining network performance, and challenges in managing devices and applications.

Companies like BlackBerry, which was ahead of the curve in adopting BYOD, were also the first to try out COPE pilots, where the goal was essentially to show customers this model was a better, less risk-laden option for enterprise mobility than was BYOD.

BYOD vs COPE

The biggest difference between BYOD and COPE is the management of personal data on the device.

Employees own their devices with BYOD, hence Bring Your Own, which gives organizations less control over how they are being used. It goes without saying that this leads to massive potential for security issues. It also puts an organization in peril, especially with the sales force owning their own phone numbers.

With COPE, the end user has more flexibility, but the organization still has control over costs, security, and other areas of potential risk such as legal and HR implications. For example, corporations can dictate what carrier the organization uses and what devices can sit on the network but may, for example, allow users to indicate what apps they want on their phone, or may offer employees a device catalog to select from. This gives employees options, while also minimizing the need for IT to manage an overwhelmingly mixed range of devices

COPE also gives organizations the power to monitor policies and devices, beyond simply selecting which ones can be distributed. If the device is stolen, the company can send a wipe command. Organizations can also conduct automatic checks on malware and dangerous applications, sending warnings about certain apps to the device owner in order to proactively avoid potential issues.

Migrating to COPE

When helping our clients migrate to COPE, we’ve found a number of ways to aid organizations in further maximizing the benefits.

Some best practices to consider include:

• Take advantage of the ability to recycle devices as part of the contract. Alternatively, to keep costs down, buy in bulk. By doing so, you can negotiate substantial discounts.
• To take that one step further, beyond minimizing just the device costs, outsourcing enterprise mobility contracts also enables organizations to make the best use of resources and budgets. You can negotiate usage-based plans, for example, to minimize unnecessary spend.
• Understand the benchmarks from cost benefits, usage statistics, and device performance so you have a framework from which to measure and learn.  Benchmarking is important when making a transition in your mobility model, as it provides a measureable way to evaluate costs, usage, performance. and more. It enables executives within your organization to see the tangible benefits of a COPE model by clearly indicating the improvements in productivity, efficiency, and overall business execution from a numbers perspective.
• Be aware of potential hidden costs. While there are more hidden costs associated with BYOD than with COPE, costs to look out for include device management and maintenance, personal service partitioning and impacts, and migration expenses, among other things.
• Due to dramatic improvement in device software upgrades, it’s vital to ensure the internal systems are able to work with the latest software versions. This can have a bearing on how well COPE adoption can take place without a huge hidden migration cost.

While COPE enables organizations to better control corporate assets — over information, as well as tangible control — it also boosts employee satisfaction. This, in turn, results in a surge in employee productivity (evident from the days of BlackBerry) due to the shortening of decision support.

So while today BYOD buzz continues to dominate enterprise mobility discussions, you’ll soon start to see COPE fazing it out as more organizations realize the benefits and flexibility that can be achieved though this alternative model.

Mani Gopalaratnam heads the architect team at Xchanging, Inc. (XCH: LSE), a $1B business process and technology services provider and integrator. He is also Head of Innovation for the company and CTO for the region of Asia Pacific. To learn more, visit www.xchanging.com.

Actually, it’s not that difficult, according to mobile security company Fixmo’s CEO, Rick Segal.

“Despite the Bush years of let’s go play in another war, there’s a very tight, close alliance between Canada and the USA,” Segal says.

He can get away with saying that sort of thing more than most Canadians, because the CEO of this Toronto-based startup is a ex-patriate American who has spent the last 15 years in Canada. He’s building his business in Ontario because, he says, of the tax credits for high-tech companies, the influx of talent from the most-populous Canadian province’s 50+ universities, and the ability of Canadian governmental agencies to give him personalized attention in his efforts to break into new markets.

Such as sponsoring him to attend expensive international conferences like the one where he met “some NSA folks.”

Fixmo makes mobile security products that allow organizations to safely offer BYOD (bring your own device) policies that don’t imperil sensitive data and networks. The company, which had just three employees just a few years ago, offers an encrypted sandbox, digital fingerprint technology that can detect tampering to your mobile operating system, and compliance breaches like the installing of unauthorized apps on both iOS and Android. Built with 256-bit encryption, two-factor authentication, and remote wipe capability, Fixmo’s products are sold largely to governments.

And, interestingly, they’re built on software originally developed by the NSA.

“The US government and security agencies tend to view Canada as one of its own,” Segal says. “Eyebrows don’t get raised when a Canadian company does business with NSA … there’s no ‘it’s a foreign country’ kind of thing going on.”

It started — as so many things do — in Vegas.

While attending the wireless industry trade show CTIA in March 2011, Segal met the men in black who represent the NSA’s Technical Transfer Program, which is in place to commercialize technologies and products developed inside the agency. Interested in Fixmo’s existing security products, the NSA decided the company was a good bet to do business with.

After developing a relationship that resulted in a technology transfer in which Fixmo licensed agency-developed security code, Segal started building shippable products based on the NSA technology. Fixmo’s products, the company’s sales literature highlights prominently, “have been developed as part of a cooperative research and development agreement with the U.S. National Security Agency.”

That commercialization has culminated in the sale of those products back to the three-letter agencies.

“Seventy percent of our customers are government agencies like the NSA, FBI, and Homeland Security,” Segal says, noting a contract with the US air force that completed last week. “One of our clients has 700,000 seats.”

The company’s other clients include businesses in the financial services and healthcare industries, both sectors in which privacy, security, and compliance with corporate policies are paramount.

photo credit: DonkeyHotey via photopin cc

Disclosure: I’ve been invited by the government of Ontario to explore the startup ecosystem in Toronto, Waterloo, and elsewhere, and this post is part of that series, and Ontario has paid for this trip. My reporting, however, is my own.

While Google Glass may seem like a step towards a crazy science-fiction future, for some reason it lacks a fairly basic security feature: a lock screen.

That left the door open for Roundarch Isobar’s Mike DiGiovanni to develop a lock screen of his own, which he calls Bullletproof. Whenever Glass detects that it’s been removed from your face, the app presents a screen that can be unlocked with your own combination of gestures on Glass’s touchpad.

It’s not exactly groundbreaking, but it’s certainly necessary for a $1,500 computer that you wear on your face. Without Bulletproof, anyone could grab your Glass unit and send whatever images and messages they want to your friends and Google+ page.

The bigger question: How the heck did Google release a next-generation device without basic security protection? I’d argue that Glass is even more vulnerable to theft than your smartphone, since it’s typically resting on your face unattached, instead of being hidden in your pocket or purse. Glass also can’t be folded down like a typical pair of Glasses, which means it’s a fairly big target if you leave it on your desk.

If  your expensive Glass headset does get stolen though, you can always track it and wipe it remotely from the MyGlass website. Still, that doesn’t help if someone surreptitiously nabs your Glass unit to send malicious messages.

Update: A Google spokesperson sent along the following statement around Glass’s security:

We recognize the importance of building device-specific protections, and we’re experimenting with solutions as we work to make Glass more broadly available.

Via: Slashgear; Photo of Sergey Brin wearing Google Glass: Chris Chabot/Google

Paul Pellman is the CEO of Adometry, Inc.

In recent weeks there has been substantial debate about fraud in the advertising industry. Of course, these conversations aren’t new. Click fraud lawsuits have been a near constant for almost a decade.

In 2009, the Wall Street Journal wrote an in-depth report about hidden ads, prompting the formation of an industry group, StopAdFraud.org, which for a time attempted to create a blacklist of offenders in order to curtail the number of publishers enabling click fraud or low-quality impressions. More recently, there have been widely-reported organized click fraud rings – mostly originating from China and Russia in the form of “Botnets” – that involve tens of thousands of IP addresses visiting hundreds of domains and clicking millions of digital ads. Among our clients, which include large and small advertisers, agencies and ad networks, approximately 16 percent of monthly clicks are invalid – roughly half the industry average aided by sophisticated blocking lists that have been assembled to weed out known offenders over several years. While a 100 percent block rate is impossible, this number is still much too high.

All of this fraudulent activity comes at the (literal and figurative) expense of advertisers and agencies. To quote a former editor of a well-regarded tech blog who wrote frequently about this topic, “as long as advertisers pay for clicks, there will be click fraud.” Unfortunately, this mantra has only expanded to encompass the full swath of digital advertising including page-view impressions, views of online video and the like.

A persistent problem

There are many types of fraud and each has a slightly different impact on advertisers depending on the revenue models being used. Some of the most nefarious activity is caused by Botnets described above — these are sophisticated programs designed specifically for click fraud that leverage a network of computers (with or without the users’ consent) to visit websites or click display ads in an effort to generate unnaturally high traffic for commercial gain. Click fraud practices also continue to be present within Ad Networks themselves. We often see programmatic or scripted activity designed to appear to be human behavior. Beyond simple “invalid click” behavior through human or technological means, we see ad injectors, “stacking” ads one behind another, 1×1 pixels, fraudulent browser plugins, and cookie stuffing.

The arms race conundrum

Companies like ours work closely with advertisers, ad networks and agencies to help protect brands and combat all aspects of ad fraud, including maintaining growing lists of bad actors and providing data to clients to ensure they don’t pay for invalid clicks or inflated traffic. These ‘sell side’ solutions are important as they represent the front lines of the fight against ad fraud and protect the underlying economics of the online advertising business. Unfortunately, these technologies can’t prevent scammers from attempting to game the system entirely, and as long as there are incentives to do so there will be offenders that attempt to steal a slice of the multi-billion dollar advertising industry. In other words, we’ll continue to get better at detecting and preventing their tactics, and they’ll continue to develop new ways to circumvent the system.

It’s time for an ad fraud ‘pivot’

If you’ve ever seen the 80’s film War Games you remember the famous scene at the end of the movie during which the war games simulator has a sentient moment when it realizes “the only winning move is not to play.” Similarly, up to this point many online advertisers have decided to deal with fraud by simply ignoring it, leaving it up to ad networks and a small group of fraud-fighting vendors to deal with the problem. Long-term this approach is not only doomed to fail, but it also ignores the important role advertisers and agencies must play if the industry is ever going to disrupt the growing universe of scam-y, click fraud offenders in a meaningful way.

Unlike sell-side platforms and ad networks, advertisers hold a critical card in the fight against fraud – money. By virtue of controlling how ad budgets are spent and allocated, big advertisers and their agencies ultimately have the power to starve out scammers. In this model, instead of solely relying on ad networks catching a higher percentage of fraudulent activity, advertisers change the game by developing new measures that only reward good behavior. In other words, they stop looking only at ineffective KPIs like CPMs and start developing systems that weed out all but those supplying high-quality traffic and impression that accrue to revenue.

In the marketing attribution space, one approach we’re seeing many companies employ successfully is a gradual move away from simple metrics to new, modern techniques that calculate conversion credits on a granular level. There are many reasons for this, but one motivating factor that is often cited is a desire to understand not just what happened as a result of any given marketing campaign but how and why it happened. Using attribution algorithms, advertisers can identify which channels and media are performing well or poorly, then redistribute budgets or optimize spending around what’s performing best. Using the same data, marketers can give targeted feedback to demand-side platforms (DSPs) and real-time bidding partners to improve results and buy higher-quality placements. Ultimately, they may decide to stop allocating budget to specific ad networks if the inventory fails to deliver. Another benefit of cross-channel attribution is that pure-play vendors are like Switzerland – a beacon of neutrality. By having no stake in the outcome, independent attribution vendors can focus on providing unbiased analysis and let you worry about what to do with that information.

Final word

Depending on who you ask, you’re likely to get different answers as to how serious a problem fraud is in the digital advertising industry. The truth is probably somewhere in the middle, but when it comes to fraud one thing that is certain is the status quo is no longer working. Advertisers would be wise to heed the famous words of Jack Welch, “control your own destiny or someone else will.”

Boxing photo via Shutterstock

Paul Pellman is the CEO of Adometry, Inc., a marketing analytics provider that generates insights about the performance of marketing campaigns through combining and interpreting advertising data from online and offline channels.

Chances are you’ve read something, somewhere, about the increasing number of security breaches in web applications. Hackers are targeting these applications due to the amount of sensitive business (and personal) data they control. “Hacktivism” isn’t just a buzzword — groups of thousands of hackers are determined to take down organizations, which are targeted for reasons only the attackers themselves understand. Yet they are serious about it. And it’s time you become serious about it too.

Most organizations don’t think about application security until after the application has been designed and architected. They may layer on security testing after the application is developed. They may decide to test the application in its run time state, just before it goes to production. Some even test it after it’s in production. There are many high-profile companies that do this; you can read all about them (and the corresponding security breaches in their applications) in the latest news headlines.

To put the root cause of this issue bluntly, there’s a disconnect between security and development that can lead to serious security vulnerabilities down the road. Developers aren’t security experts, and most security experts aren’t developers. There needs to be a better mutual understanding — and earlier cooperation — between the two parties to better eradicate security issues.

Focus on software quality early and often

Usually, Quality Assurance (QA) is an “after process,” or something that happens late in the development cycle. A project that spans 180 days or more may get a 20-day cycle to perform QA testing–and security might get just three of those days.

This creates several problems, since QA and security are then testing a completely configured application that meets the functional specifications of whatever business unit ordered the application. This can pose a serious issue, since it’s the developers that need to fix the problems.

And herein lies the rub: by the time these problems are flagged, the developers have probably closed the project, been paid for meeting the deadlines and specifications of the application and moved on to another project. Re-architecting completed applications to meet new security concerns is likely not at the top of their list.

Engage devs with security issues sooner

So what exactly does “developer-first” security mean?

Developer-first security means ensuring that the people that know the most about the application, with the most amount of time and the most incentive to get the application right, actually get the application right!

They can’t be expected to think about all these things at the end of the development cycle, once they’ve moved on to another project. Their processes are all incremental and cumulative (not really an oxymoron!) — and testing has to be, as well.

Most folks have heard that developers resist security–that they don’t have the time, knowledge or understanding to do all of the requisite legwork, and create a great application at the same time. If you were developing a product and forced to tear it apart at the same time, you would likely feel the same way.

Seems logical, right?

Well, there’s more than meets the eye here. How can you expect developers to be testing or security experts, when the testing experts aren’t development experts?

It seems that most of the security companies out there have had “Year of the Developer” or Cross Site Scripting (XSS) eradication campaigns. Guess what? We’re reaching fewer developers and there are more flaws out there. Some of these flaws have been around for 15 or more years. Yet these campaigns continue to fail because organizations aren’t engaging development in an understandable manner.

Learn and speak the language

This isn’t to suggest quid pro quo here. Instead, testing experts should make a greater effort to understand how an application is developed. Give the developers requirements in a manner that they understand, using processes and technology purpose-built for development to test the quality and security of the application—and the underlying software code.

Don’t add something to a project once they’re done, and don’t expect them to be something they’re not. Test the code they write as they write it, and give them the defects in a manner they’re familiar with, either on a daily basis or as they complete their assignments (e.g. code check-in). And give them specific guidance on how to fix the issue in language they understand and in the context of their code.

That’s why more organizations need to switch over to testing that starts with developers—aka, “developer first” testing. They know more about the application than anybody else in a given organization, and can fix it in real time.

Adopt emerging best practices for dev-first security

While many organizations don’t typically think of application security as a functional business requirement, there are a number of growing companies that do.

What separates these organizations from others? They understand development. They can spare a smart developer to coach the team on QA or security. (Think embedded Security Evangelists!) And they employ a number of creative tactics to promote a developer-first approach to security, including training programs and internal incentives, from specialized titles (who doesn’t want to be a “Security Guru”?!) to contests that promote cooperation between development, QA, and security.

Organizations that adopt some or all of these methods will create better, more secure applications.

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Safety first, y’all!

GitHub Pages, those slick landing pages the code-hosting company lets you create for your latest and greatest projects, are moving to a new top-level domain. They will now live at GitHub.io.

“Why?!” you shriek in mock horror, realizing this isn’t that big a deal but still wanting to create a stir among your friends over brunch.

The short answer is “security.”

The long answer, from the GitHub blog, is, “This is a security measure aimed at removing potential vectors for cross domain attacks targeting the main github.com session as well as vectors for phishing attacks relying on the presence of the ‘github.com’ domain to build a false sense of trust in malicious websites. … From this point on, any website hosted under the github.com domain may be assumed to be an official GitHub product or service.”

If your GitHub Page has a custom URL, you can go back to your brunch; you have nothing to worry about and no steps to take to ensure the survival of your Page to the seventh generation.

If you do not have a custom URL, you still don’t really have anything to worry about, as GitHub will be taking care of automatic redirects from YourApp.GitHub.com to YourApp.GitHub.io for the foreseeable future.

Also not changed: The Pages IP address.

You may not resume your regularly scheduled brunching. Or whatever it is you’re doing right now. (For us, it’s Cinnabon-flavored coffee in a toasty warm bed with a small but lovable dog. Getting out of bed on the weekend is for suckers.)

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

That’s impressive growth, and it’s along the lines of other top software-as-a-service players who are household names in Silicon Valley and beyond.

“We’re kinda matching Zendesk and Evernote in user growth curve,” HootSuite CEO Holmes told me this morning. “Our progressive cycle to each additional million is getting shorter and shorter, which is a good thing.”

The Vancouver-based company, which counts 79 of the Fortune 100 as its clients, also continues to excel at enterprise sales. Sales to enterprises under $10 billion in value grew 272 percent in the first quarter of 2013, HootSuite said, and sales to enterprises over $10 billion grew 900 percent.

See HootSuite’s swanky new offices

The company also added a major client just in the past few days which I cannot disclose, but is a massive consumer-focused company with almost 17,000 global locations.

While a strong focus on sales and marketing has helped the company grow quickly in enterprise — which former Yammer exec Dee Anna McPherson will help accelerate — Holmes says that viral, social, and content marketing have actually been more important.

Source: HootSuite

HootSuite’s new offices in Vancouver, Canada.

“We’ve seen a very nice progression of users from our free to premium product,” he said. “Often organizations of 100+ people are on board, all at the free level, and then when they become a paying client we’ll help tie all their accounts together.”

The big new features coming in the next month are in security and analytics, Holmes told me, as HootSuite puts more technology in place to prevent hacking or phishing attacks. One of the most problematic security issues, of course, is via internal users who go rogue. To limit this risk, HootSuite is enhancing its account provisioning and LDAP support so that internal users’ social media account access can be easily and safely managed.

“If you give them direct account access … you’re giving them the keys to the kingdom,” Holmes said. “Then you’re relying on social networks to turn them off, and that can take days. We’ve seen that with McDonalds and Burger King recently.”

Source: http://www.flickr.com/photos/bluegenieart/7045869337/

The HootSuite bus at SXSW

In terms of analytics, HootSuite is capitalizing on the fact that its members send out over three million social media messages each day to help brands become more viral.

New tools in HootSuite will help brand managers know not only how they’re doing on one network versus another — which content is successful on Twitter, Facebook, or elsewhere — but also which of their social media managers is more effective at engaging social media users. And then, of course, sharing those lessons so all can benefit.

All of that growth requires more head count, which ballooning 250 percent last year — partially due to acquisitions such as Seesmic — and will grow another 60 to 80 percent this year, Holmes said. Which, of course, necessitated new offices, that HootSuite built in a former police station in east Vancouver.

It’s also something that reminds me of Holme’s comments a year ago about not selling out too early. He felt at the time that HootSuite could become a billion-dollar company.

Those feelings haven’t changed — if anything, they’ve increased:

“We’re getting closer all the time,” Holmes said. “I’m not interesting in selling out … we have a huge opportunity looking ahead, and the billion-dollar number is just a stick in the sand. Hopefully we’ll run right through that and keep going!”

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

Anonymous, the unorganized hacker organization that has attacked everyone from North Korea to SendGrid to you name it, decided it needed better news capability than Your Anon News, which currently depends on Tumblr and Twitter, can provide. So Your Anon News decided to crowdfund a new Anonymous news agency via Indiegogo … which was then promptly DDOS’d by — presumably — Anonymous.

Of course, when I’m saying “it decided,” that’s not strictly accurate. Your Anon News says it supports Anonymous, but is not officially speaking part of Anonymous. Realistically, however, no one is officially a part of Anonymous, and the edges of the unorganized organization are so frayed as to make it impossible to determine who or what actually is part or not part of it.

In any case, some in Anonymous decided the Indiegogo campaign was not kosher and promptly went nuclear, kicking off a Distributed Denial of Service attack on all of Indiegogo to disrupt it.

UPDATE: Yesterday’s DDoS attack was on the Your Anon News campaign (ow.ly/jLaxS). We don’t yet know who the attackers were.

— Indiegogo (@Indiegogo) April 4, 2013

Indiegogo has fought through the attack, and the campaign, far from being disrupted, has been very successful. With 12 days left in its campaign, Your Anon News has raised $9,857, almost five times its original $2,000 goal. Apparently, the crowd is beating the bullies.

One funny note: As TechCrunch’s John Biggs notes, the Your Anon News contribution perks are lame in the extreme — buttons, mugs, and T-shirts. In other words, just the same as every other campaign’s.

Why not be a little creative?

For $1,000, we’ll hack the Department of Justice. For $5,000, the FBI. And for a platinum-level contribution of $10,000, we’ll hack the CIA and finally reveal the truth about Area 51.

Now that would be something more interesting.

Here’s Your Anon News contribution-seeking video, which sounds like it was narrated by a Mac’s text-to-speech:

Paranoid U.S. lawmakers want to keep Huawei out of the U.S. — and their efforts are working out pretty well so far.

According to Huawei marketing VP Bob Cai, the company doesnt expect any growth to come out the U.S. this year because it’s been effectively shut out of the country.

Much of the current predicament ties into a congressional report that argued that Chinese companies like Huawei and ZTE pose significant threats to U.S. national security. These companies “cannot be trusted to be free of foreign state influence,” the report said. (Huawei, of course, denied those allegations.)

While Congress has no proof that Huawei or ZTE are dangerous, it’s easy to see where U.S. lawmakers are coming from: With countless security breaches bring traced to China as of late, companies are understandably hesitant to use Chinese products to handle sensitive information. Huawei may be innocent, but it’s guilty by association.

European countries, however, don’t have the same concerns. According to Cai, Huawei’s wireless networking unit could grow as much as 10 percent this year due to expansion in Europe and elsewhere. (Huawei generates as much as 70 percent of its revenue abroad, in particular, in Western Europe.)

Of course, no growth in Europe will help Huawei gain a real foothold in the U.S., at least while lawmakers are shooting down any deal that involves a Chinese company.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Cesare Garlati is the co-chair of the Mobile Working Group at Cloud Security Alliance.

Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences. This post covers the things you always wanted to know about BYOD but were too afraid to ask.

Good News: Your company offers a BYOD program

You can finally stop carrying that boring corporate phone and use your own shiny new iPhone for work. Even better, you can now check your corporate email from home while streaming YouTube videos on your Galaxy tablet. Your company picks up part of the bill and even provides enterprise-grade help desk support to help you with your gadgets. It looks like an offer you can’t refuse.

Bad News:  You joined your company’s BYOD program

One morning you wake up, reach for your iPad to check the email but it doesn’t turn on. Your iPad is dead. Totally bricked. After a quick family investigation you realize that the little one tried to guess your password to play Angry Birds before you would wake up. Too bad the security policy enforced by the corporate email account triggered your iPad self-destruction to prevent sensitive corporate data from unauthorized access.

Angrier than those famous birds? Wait until you realize that the device itself can be brought back to life and your corporate data restored. But that your pictures, videos and songs are gone. Forever. (Note: the case above is based on a true story, my son’s name is Luca.)

Don’t read on if you’re already scared. This is not the worst it can happen to your data, to your privacy and to your device. Many employees who use their personal devices for work are shocked to find out that their smartphones, tablets, and laptops may be subject to discovery request in the context of a litigation involving their company. Employees may be asked to surrender their personal devices — in which they have browser history, personal information and documents they created — as they may be subject to review by 3rd parties in connection with litigation.

The BYOD fine print

If you were too impatient to read all through the Acceptable Use Policy that you signed when you joined your company’s BYOD program, or if you simply were not too eager to know what you were really getting into, this may be a good time to go back to that document or to contact your IT or HR department to ask for clarification.

Here are the things you should know about your company’s BYOD program and that you shouldn’t be afraid to ask.

Personal Data Loss

When your personal smartphone, laptop or tablet is used for work related activities, such as access to corporate email, calendar or corporate directory, there is a good chance that your company relies on built-in features and additional software tools to secure and manage the data in your device.

As a first line of defense, many organizations enforce ActiveSync policies, pre-installed in most consumer mobile devices, to enforce password protection and remote wipe and lock. More sophisticated IT departments may request the installation of additional Mobile Device Management software agents to extend corporate IT reach into any application and functionality of your device. While security and manageability are legitimate concerns for the company, most BYOD programs rely on IT tools that don’t make a clear separation between personal and corporate data and applications. As a result, in case of unauthorized access – real or presumed – the whole content of the device is more or less automatically deleted and the device itself made unusable.

What you should ask if you are not too afraid of the answer: Is the data in my device susceptible to automatic or remote deletion? What events trigger the automatic deletion? Is remote deletion part of the standard employee termination process?  Is my approval sought or required for the remote deletion? Is my personal data retained in case of automatic or remote wipe?  Does the company provide a mean to recover the personal data deleted? Am I entitled to any reimbursement for the loss of personal content such as songs, videos or applications?

Privacy

From a legal standpoint, the fact that you own the device is irrelevant in case of a litigation. To discover and preserve evidence, the court may require forensic review of all devices in connection with the litigation. Employees participating in the BYOD program may be asked to produce their personal devices for 3^rd party examination.

You will have to make any personal information stored in your devices accessible. This includes the history of the websites visited, songs and movies downloaded and played, copy of financial transactions or statements, the list of your personal contacts and your electronic communications with them including personal emails, personal phone call, text messages and various social media activities including Facebook, Twitter and VoIP services such as Skype and similar. This extends to the personal information of any other family member or third party who may share the use of that device.

Personal data stored in the device is not the only privacy concern. Your location and your online activity may be exposed to your employer too. A main feature of Mobile Device Management software is the ability to track in real time the location of the device. The feature is intended to help determine whether a device is lost rather than stolen before initiating a remote lock or remote wipe.  It can also be used to selectively disable camera and microphone when the device enters restricted company areas to prevent sensitive data loss.

Modern devices can get quite accurate at pinpointing location even when inside buildings where GPS technology is typically complemented with Wi-Fi access point detection. Although not intended for this use, your IT department may be able to track your whereabouts anywhere and anytime, deliberately or accidentally, and you may not even be aware of this. In addition, when your personal device connects on-campus to the corporate Wi-Fi network, there is a good chance that your online activity is monitored and filtered to comply with various regulation and to protect the company from any liability arising from an improper use of corporate resources.

What you should ask if you are not too afraid of the answer: May I be required to produce my personal devices for forensic analysis? Does this apply to devices shared with other family members? Who will then get access to the personal information stored in my device? Is my company able to track my location? Under what circumstances can this happen? Is my approval sought and required to track my location? Do I get notified? Are these systems active outside regular work hours? Is my personal online activity on-campus monitored and logged? Is this information retained when I leave the company?

Device seizure and loss of use

Mobile devices are small and you take them with you everywhere. No surprise they are the most likely to get lost or stolen. But when you use your gadgets for work related activities, you have a couple more reasons to worry about. Your device may become unusable as a result of a company initiated remote lock or wipe. Or you may be asked to surrender your inseparable smartphone for legal examination in conjunction with litigation. Either case you could lose the use of your device for some time and likely find yourself in need for a temporary or permanent replacement.

What you should ask if you are not too afraid of the answer: Under what circumstances may I be asked to surrender my personal device? Is the company going to provide a replacement? Who is responsible for backing up and restoring personal data and applications if the device is seized? Under what circumstances can the company initiate a remote lock of the device? Is my approval sought and required? What is the process to regain use of my device?

Former Vice President of Mobile Security at Trend Micro, Cesare Garlati currently serves as Co-Chair of the CSA Mobile Working Group – Cloud Security Alliance. Prior to Trend Micro, he held director positions within leading mobility companies such as iPass, Smith Micro Software, and WaveMarket. 

Photo: blakespot via photopin cc

Me neither.

That hasn’t stopped the BBC from claiming ”Global Internet slows after biggest attack in history,” or the UK’s Independent from saying that “Internet services across the world have been disrupted” with “millions of web users” not able to access service like Netflix.

According to the Internet Traffic Report, everything’s fairly copacetic. Response time has been pretty steady for the past 30 days, with no discernible dip in the past week, and packet loss globally has remained steady at almost zero:

Source: Internet Traffic Report

Internet traffic doesn’t seem very disrupted in the past month or week …

A quick check of InternetPulse shows that the U.S. Internet is all healthy, with sub-90-second latency in response times across the board today:

It’s not until we check Akamai’s global real-time web monitor that we see what the problem is: congestion is up in two general areas. Those would be the UK — where the BBC lives — and Germany/Netherlands, where a local fight is on between a controversial hosting provider, Cyberbunker, and a spam-fighting filter service, Spamhaus.

Essentially, it appears that Spamhaus blacklisted Cyberbunker for allegedly distributing spam, and friends of Cyberbunker then attacked Spamhaus’ servers with up to 300 gigabytes/second of data. That’s an enormous amount of data, and it constitutes the biggest-ever DDOS attack. It’s clogging the interweb’s tubes in at least a few places but not, apparently, all over the world.

Little hint to the BBC and others: Western Europe is not the world.

As a member of congress, it’s one thing to support a bad piece of tech policy because you don’t fully understand the Internet but it’s quite another when you brag about all the money you’re making on the side from that position.

That’s what happened yesterday when Rep. Mike Rogers (R-MI) tweeted about how pro-CISPA organizations donate much more money than those that don’t support the bill.

CISPA, or the Cyber Intelligence Sharing and Protection Act, seeks to give American companies more legal breathing room (protection against lawsuits) when collecting and sharing consumer/user data for the purpose of preventing massive Internet security threats. The bill failed to gain traction last year and its current version is strongly supported by President Barack Obama. As many critics have pointed out, CISPA is too vague when it comes to what pieces of personal data a company is allowed to share with the government, and doesn’t specify sufficient boundaries for protecting privacy rights.

Rogers initially tweeted a link to an article (screenshot shown above) that outlined the collective contributions that pro-CISPA organizations donated to House members. The pro-CISPA groups, such as AT&T, IBM, U.S. Chamber of Commerce, and Comcast, gave upwards of $55 million to congressional members, where anti-CISPA groups have only given about $4 million, according to political finance activist group MapLight. Basically, this is the kind of information that should send up all sorts of red flags — since many of these companies that support CISPA stand to benefit financially in one way or another if it passes.

The tweet in question has since been deleted by Rogers. And since then the congressman (or one of his aides) has tweeted statements that attempt to further explain what CISPA does and doesn’t do. But without any evidence attached to those statements, it’s pretty much a matter of how you interpret the language written in the bill.

CISPA is currently being held up for review in a house committee, and is expected to head to the floor for a vote in the near future.

Via BoingBoing

RoboteX, a California company building robots for “first responders,” has filled $2.06 million of a desired $5 million round of funding, according to a filing with the SEC.

Peter Thiel, along with RoboteX founder Nathan Gettings and chief executive Alexander Karp were listed in the filing. Though these three are named, the filing cites four investor who are unidentified.

RoboteX was founded in 2007 and creates robots without the use of government funding. Its line of “Avatar” robots are meant to help with security, sometimes in situations that could be dangerous for humans. The website lists examples such as serving papers to a dangerous individual, entering hostage situation, patrolling, investigating suspicious packages, and more.

The company also has a line of robots for the home and office that offer its own form of roving security system. You attack an iOS device to the robot, which you can then remotely control to survey the house on your behalf.

The robots also come with a line of accessories, such as a command center, carrying case, manipulator arm, and stabilizers for rough terrain. With the manipulator arm, the Avatar II almost looks like a tiny NASA Curiosity rover.

The company brought in $3.6 million in 2010, and another $2.6 shortly before that.

Avatar image via RoboteX

Rachel Greenberg writes about residential and business VoIP solutions and technology for VoIPReview.org.

In mid-January, VoIP service provider VoIP-Pal successfully tested their new Lawful Intercept Technology. Labeled “LI” for short, VoIP-Pal’s intercept technology allows law enforcement agencies to tap into VoIP calls without either the calling or called party knowing. As VoIP gains more and more customers each year, it has become increasingly necessary for law enforcement officials to have access to the same kinds of security protocols with VoIP as they do with analog service.

After the successful test, VoIP-Pal received a patent from the US Patent Office for their LI Technology. Soon, the company will make their technology available to VoIP service providers, who will face growing insistence from the government to support LI access.

VoIP-Pal CEO Dennis Chang says “it is only a matter of time when it will become mandatory for all VoIP service providers.” However, now that law enforcement agencies have a new way to wiretap VoIP calls just like analog calls, the discussion continues over wiretapping regulations.

Why is VoIP wiretapping important?

Unlike traditional phone service, VoIP is much harder to wiretap because it isn’t directly tied to a physical location. Additionally, the voice data contained within a VoIP call can be encrypted in such a way that it is hard for law enforcement agencies to decipher a call.

VoIP also allows users to be mobile, giving them access to their VoIP service from anywhere in the world. As a result, law enforcement agencies struggle with adequately wiretapping VoIP calls. However, police groups need to be able to wiretap VoIP calls just as they need to wiretap any other call: when there is reasonable evidence of suspicious or unlawful activity, wiretapping can provide invaluable evidence.

How has wiretapping changed?

Wiretapping with traditional phone service dates back to the late 1800s, and the earliest days of the telephone. During the Prohibition Era, law enforcement organizations used wiretapping evidence to convict known bootleggers by recording their phone conversations. Wiretapping became a useful tool against organized crime, as long as it was used within the confines of the law (that is, there was sufficient evidence to necessitate the privacy violation associated with wiretapping).

At times, wiretapping was abused by law enforcement, though, and so laws have been put in place to ensure only legal wiretapping, sometimes called lawful interception, takes place. These laws require law enforcement agencies find just cause before presenting their lawful interception request to a judge. The judge will then issue a court order for lawful interception. Then, and only then, is law enforcement authorized for wiretapping.

Currently, police have to go through this same process before wiretapping a VoIP call, but it could be technologically difficult to tap into the conversation. With VoIP-Pal’s patent, system barriers should no longer prevent police from successfully tapping VoIP calls.

What Does This Mean for VoIP?

With LI services ready to launch, it could soon become equally easy to wiretap a VoIP call as any analog call. However, residential and business VoIP customers should expect no changes in their regular VoIP service. This technology will just prevent criminals from using VoIP services to circumvent the risk of wiretapping.

That said, wiretapping is still in a grey area for law enforcement agencies. Since VoIP sends voice data over the Internet, it’s harder to classify as a traditional phone service, which means laws will need to reflect the technological differences in the system. Although there are strict rules involving wiretapping traditional phone service, regulations surrounding newer communication services (i.e. text messages and emails) are a little less clear.

Many law enforcement agencies can access email and text correspondence without jumping through as many hoops as they do with wiretapping phones. Will VoIP fall under the same jurisdiction as text messages and emails, or will it be treated like traditional phone service? That’s a question the government will need to answer in the next year or so.

Eavesdropping photo via Everett Collection/Shutterstock

Rachel Greenberg writes about residential and business VoIP solutions and technology for VoIPReview.org.

From personal experience I know bugfixing can be like putting up wallpaper: smooth down one air bubble, only to watch it pop up again in another place. Which apparently is exactly what Apple is doing recently with its iPhone operating system, iOS.

Exactly one day after Apple released iOS 6.1.3 to squash two lock screen bugs, another one has emerged:

This new flaw only affects iPhone 4, apparently, so it is less severe. However, it does allow access to your address book and stored photos, without having to punch in your security code. For many, that might not be horrible, but it certainly is private information … even if you don’t have any personal photos from a special someone on your device.

This has got to be getting a little old for Apple, and I can only imagine how Steve Jobs would react to yet another lock screen bug appearing just hours after Apple’s latest bugfix. Even though this might be a fairly minor security hole that requires physical access to the device, Apple’s reputation for quality is at stake.

And, it’s no small thing to update hundreds of millions of mobile devices, each requiring user intervention for system updates.

photo credit: Travis S. via photopin cc

Hat tip: Cult of Mac

BREAKING: Weev sentenced to 41 months followed by three years of supervised release.

— Tim Pool (@Timcast) March 18, 2013

Just moments before sentencing, Auernheimer (also known as Weev), was cuffed by court officers in a struggle over his tablet and phone. Auernheimer, who was not permitted to use computers with keyboards, was asked to surrender his devices, but tried to hand them to his lawyer.

“It looks like Andew got slammed into a desk by federal agents while trying to hand his phone to his lawyer after the court asked for his phone,” his publicist told me via email.

Auernheimer is, by all accounts, a controversial figure, which became abundantly clear in a Reddit AMA (ask me anything) conducted yesterday.

He’s a founder of GNAA (Gay N*iggers Association of America), a group that probably has no actual gay or black members and seems, much as many other online trolling groups, to be devoted to causing as much online damage and destruction as possible. He’s also a member of Goatse Security, a grey-hat organization that focuses on finding and exploiting computer and website vulnerabilities. And he has done things online that most of us would consider morally reprehensible and ugly, if not precisely illegal, such as taking a leading role in the massive online harassment that caused usability expert Kathy Sierra to abandon the Internet.

But the specific charges that he was convicted of and has now been sentenced for seem tame by comparison. Essentially, he queried a public server with exactly the same kind of request your browser sent to the servers that run this website, aggregated the results, and sent them to a news agency, Gawker.

Auernheimer got a harder sentence than the #Steubenville rapists. One journalist equated the prosecution of hackers to the Red Scare.

— Tim Pool (@Timcast) March 18, 2013

The charges were based on the same law that federal prosecutors used against Matthew Keys, Aaron Swartz, and Stephen Watt: the Computer Fraud and Abuse Act, which opponents have decried as vague and Swartz’s lawyers have said was misused by federal prosecutors to overly-aggressively pursue Swartz, who ended up committing suicide.

Auernheimer knows he is not exactly a lovable figure.

“I’m a nutjob from Arkansas,” he told me yesterday. “That’s any sane person’s perspective.”

But the question today is whether his exact actions in the AT&T case were illegal. And if they were, how many other actions of ordinary Americans are now being criminalized?

Auernheimer told me yesterday that he already plans to appeal the sentence, and the EFF is helping with the appeal.

photo credit: Funky64 (www.lucarossato.com) via photopin cc

Tomorrow, he’s likely going to jail.

“It’s a fucking ludicrous charge,” Auernheimer told me this morning from New Jersey. “The FBI has tried to frame me for terrorism five times, and by their own admission they’ve been surveilling me since I was 15 years old.”

Update: Auernheimer was sentenced to 3 years in jail and $73,000 in fines

But tomorrow he expects to go to jail. In preparation, he and supporters have rented a 10,000 square foot hall where they’ll party the night away in perhaps his last taste of freedom for 10 years.

If he does go to jail, it’ll be the latest chapter in a long list of federal prosecutions of computer “crimes” by hackers who are forcing mainstream society to reconsider what freedom of speech means online, what is an appropriate response to a corporation’s poor security, and what kinds of access constitute crimes. That list includes Aaron Swartz, who committed suicide after what many have said was DOJ misconduct.

The story starts with a boneheaded AT&T decision.

During the summer of 2010, Auernheimer and co-defendant Danile Spitler discovered that by querying AT&T’s iPad servers with a string of numbers that matched subscribers’ SIM card identifiers, AT&T’s servers would send back the unencrypted, unprotected email address of the AT&T customer, the iPad owner. AT&T had a massive security design flaw, which, as it admitted in Auernheimer’s one-week trial, was intentional: for subscriber convenience. After running the script to capture 114,000 email addresses of AT&T iPad subscribers, Auernheimer sent a list of the email addresses to Gawker to highlight the security hole. Gawker then printed them in redacted form.

“If you buy an Apple product, you have a right to know that Apple partners could compromise your privacy,” Auernheimer told me, explaining why he sent the email addresses. “And that they take six months to patch security issues.”

So there’s obviously a security issue. And there’s obviously a privacy issue. But where’s the crime?

“We sent Get requests to a public API,” Auernheimer says. “They charged me with unauthorized access to a computerized device … and identity theft, which is a possession charge … if you walk down a street and write down physical addresses, you’re stealing identifiers, and you’re an identify thief.”

If sending Get requests is a crime, we are all criminals.

You could be charged with unauthorized access to a computerized device, for instance, simply because you clicked on the link that brought you to this article. Oh, and Google, one of the most successful corporations in the world, is the root of all evil. A Get request is simply a note from a browser computer code asking for a resource. You issue thousands of them every day all by yourself. Google issues billions.

Whether the receiving server responds to that request in any way, shape, or form is entirely at the discretion of the developers and system administrators who control that server.

The CFAA does not define the phrase “unauthorized access,” so according to Auernheimer, the government essentially told the jury that his access to the server was unauthorized because they said it was. Which, if true, means that whether you commit a legal act or an illegal act is at the discretion of anyone who runs a webserver, who can change their mind at any time without you knowing.

Good luck following the straight and narrow.

After a one-week trial, a jury found Auernheimer guilty on November 20 after just a few hours of debate. Auernheimer told me that his friend overheard “vicious arguing and screaming” in the jury room, so there was some serious debate, but there was a potential reason to be fast, and maybe even hasty.

“The trial was right before Thanksgiving … I think people wanted to get the hell out of there and get to Thanksgiving,” Auernheimer said.

Tonight he’s awaiting sentencing, which could be up to 10 years in jail and up to $500,000 in fines. And he’s not too hopeful that the judge will go easy on him.

“I’m probably going to prison, and they may take me into custody immediately,” Auernheimer told me. “But I have an excellent chance on appeal … any sane examination of the CFAA at this point is going to realize that it criminalizes all web access.”

The Electronic Frontier Foundation has already agreed to help him with that appeal.

In fact, Scout Alarm crowdsourced that cash all on its own.

The Scout Alarm is a $120 “next generation” alarm system that is designed for renters as well as home owners. It’s clean, simple, doesn’t require wires or a landline, and it comes with you to your new home when you move. In other words, a Scout representative told me, it’s the perfect system for urban dwellers who may not be living in the same home for decades on end.

Scout says that Kickstarter wouldn’t allow it on its service as its product was not far enough along in preproduction yet, so the company followed in the footsteps of Lockitron, which crowdfunded its keyless lock solution, then open-sourced the needed software. A month later, the company has 596 backers who have pledged $159,180 for the new alarm systems, which start shipping in August.

“Scout has been the most successful project of its kind that we can find,” a company representative told me via email. “Even if you look at the top 15 projects of 2012 from Indiegogo, Scout would be in the top 10 … we believe we are the most successful independent crowdfunding campaign to date, excluding Lockitron, which was on their second product.”

The company put together two blog posts highlighting how to make a private crowdfunding campaign work. Here’s the short version:

1. You’ll need to do some programming. Even though Lockitron open-sourced its crowdfunding code, it may not be perfectly suited for you.
2. Press helps
3. This may be a well-duh one, but if you can get the attention of people that have others’ attention, it helps.
4. PR people help, too. Let me just put it this way: There’s a reason you’re seeing this article, and it’s not because I woke up this morning thinking I was going to write about Scout Alarm.
5. Sweat the small stuff. Distributors? Shipping rates? Know them.
6. Remind me later. Some people can’t buy right away. Some don’t want to. Give them a way to get you to remind them later.
7. Live chat on your site. Talk to people who hit your site — they’ll have questions.
8. Talk to backers early and often. Keep them informed, excited, and sharing.
9. Have a second angle on press. Initial press doesn’t last. Have a new angle for week two, three, and so on.
10. Retargeting from day one. Set up AdRoll or another retargeting solution on your site so that you can market to people who visit but don’t buy. “It’s cheap,” Scout Alarm says on its blog. “We’ve spent $340 to get 43,000 impressions and 81 clicks in two weeks.”
11. Video, demos, pictures. People don’t like to read; they like to see.
12. Ask for help. Other startups and entrepreneurs like to help startups and entrepreneurs.
13. Help backers go viral. Give them simple ways to share news and updates.
14. Hire a virtual assistant. Keeping up with the flow of information is hard.
15. Ask for the sale. Don’t be shy!
16. Track referrals and conversions from day one. Know what’s working … and what’s not.

The results?

In the first three weeks, Scout Alarm received 48,500 visitors, including 36,500 unique visits, from people who pre-ordered $140,000 worth of home security equipment. Now the campaign is near $160,000.

Scout’s campaign is continuing for another five days, and it’s looking for about $20,000 more in preorders.

Oracle has issued an emergency patch for its Java software after a string of high-profile hacking incidents at companies including Apple, Facebook, Twitter, and Microsoft.

Java has become a persistent thorn in the side of major companies. A small number of Apple employees had their computers hacked via a Java exploit in February. Facebook disabled Java after several of its employees were hacked as well.

The U.S. Department of Homeland Security even recently recommended to stop using Java because of its persistent security problems.

Oracle’s new emergency patch specifically addresses issues affecting Java running in web browsers. The company writes in its latest security alert:

This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

Sewing patch on jeans via cosma/Shutterstock

This guest post is by Piyush Bhatnagar

[Our post on a startup called Outbox launching its new system of mail delivery in San Francisco received a good deal of interest from readers. This is one reader's response.]

Innovation is the engine of America’s economic growth. Entrepreneurs are coming up with radical new ideas every day, and new startups create new products, services, and business models. Some of these ideas will change the way do things today. So let’s take a look at one such company that is attempting to change the way we think about the mail.

Outbox launched in San Francisco on Feb 26th, 2013. The company was founded in 2011 in Austin with a goal to provide an alternative to the old system of mail delivery. Outbox’s team of “Unpostmen” will collect your mail three times a week, bring it to a warehouse, digitize it and provide you access to it through web or mobile devices. They will also discard your junk mail, which in my opinion is a huge service in its own right.

Outbox will do all this for a small sum of $5 a month, so you will never have to visit your postal mailbox again. They will also deliver you a package, in a fancy Prius, if you request your original mail from an iPad or smartphone within 30 days on its receipt. After 60 days, your physical mail will be discarded and shredded so you wont have to worry about old mail sitting in some warehouse. Outbox uses strong 512-bit encryption, and prevents digitized mail from falling into the hands of someone other than the intended recipient.

The company has already raised $2.2 million from Floodgate Fund and angel investors, including Peter Thiel. However, there are others in this space who are working on making your physical mailbox obsolete.

I can appreciate the process of innovation and respect anyone who tries to create something new. But Outbox does raise a number of questions as well.

Privacy issues

Despite their innovative take on “old style” mail, one word sums up the problems with Outbox’s approach, and that’s privacy.

Outbox employees will open every mail or package that I receive, and digitize it. According to Outbox’s FAQ, their operations specialists use their custom built machines to open, lay out, and photograph your physical mail. These files are then optimized and processed digitally, and then delivered to your digital account. They also state that all “Unpostmen” –and anyone at Outbox who interfaces with your mail — go through a stronger background check than U.S. Postal Service workers go through, giving the the best trained and highest rated workforce.

Typical mail may include checks, personal information, private communication, legal documents, and many such things. In traditional system, even though USPS/FEDEX/UPS staff handles your mail, it is sealed by the sender and opened only by you.

Identity theft and mail fraud

In Outbox’s model, someone other than the recipient opens every piece of mail. Outbox states that they have strict policy and technical controls in place, including prohibiting employee’s access to critical documents (except in rare cases.) In addition, Outbox states that it is insured up to $1 million against identity theft.

Despite Outbox’s assurances that it is making sure you and your accounts are safe, there is a distinct possibility of identity theft. Just the fact that the mail needs to be opened physically and maintained in a warehouse for up to 60 days provides a window of opportunity to identity thieves and fraudsters. There are liability issues related to someone else opening mail and a problem of accountability. Who is responsible for a lost mail or documents? That is still not clear.

How will Outbox make money?

Outbox is offering the service for $4.99 per month, with no additional fees for delivery or mail volume. Since they will deliver mail through an app or web, there is potential to add digital ads as a new revenue stream. The costs of running this business are surely prohibitive otherwise.

The costs for sorting and digitizing equipment, the warehouse for storage, hiring “unpostmen” as well as other warehouse staff, the vehicles for mail pickup and delivery will quickly add up. It is quite likely that Outbox will be replacing junk snail-mail with its own digitized avatar.

Is this a problem worth solving?

As a fellow entrepreneur, I highly respect the out-of-the-box thinking of the Outbox team and admire their tenacity in coming up with an innovative alternative to the “old style” mail.

The main question that comes to mind is whether this is a problem that needs a solution. Most service providers, banks, electric companies, phone companies, and so on, allow consumers to choose electronic billing. Electronic payments are commonly used alternatives to sending checks by snail-mail. These practices avoids the snail mail altogether and also ensure that only the senders and recipients get to see the contents and no one else.

If you determine that you need an alternative to USPS, is Outbox worth the risk? I am not comfortable with anyone else opening my mail. Are you?

Piyush Bhatnagar is the Founder and CEO of Authomate Inc., an early-stage security startup. He a seasoned technology executive, entrepreneur and consultant with over 20 years of experience in technology development and management at companies like AT&T and Bank of America. 

Mailbox image via Joe Belanger, Shutterstock 

Evernote has this morning announced a rash of suspicious activity and is instituting a service-wide password reset.

In a post this morning on the company blog, team members called the activity “a coordinated attempt to access secure areas of the Evernote service.”

Evernote’s security team says it has found no evidence that user data, including stored content, was accessed. The company also confirmed that payment information for Evernote’s premium services was not compromised.

What the hackers were really after was usernames, email addresses, and passwords. Evernote says the information sought had been encrypted (hashed and salted). Even so, the service is asking its users to change their passwords.

To change yours, go directly to the Evernote site; don’t click on any links in any emails you may receive.

Also, your friendly neighborhood nerds at VentureBeat would encourage you to change your passwords for any accounts that shared the same login information as your Evernote account. Using duplicative login credentials across multiple sites is a big personal Internet security no-no, but we know enough of you do it.

These kinds of hacks are becoming more and more common. To thwart hackers and prevent online or financial identity theft, all us Internet folk should generally not be idiots about passwords, the first line of defense in online security. Get creative with your passwords, or better yet, use password management software such as 1Password.

A stealthy startup called Armor5 wants to alleviate fears about employees and remote workers bringing their own devices to work.

The Santa Clara, Calif., based Armor5 has a new way for mobile workers to access their company’s applications without sensitive data hitting their handset. The beta version is available for free as of today with a self-service sign up.

Chief executive Suresh Balasubramanian, a former general manager of antipiracy at Adobe, believes that BYOD (employees bringing their own devices to work) is a big problem for IT departments; they have “no choice but to deal with the issue,” he said. But it also raises “significant security, compliance and cost problems.”

You’ve been living under a rock if you’re not concerned about the security risks of BYOD. The topic was the center of discussions at the RSA Security conference, particularly given that the sophistication of attacks on corporate firewalls are increasing.

Balasubramanian told VentureBeat that competitors — including mobile device management and desktop virtualization (VDI) vendors — don’t address IT’s growing needs. MDM software used by an IT department to manage employee’s mobile devices is hard to administer, he explained, and VDI can’t deliver on all app functions.

A lot of companies have attempted to solve this problem by locking down certain apps or enabling IT to access specific parts of a personal device.

But Amor5′s approach is a bit different: The technology connects to a company network via an existing VPN, virtualizes Intranet data and cloud apps, and generates a URL for mobile workers to access content safely from a personal or company-issued device. The entire process takes just a few minutes.

Balasubramanian was brought on as CEO after the company incorporated in 2011. Its founders are former engineers from Microsoft, Adobe, and Motorola.

“CIOs are understandably concerned with data security given the rise of smartphones, tablets, and other mobile devices inside their organizations,” said Fred Wang, the general partner at Trinity Ventures, the firm that led the seed round.  ”Its [Armor5's] singular focus on the intersection of data security and BYOD, and its unique approach to solving the problem, is the reason we are investing.”

The startup has emerged from stealth mode today with $2 million in funding from Trinity Ventures, Citrix, and Nexus Venture Partners.