zoiaorg

Tech, Strategy, and other interesting things by Roberto Zoiaby Roberto Zoia

How to Prevent Hackers from Accessing Your Mail and Other Online Services

by Leave a Comment

Online security is more relevant than ever. News from hackers breaching massive number of user accounts from an online service no longer surprises anyone.

Two important things that you should do today to improve the security of your online accounts are setting up two-factor authentication and using a password manager.

Two-factor Authentication

Two-factor authentication means that each time you log into an online service, before you can get access to your account, you’ll be asked to enter an additional code after you enter your password. This code is generated by an app on your phone1, or sent to you by SMS, and changes every 30 seconds. With two-factor authentication enabled, even if your password is compromised, a hacker cannot log in into your account.

Ideally, security is based on three things: something you know, something you have, and something you are. Almost everybody uses usernames and passwords. That’s something you know. But as security experts point out, “passwords have outlived their usefulness as a serious security device”. Adding something you have to the login process, like an additional code generated by an app in your phone, greatly enhances security.

If you are required to use your fingerprint to unlock your phone, then you’ve introduced a third factor: something you are. This is probably the best scenario you can get without resorting to professional-level security.

Authy

There are several authenticator apps on the market, perhaps the most well-known are Google Authenticator and Authy. Microsoft also offers an app. My personal favorite is Authy, because it syncs across devices so you can generate tokens from your phone or laptop. (Authy’s webpage offers a handful of guides on how to activate two-factor authentication on popular services. Check, for example, their guide for Gmail.)

What if your mail service provider doesn’t offer two-factor authentication? Don’t hesitate, change to a provider that does.

Use a Password Manager

The second most important thing is to use a password manager. Writing down your passwords on a stick-it note or in your iPhone’s Notes app is not only inefficient but insecure.

Companies that require their employees to change their passwords every 30 days, and don’t provide them with a password manager, are simply encouraging their employees to use weak, easy to guess passwords, or to write them down in a note they stick to their laptops.

With a password manager, you only need to remember one password: the one for the password manager itself. The app takes care of storing the usernames and passwords for every online service you use. Thanks to browser extensions, they recognize which webpage you are visiting and fill in the proper credentials. It also keeps you passwords synchronized between devices. (And yes, you can enable two-factor authentication for the password manager itself.)

Passwords and hashes

To understand why password length and complexity is important, we need to dive into how online services store passwords, and what hackers do when they steal user’s credentials from a server.

When an online service asks you to enter a password to create your account, the password is not stored as-is in the company’s servers. Instead, the server generates a hash code for the password. This hash code, and not the actual password, is stored along with your username and other data on the server2.

A hash is a mathematical function that takes a string of data as an argument, and produces a fixed-size series of numbers, which is call a hash code. Different passwords will produce different hash codes, and it is nearly impossible to deduce the original password from the hash code.

To verify your identity, the online service asks for your password, generates a hash code for the characters you typed in, and compares it to the hash code it generated when you created your account (or last changed your password). If both hash codes are equal, it means that the password you just typed and the password registered on the server are the same. You are granted access to your account.

Now and then, hackers break into an online service’s servers and steal data: email addresses, and password hashes, among other data. These stolen databases are sold in the black market for money3.

As computer processing power becomes cheaper, it is possible to try a brute-force attack against a stolen database and succesfully recover part of the original passwords from the hash codes. Brute-force means that the hacker will use a program to generate, systematically, passwords with every combination of characters, and compare their hash codes with the hash codes in the stolen database4. For every match, the attacker now knows he or she’s got the password for a given account.

To protect you from this kind of attack, password managers allow you to generate long and random passwords for each new service you sign in. If you are inventing passwords by yourself, then your passwords are probably not long or complex enough. A long enough password ensures that a hacker won’t be able to crack it for several years from today.

This comic by xkcd’s Randall Munroe illustrates the point.

If the hacker get’s to know your username and password, chances are he or she will try to use them to access your accounts on popular services: Gmail, Facebook, Dropbox, Instagram, LinkedIn, etc. Once he’s got access to your email, he can request a password reset from other services, which will send a link to for resetting your password to your now-compromised email account. (That’s another reason to enable two-factor authentication.)

Which password manager should you use? I can recommend 1Password, which I’ve been using for several years now. Also, LastPass has excellent reviews.

Two-factor authentication and using a password manager are the most important things you should do today to improve online safety and protect your accounts from being hacked.


Photo by Dayne Topkin on Unsplash

  1. These apps are called, among other names, two-factor authentication or 2FA apps, authenticator apps, one-time password or OTP apps
  2. There are some online services that store their customer’s passwords as-is, which is a terrible practice. You can detect such services when you forget your password and click on the ‘Forgot your password?’ link: they’ll send you your password by email, instead of generating a new one or sending a link to reset it. 
  3. There are pages that will tell you if your email has been compromised in a data breach. Check, for example, \
  4. The attacker doesn’t even have to be an expert hacker to do this. For $10, you can get a very good book explaining how to do it. 

Social Networks’s behavioral addiction

by Leave a Comment

Cal Newport, in his book Digital Minimalisn, explains that there are two forces that encourage behavioural addiction when using social networks.

The first force, intermittent positive reinforcement, exploits the fact that rewards delivered unpredictably are more enticing than those delivered with a known pattern. The expectation of likes/hearts/retweets after posting online is comparable to gambling.

The second force is the the drive for social approval. Social media is tuned to offer us a rich stream of information about how much (or how little) our friends are thinking about us at the moment.

We didn’t sign up for the digital lives we now lead. They were instead, to a large extent, crafted in boardrooms to serve the interests of a select group of technology investors.

— Cal Newport, Digital Minimalism

A quick test to see how deep these two forces have taken hold of your behavior: delete your Facebook and Instagram apps from your phone for just one day, and see if you show signs of abstinence syndrome. You can always reinstall the apps later if you want.

Maybe it’s time to let the old ways die

by Leave a Comment

A difficult aspect of facing technological innovation is the decision to change your business model in ways that disrupts your current business. It’s not easy to leave the safe shores of what works and is known.

NiemanLab published this interesting article about the L.A. Times and its difficulties competing in the digital business once the advantage of physical distribution of newspaper that gave them market power disappeared. Among other things, the L.A. Times is late in the game. The New York Times launched its first try at digital subscriptions in 2011, eight years ago. The table below, extracted from the article, shows the results.

“In every era, traditional media channels will diminish, dismiss and ignore the new ones. They do this at the very same time that they are supplanted by the new ones. While they will occasionally spend some time or money testing a new medium, they rarely leap.1

An important exercise is to write down a list of the current technology trends, and consider how they could affect your business. The difficult part is not falling in a blind spot, dismissing things as ‘hyped’ or ‘not serious’.

Take, for example, Artificial Intelligence (AI). If you follow some kind of business trends, you’ll read news every day of companies applying AI to some part of their operation. The insight here is that there are a small fraction that are actually applying advanced AI. But there is a significant number of companies that are going through ruthless automation of everything task-related, applying automation to every process possible. Call it ‘basic AI’ if you want. In a couple of years, thanks to their lower costs and operational efficiencies (and the insight they can get from their data), these companies will be in a significantly better poisition to compete than companies that are dismissing AI as just ‘hype’.

Hint: If you can’t identify a technology trend that could disrupt your current business model, you’re doing your analysis wrong.

Photo by Austin Chan on Unsplash.

  1. cfr Seth Goding, The old media/new media chasm

Where Should You Publish Your Content?

by Leave a Comment

There are several good options for publishing content online. Facebook, LinkedIn, Instagram, YouTube, Medium, and others offer a convenient and cost-free way to publish content and, potentially, reach a huge audience.

It’s important to understand why social networks are free. Like Michael Ende’s Momo Men in Grey, social networks are dependent on their ability to get humans to invest time on their platforms. Social networks revenue comes from selling carefully segmented “user attention” to advertisers1. In this business, eliminating any barrier to users spending time on their platforms —maximizing engagement— is critical for increasing revenue.

What’s critical for the network to succeed is to have enough “user attention” to sell to advertisers, properly segmented. Users spend time on social networks interacting with other users, and interacting with what other users post. To keep users engaged, social networks need a stable supply of content relevant to their user’s interests2. There is one more twist, however: the beauty of the model is that the content is created by the users themselves, which is another reason why publishing on said platforms is free.

As several people have pointed out, if you are not paying for the product, then you are the product.

The Rules of the Game

The problem on relying solely on a social network as your digital home is that their business model may not align with yours.

Consider Medium. Developed by co-founder of Twitter and founder of Blogger Evan Williams, Medium was launched in August 2012 as a long-form publishing and social site where content is privileged. The platform has a clean design, an excellent editor for writing articles, and offers exposure to like-minded people who are in the search of quality content over click-bait articles. Publishing on Medium can give you a lot of exposure.

However, social platforms have their own goals. In 2016, in search of a profitable business model, Medium introduced a paywall around its content. If you had been publishing on Medium, your content became blocked behind the paywall. From that date on, your readers need to subscribe to the platform in order to read more than the 3 monthly articles limit offered by Medium’s free account.

Another factor is what content is shown and when. Most social networks use a newsfeed to show content to their users. An algorithm custom-tailors the series of posts you see. The algorithm’s selection criteria is proprietary to each network. From the user’s point of view, this means that you have limited control over who sees what you publish. Even if you publish something for “Your Friends on Facebook”, not all your friends are shown what you post. (But you can pay Facebook to ‘boost’ your post.) Also, because the newsfeed is time-based, content that is not reshared, quickly fades into oblivion.

Using Social Networks to Promote Your Content

A better strategy is to publish your content on a site under your control, and then use social networks to promote and distribute your content. Having your own site gives you a series of benefits that social networks don’t. It gives you control over your brand. (If it’s your personal brand, I think this is becoming more important every day.) You can tailor the site to reflect your strategy. Over the paltry analytics most social networks give you, you can measure in detail how users interact with your content.

Long term, you are building an asset. Social networks come and go… come and go with your content, if that’s the only place you publish.

Photo by Daria Nepriakhina on Unsplash.

  1. The exception is Medium. Medium income comes from subscription plans. In the case of LinkedIn, their clients are advdertisers and headhunters.
  2. In some cases like LinkedIn or Medium, income also comes from offering premium, non-free plans to users. These plans give you more control or access to published content and users. LinkedIn, for example, artificially limits the number of advanced searches you can do using a free account. 

Huawei. Modern Warfare

by Leave a Comment

Wars are often fought to win over strategic resources.

Huawei is the #1 telecom supplier in the world1, and the #2 smartphone maker2 after Samsung. It’s also a major player in next generation 5G network technology. “As of April 2019, Huawei tops the global rankings in nearly every category of 5G development, from its ‘contributions’—a technical term meaning standards proposals—to the number of standards meetings around the world that company representatives attend3“, writes The Wall Street Journal.

On May 15, U.S. President Donald Trump declared a national emergency, signing an executive order that expanded the government’s powers to protect communications networks4. Shortly after, the Commerce Department banned U.S. companies and any company using U.S. technology from doing business with Huawei, alleging “that there is reasonable cause to believe that Huawei has been involved in activities contrary to the national security or foreign policy interests of the United States 5”.

There has been a “long-held belief from lawmakers and the U.S. intelligence community that Huawei acts on behalf of the Chinese government6”. While Huawei says it respects intellectual property rights, “competitors and some of its own former employees allege company goes to great lengths to steal trade secrets7”. On January 2019, the “U.S. Department of Justice (DOJ) (…) charged Huawei with bank fraud and stealing trade secrets. In a 13-count indictment DOJ charged Huawei, its chief financial officer, and two affiliated firms with a laundry list of crimes including conspiracy, money laundering, bank and wire fraud, flouting U.S. sanctions on Iran, and obstruction of justice8.”

The ban will certainly impact Huawei’s cellphone business, and the damage to their telecom business can be even greater. For example, the World’s leading chip designers and suppliers, Intel, Qualcomm, Broadcom, and ARM among them, have announced that because of the ban they will no longer be able to supply Huawei9.

Weapons of War and Perfect Timing

The timing of the ban is perfect, just in the middle of the U.S. trade negotiations with China. According to the Washington Post, “Trump has signaled in the past that these sorts of decisions can be used as bargaining chips in broader negotiations10”. In fact, some days after the ban, “Trump raised the possibility of easing restrictions on Huawei as part of a broader trade deal with Beijing11“. How can a national security issue be eased on “a broader trade deal”?

The ban on Huawei is not based on technical arguments, nor mentions Huawei’s rampant intellectual property theft. The alleged cause, national security, is very convenient because it prevents China from presenting a formal WTO challenge to the U.S..

It’s worth noting that none of the U.S. major telecom players use Huawei technology, and neither does the U.S. Government. (However, thanks the lower cost of its equipment, Huawei plays an important role for wireless carriers in rural America12.) Also, Huawei doesn’t sell phones within the U.S..

Some people raise the flag that the U.S. administration is doing “what’s right”, alluding Huawei’s rampant piracy practices and the fact that it works hand in hand with a government that restricts some very basic freedoms. However, the U.S. government doesn’t seem too much concerned when U.S. companies help oppressing regimes with implementation of censorship and information control infrastructure. Consider, for example, the Great Firewall of China13, one of the Chinese government’s favorite repression tool, which was build thanks to huge contracts with U.S. companies, using hardware provided by U.S. companies like Cisco14. A more recent examples is the funding by US Universities and Retirees funds of censorship technology like SenseTime and Megvil.

The Race for 5G Supremacy

The U.S. government has been trying to persuade Europe and other commercial partners to stay away from Huawei for their next generation 5G networks. But 5G networks are extraordinary expensive. China is heavily invested in 5G and Huawei is one of the leading companies in 5G technology in the world15, with very competitive prices. Nick Read, CEO of Vodafone —the world’s second-largest mobile operator— said that barring Huawei could delay 5G in Europe for at least two years, and structurally disadvantage Europe16.

EU nations don’t like to be bossed around by foreign governments. On March 11, 2019, the Trump administration told the German government that it would limit intelligence sharing with Berlin if Huawei was allowed to build Germany’s next-generation mobile-internet infrastructure. The same day, Chancellor Angela Merkel announced that Germany would define its own security standards for their new 5G networks, and that they have no plans to stop Huawei from participating if the company complies with the security requirements17.

Other European countries have followed suit. “If nations as wealthy as Switzerland and Saudi Arabia are picking Huawei (and their bank accounts) in the face of U.S. displeasure, we cannot realistically expect developing countries without such deep pockets to choose differently.18

Technological Gaps

While the U.S. is leading when it comes to design and the technology behind electronic components, manufacturing is lead by a companies in Asian countries like Taiwan’s TSMC (the world’s largest semiconductor foundry) and others. U.S. semiconductor companies like Qualcomm, Nvidia, AMD, MediaTek, etc., are “fabless”. That is, they outsource the fabrication of their designs to specialized semiconductor foundries.

Big players like Apple manufacture products like the iPhone in China because it allows them to lower assembly costs significantly. But most of the iPhone technology and parts are not desiged nor produced in China. It’s estimated that China makes only $10 of the cost of an iPhone, and only $2 of the amount are labor costs. Touch screen display, memory chips, microprocessors and other components are manufactured by Japanese, Korean, and U.S. companies, among others19, and are imported to China for assembly and later exported back as a finished product.

This is one of the reasons why, aside from the huge capital expenditure involved, moving factories to the U.S. for Apple would certainly increase assembly costs and lower Apple’s margins. (Even if the Trump administration has granted companies like Apple exception from import taxes over components.)

China is taking giant steps innovating in fields like AI and genetics. But when it comes to hardware and design of basic components like microprocessors, it continues to depend on the U.S.. The Huawei ban exposes this vulnerability. “China now has no choice but to pursue technological independence, and will burn the cash to achieve it20“. It will take time, but China will certainly take the necessary steps to close this dependency on foreign technology.


Photo by Thomas Jensen on Unsplash

  1. cfr Huawei Now World’s Largest Telecom Equipment-Maker
  2. cfr Smartphone Rankings Shaken Up Once Again as Huawei Surpasses Apple 
  3. cfr WSJ, Huawei’s Yearslong Rise Is Littered With Accusations of Theft and Dubious Ethics
  4. cfr Executive Order on Securing the Information and Communications Technology and Services Supply Chain
  5. Technically speaking, Huawei was added to the Entity List. The Entity List is a “list of names of certain foreign persons – including businesses, research institutions, government and private organizations, individuals, and other types of legal persons – that are subject to specific license requirements for the export, reexport and/or transfer (in-country) of specified items.“ (cfr Bureau of Industry and Security/Entity List
  6. The Verge, Huawei vs. Trump: all the news about the Chinese phone maker’s messy relationship with the U.S.
  7. cfr WSJ, Huawei’s Yearslong Rise Is Littered With Accusations of Theft and Dubious Ethics
  8. cfr Huawei: Banned and Permitted in Which Countries?
  9. It’s worth noting that these and other companie’s revenues will also get hurt by the lost of such a big client. Cfr Intel, Qualcomm, and other chipmakers reportedly join Google in Huawei ban
  10. cfr The Washington Post, Trump administration cracks down on giant Chinese tech firm, escalating clash with Beijing
  11. cfr CNN Business, Trump suggests using Huawei as a bargaining chip in U.S.-China trade deal and The Verge, Trump’s latest explanation for the Huawei ban is unacceptably bad
  12. cfr The New York Times, Huawei Ban Threatens Wireless Service in Rural Areas
  13. cfr Wikipedia, Great Firewall: “The Great Firewall of China (GFW) is the combination of legislative actions and technologies enforced by the People’s Republic of China to regulate the Internet domestically. Its role in the Internet censorship in China is to block access to selected foreign websites and to slow down cross-border internet traffic. The effect includes: limiting access to foreign information sources, blocking foreign internet tools (e.g. Google search, Facebook, Twitter, Wikipedia etc.) and mobile apps, and requiring foreign companies to adapt to domestic regulations. Besides censorship, the GFW has also influenced the development of China’s internal internet economy by nurturing domestic companies and reducing the effectiveness of products from foreign internet companies.” 
  14. cfr. Wired, Cisco Leak: Great Firewall of China was a chance to sell more routers
  15. Meanwhile, in the U.S., Intel recently announced that it was exiting the 5G modem market. cfr The Verge, https://www.theverge.com/2019/4/16/18411332/intel-exiting-5g-smartphone-modem-market-apple-qualcomm-settle-dispute. Also, cfr MIT Technology Review, China is racing ahead in 5G. Here’s what that means
  16. cfr Huawei expects to secure 5G contracts in Germany
  17. cfr Huawei: Banned and Permitted in Which Countries?
  18. cfr Australian Strategic Policy Institute,
    Huawei and 5G: what are the alternatives?
  19. cfr The Conversation, We estimate China only makes $8.46 from an iPhone – and that’s why Trump’s trade war is futile
  20. cfr The Tech Cold War Has Begun