Shared posts

15 Jul 14:31

Shantaram/Smartnews/MakeHub

by claudia

Long-form listening
One of the best books I ever listened to is Shantaram. This very long story — 43 hours! — is the fictionalized autobiography of an Australian outlaw who hides out in the slums of Bombay, is thrown in Indian prison for drug dealing and eventually follows his guru to fight for the mujahideen in Afghanistan. He is a holy thief, a wise sinner, a coyote trickster, and this meld of the sacred and profane is what gives the story its epic rousing power. The narrator in the Audible version does hundreds of foreign accents pitch-perfectly and captures the enthusiasm of the Indian sub-continent. Even after 43 hours I wished the story-telling would never end. — KK

Best news app
Smartnews is a free, lightweight, mobile app for iOS and Android. It presents the top news stories in different categories and is updated frequently. You can add your favorite news sites to it, too. When I want to find out what’s going on, it’s the first place I go. — MF

Indie online projects
MakeHub is a crowdsourced list of interesting and useful projects by indie developers. You can sort by which has the most social media followers or votes on Product Hunt. Through MakeHub, I came across colorkuler, which extracts and displays your Instagram color palette, and had fun comparing my palette with people I follow. — CD

High leverage philanthropy
I’ve been making micro-loans to entrepreneurs in the developing world via Kiva for 10 years. I loan small amounts (less than $100) to say, women in Africa hoping to buy a sewing machine to start their own sewing business, or herders in Bolivia needing some equipment to make cheese, and soon enough they will repay the loan, so I can re-loan the money again to someone else. I’ve gone through 4 cycles of loans for my first money, and there is less than 0.1% delinquency — a rate any bank would die for. 100% of my money goes to helping the individuals I select; Kiva’s operating costs are funded separately. The money keeps going around. It’s one of the best bargains in the world. — KK

Worry about it later list
I got the idea to make a worry list from this Forbes article on organizing your feelings. I keep a sticky note on my laptop and when something is bugging me I add it to the list and mentally shelve it until later. By the end of the day, most of it doesn’t matter and then I get to cross it out and that feels great. — CD

Moth catcher
We have pantry moths in our kitchen cupboards, and can’t get rid of them. But we can greatly reduce how many there are with these moth traps. They look like little scout tents but the inner walls are coated with a sticky substance. Once every 9 months we replace the trap, which by then is covered with the creatures. — MF

10 Jul 20:12

Happy Birthday Nebula!

by Insha Fitzpatrick

I know we all love Gamora, aka The Deadliest Woman in Space. There’s another girl that has this writer's heart as The Deadliest Woman in Space. I’m talking about her sister Nebula. Nebula’s […]

The post Happy Birthday Nebula! appeared first on Geek.com.

09 Jul 11:17

Preacher season 3 episode 3 review: Gonna Hurt

by louisamellor
Ron Hogan
Jul 9, 2018

Preacher is still rounding out its world in season 3, but delivers another consistently entertaining episode in Gonna Hurt. Spoilers...

This review contains spoilers.

3.3 Gonna Hurt

There are times during Preacher in which I struggle to follow along. Not necessarily with the plot or the characters, but with the world itself. This is a world in which, for example, people head to voodoo practitioners to get their problems solved. There are whole organizations that collect souls in exchange for services, money, or some combination of the two. Thus, the soul is real, and magic is real, God exists (and is wandering around the United States), and yet there's still a need for 12-step programs. There are also multiple groups that know of the existence of vampires, which I imagine would be of interest to the general public.

One of the big questions raised by Gonna Hurt concerns the relationship between voodoo and vampires. As Cas says, logically enough, he should be the main attraction of Angelville; a real-life vampire doing real-life vampire things. Yet when Jody and TC figure out what he is, their first idea is to string him up to leave him in the sun to burn (which leads to a very fun animation sequence where Cas remembers the hanging-man picture in Angelville, only this time it comes to life and starts burning). I'm not really sure why one's okay and why the other is not, but Jesse establishes that voodoo is something natural, while vampires are monsters, and monsters have a specific purpose on the Angelville farm.

There was nothing too especially stand-out about the episode, but it's solidly put together. There are some nice moments spread throughout, and things put into play early in the episode by Gary Tieche's script end up paying off by the end of the episode. There are some fun moments, like Tulip's brief conversation with God, and the surprisingly sweet talk between Jesse and Cas in which Jesse admits, for the first time, that Cas is his best friend. Cas, of course, fails to take his advice to leave, and gets himself in trouble by trying to short-cut his healing process with a little late-night raw chicken dinner. It's true to the character, who loves chemicals and short-cuts, and true to Jesse, who loves to throw his weight behind hopeless causes like Cas and the cursed Tulip. Her screw-ups turn out to be part of the divine plan, not that Tulip is particularly happy about that.

That interaction between Tulip and God ends up being really funny in director John Grillo's hands. The fantasy scene where Tulip beats up God is really funny, thanks in no small part to Ruth Negga's willingness to get in God's face and talk back to God even after he literally flicked her away so hard she flew across the road and crashed down in front of her car. She's pugnacious, there's no question about that. Not especially smart, but brave. Her flirtation with TC was also very funny, with the use of the baby alligator toy a particularly amusing visual.

Even in a fairly standard episode, there are enough fun moments to carry Preacher along. Ruth Negga and Joseph Gilgun are brilliantly funny actors, Negga especially, with Dominic Cooper playing a solid straight man to the wackier side characters. Tulip is very funny throughout the episode, and even though everything goes wrong every time she tries to do something, it all ends up working out in the end for her somehow. Or at least she survives her misadventures. TC is a little too broad for my tastes, but Jody is strong enough as a semi-villain to off-set the bigger villains of The Grail, and every scene with Marie is incredibly creepy, even when (especially when) she's pretending to be helpful to Cas.

The story is progressing steadily. Jesse is still stuck at Angelville, and will be for the foreseeable future, but at least he seems to be coming up with plans to make proper use of his time there, and to make proper use of his friendship with Cas. The Tombs are open, and The Tombs will be where Cas will be the main attraction of Angelville. It's not as lucrative as the voodoo business lost to Madame Boyd and her family, but it'll be something. And, perhaps, it will help get Tulip out of the trouble that she marched into with only a gun to keep her safe.

I'm not sure what she might have expected. She's walked into situations like this before and come out okay, but I don't think that she's ever really had anything to do with any voodoo before. I'm not sure if anyone save Jesse knows the true power of voodoo. I'm curious to see what it might do if used on, for example, an immortal vampire, or the leader of a giant multi-national conspiracy group bent on dominating the world's religious institutions.

Preacher is still rounding out its world, but I can't complain. It's at least moving in interesting ways and going to interesting places. The show is doing a good job of laying out new wrinkles, and capitalising on them. If nothing else, it's always entertaining, even when it's not at the peak of performance. I'll take consistent entertainment over dramatic highs and lows all day.

Read Ron's review of the previous episode, Sonsabitches, here.

US Correspondent Ron Hogan once had a rubber alligator that he got on a family vacation in Florida. It was only used to eat GI Joe action figures and never for TC-like purposes. Find more by Ron daily at PopFi.

07 Jul 03:28

Proving that Christians don't hold a monopoly, Buddhists now investigating claims of sexual misconduct against spiritual leader [Awkward]

26 Jun 18:25

There's no nudity in Assassin's Creed Odyssey

by Ali Jones

There is no nudity in Assassin’s Creed Odyssey, despite the existence of multiple romanceable characters. In an Ask Me Anything that took place on Reddit over the weekend, the game’s creative director, Jonathan Dumont, confirmed that characters will definitely be keeping their clothes on throughout the game.

Dumont was asked whether there will be any romantic scenes in Assassin’s Creed Odyssey, as well as whether there will be full nudity. In response, he says “depends if you are any good at romancing,” but confirms that “lovers keep their clothes on though.”

If digital nudity is your thing, why not check out our list of the best sex games on PC?

That seems to be the same as what happened in Assassin’s Creed Origins, as although Bayek and his wife Aya were quick to get it on whenever they met during the game, they always seemed to stay at least partially clothed. It’s quite the departure from other games, however - The Witcher 3 developer CD Projekt Red says that its new game, Cyberpunk 2077, will feature full-frontal nudity. That follows up from Geralt’s adventures, which were far from prudish themselves.

Assassin's Creed Odyssey

We already knew that Assassin’s Creed Odyssey will feature romance options, allowing you to attempt to woo characters regardless of your choice of character (you can choose your gender in Assassin’s Creed Odyssey).

07 Jun 12:26

The damage from Atlanta’s huge cyberattack is even worse than the city first thought

by Taylor Hatmaker

More than two months after a cyberattack hobbled many of its critical municipal systems, the city of Atlanta is still sorting through the wreckage of what is likely the worst cyberattack targeting a U.S. city to date.

On March 22, Atlanta’s connected systems city-wide were hit with a ransomware message locking their respective files and demanding an approximately $50,000 payment in bitcoin (the price has fluctuated since). The ransomware is believed to be from the group known as SamSam, which has been operating and executing similar attacks since at least 2015.

In the days following the March 22 incident, Atlanta residents were unable to do simple city system-dependent tasks like paying parking tickets or utility bills. City employees didn’t get the all-clear to turn on their computers until five days later and many city systems still have not recovered.

On Wednesday during a budget meeting, Daphne Rackley, Atlanta’s Interim Chief Information Officer and head of Atlanta Information Management, disclosed new details about the extent of the damage. As Reuters reports, at least one third of the 424 software programs that the city runs remain offline or partially inoperable. Almost 30 percent of those programs are deemed “mission critical” by the city, meaning that they control crucial city services like the court system and law enforcement. In the meeting, Rackley explained that the city initially believed only 20 percent of the city’s software programs to be affected by the attack, none of which affected critical systems.

While reporting the updated numbers, Rackley estimated that $9.5 million would need to be added to the department’s $35 million budget to address the remaining damage. That amount is on top of the more than two million dollars in emergency procurements sought by Atlanta Information Management following the attack.

TechCrunch has reached out to Atlanta Information Management about how that additional $9.5 million for recovery from the attack would be allocated and will update if we learn further details. Earlier this week, Atlanta’s Police Chief disclosed that the cyberattack destroyed “years” worth of police dash cam video footage.

Atlanta has been regarded as a frontrunner for Amazon’s second headquarters in some analyses, though it’s not immediately clear how the cyberattack will affect the city’s odds.

06 Jun 14:54

New Vpnfilter analysis: modules attack router owners and target industrial control systems; reinfection still possible, more routers vulnerable

by Cory Doctorow

Vpnfilter is the malicious software that targets home routers, thought to be the work of Russian state-affiliated hacker group Fancy Bear, that raised alarm last month on the revelation that it had infected half a million home routers around the world.

04 Jun 16:52

Federal Agencies Respond to 2017 Cybersecurity Executive Order

by Eduard Kovacs

28 May 23:52

The year of Linux on the (Windows) Desktop - WSL Tips and Tricks

by Scott Hanselman

I've been doing a ton of work in bash/zsh/fish lately - Linuxing. In case you didn't know, Windows 10 can run Linux now. Sure, you can run Linux in a VM, but it's heavy and you need a decent machine. You can run a shell under Docker, but you'll need Hyper-V and Windows 10 Pro. You can even go to https://shell.azure.com and get a terminal anywhere - I do this on my Chromebook.

But mostly I run Linux natively on Windows 10. You can too. Just open PowerShell once, as Administrator, run this command and reboot:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Then head over to the Windows Store and download Ubuntu, or Debian, or Kali, or whatever.

What's happening is you're running user-mode Linux without the Linux kernel. The syscalls (system calls) that these unmodified Linuxes use are brokered over to Windows. Fork a Linux process? It's a pico-process in Windows and shows up in the Task Manager.

Want to keep files that you edit both in Windows and in Linux? Keep your files/code in /mnt/c/ and you can edit them with either OS. Don't use Windows to "reach into the Linux file system." There be dragons.


Once you've got a Linux installed (or many, as I do) you can manage them and use them in a number of ways.

Think this is stupid or foolish? Stop reading and keep running Linux and I wish you all the best. More power to you.

Want to know more? Want to look at new and creative ways you can get the BEST of the Windows UI and Linux command line tools? Read on, friends.

wslconfig

WSL means "Windows Subsystem for Linux." Starting with Windows 10 version 1709 (that's 2017-09, the Fall Creators Update; run "winver" to see what you're running), you've got a command called "wslconfig." Try it out. It lists the distros you have and controls which one starts when you type "bash."

Check out below that my default for "bash" is Ubuntu 16.04, but I can run 18.04 manually if I like. See how I move from cmd into bash and exit out, then go back in, seamlessly. Again, no VM.

C:\>wslconfig /l /all

Windows Subsystem for Linux Distributions:
Ubuntu (Default)
Ubuntu-18.04
openSUSE-42
Debian
kali-rolling

C:\>wslconfig /l
Windows Subsystem for Linux Distributions:
Ubuntu (Default)
Ubuntu-18.04
openSUSE-42
Debian
kali-rolling

C:\>bash
128 → $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial
128 → $ exit
logout

C:\>ubuntu1804
scott@SONOFHEXPOWER:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04 LTS
Release: 18.04
Codename: bionic
scott@SONOFHEXPOWER:~$

You can also pipe things into Linux commands by piping to wsl or bash like this:

C:\Users\scott\Desktop>dir | wsl grep "poop"

05/18/2018 04:23 PM <DIR> poop

If you're in Windows, running cmd.exe or powershell.exe, it's best to move into Linux by running wsl or bash as it keeps the current directory.

C:\Users\scott\Desktop>bash

129 → $ pwd
/mnt/c/Users/scott/Desktop
129 → $ exit
logout

Cool! Wondering what that number is before my Prompt? That's my blood sugar. But that's another blog post.

wsl.conf

There's a file in /etc/wsl.conf that lets you control things like if your Linux of choice automounts your Windows drives. You can also control more advanced things like if Windows autogenerates a hosts file or processes /etc/fstab. It's up to you!

Distros

There's a half dozen distros available and more coming, I'm told, but YOU can also make/package your own Linux distribution for WSL with the packager/distro-launcher that's open-sourced on GitHub.

Docker and WSL

Everyone wants to know if you can run Docker "natively" on WSL. No, that's a little too "Inception," and as mentioned, the Linux kernel is not present. The unmodified ELF binaries work fine, but Windows does the work. BUT!

You can run Docker for Windows and click "Expose daemon on localhost:2375" and since Windows and WSL/Linux share the same port space, you CAN run the Docker client very happily on WSL.

After you've got Docker for Windows running in the background, install the Docker client in Ubuntu following the regular instructions. Then update your .bashrc to force your local docker client to talk to Docker for Windows:

echo "export DOCKER_HOST=tcp://0.0.0.0:2375" >> ~/.bashrc && source ~/.bashrc
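The one-liner above exports DOCKER_HOST unconditionally. The snippet below is an added example (not from Scott's post) of a guarded version for ~/.bashrc: it only sets the variable when the shell is actually running under WSL, and it only accepts a loopback address, because the port 2375 that "Expose daemon on localhost:2375" opens speaks plain HTTP with no authentication, so a DOCKER_HOST pointing anywhere but the local machine should be refused. The function names and the sample /proc/version lines are this example's own, and the "Microsoft" substring check is an assumption about how WSL kernels identify themselves.

```shell
#!/bin/sh
# Added example (not from the original post): a guarded version of the
# .bashrc change above. DOCKER_HOST is only exported when the shell is
# running under WSL and the candidate value points at loopback.
# Function names and the sample /proc/version strings are this example's own.

# Return 0 when a /proc/version line is from WSL. Assumption: WSL kernels
# name Microsoft in that string; matched case-insensitively so later
# "microsoft-standard" kernels also qualify.
is_wsl_version() {
    case "$1" in
        *[Mm]icrosoft*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a DOCKER_HOST value is a tcp:// URL pointing at loopback.
# 0.0.0.0 is accepted because, as a *client* address, it resolves to the
# local host; anything else (a LAN IP, a hostname) is refused, since the
# exposed daemon port carries no TLS and no authentication.
docker_host_is_loopback() {
    case "$1" in
        tcp://localhost:[0-9]*|tcp://127.0.0.1:[0-9]*|tcp://0.0.0.0:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide what DOCKER_HOST should be for the given /proc/version text and
# candidate value: prints the value to export, or nothing at all.
pick_docker_host() {
    version_text=$1
    candidate=${2:-tcp://localhost:2375}
    if is_wsl_version "$version_text" && docker_host_is_loopback "$candidate"; then
        printf '%s\n' "$candidate"
    fi
}

# Usage from ~/.bashrc on a real WSL machine (not executed by the test):
#   host=$(pick_docker_host "$(cat /proc/version)") && [ -n "$host" ] && export DOCKER_HOST=$host
```

With this in place the same .bashrc can be shared with a plain Linux box: there `pick_docker_host` prints nothing, so the docker client keeps using the local socket.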

There are lots of much longer and more detailed "Docker on WSL" tutorials, so if you'd like more technical detail, I'd encourage you to check them out! If you use a lot of Volume Mounts, I found Nick's write-up very useful.

Now when I run "docker images" or whatever from WSL I'm talking to Docker for Windows. Works great, exactly as you'd expect and you're sharing images and containers in both worlds.

128 → $ docker images

REPOSITORY TAG IMAGE ID CREATED SIZE
podcast test 1bd29d0223da 9 days ago 2.07GB
podcast latest e9dd366f0375 9 days ago 271MB
microsoft/dotnet-samples aspnetapp 80a65a6b6f95 11 days ago 258MB
microsoft/dotnet-samples dotnetapp b3d7f438bad3 2 weeks ago 180MB
microsoft/dotnet 2.1-sdk 1f63052e44c2 2 weeks ago 1.72GB
microsoft/dotnet 2.1-aspnetcore-runtime 083ca6a642ea 2 weeks ago 255MB
microsoft/dotnet 2.1-runtime 6d25f57ea9d6 2 weeks ago 180MB
microsoft/powershell latest 708fb186511e 2 weeks ago 318MB
microsoft/azure-cli latest 92bbcaff2f87 3 weeks ago 423MB
debian jessie 4eb8376dc2a3 4 weeks ago 127MB
microsoft/dotnet-samples latest 4070d1d1e7bb 5 weeks ago 219MB
docker4w/nsenter-dockerd latest cae870735e91 7 months ago 187kB
glennc/fancypants latest e1c29c74e891 20 months ago 291MB

Fabulous.

Coding and Editing Files

I need to hit this point again. Do not change Linux files using Windows apps and tools. However, you CAN share files and edit them with both Windows and Linux by keeping code on the Windows filesystem.

For example, my work is at c:\github so it's also at /mnt/c/github. I use Visual Studio Code and edit my code there (or vim, from within WSL) and I run the code from Linux. I can even run bash/wsl from within Visual Studio Code using its integrated terminal. Just hit "Ctrl+P" in Visual Studio Code and type "Select Default Shell."

Select Default Shell in Visual Studio Code

On Windows 10 Insiders edition, Windows now has a UI called "Sets" that will give you Tabbed Command Prompts. Here I am installing Ruby on Rails in Ubuntu next to two other prompts - Cmd and PowerShell. This is all default Windows - no add-ons or extra programs for this experience.

Tabbed Command Prompts

I'm using Rails as an example here because Ruby/Rails support on Windows with native extensions has historically been a challenge. There's been a group of people heroically (and thanklessly) trying to get Ruby on Rails working well on Windows, but today there is no need. It runs great on Linux under Windows.

I can also run Windows apps or tools from Linux as long as I use their full name with extension (like code.exe) or set an alias.

Here I've made an alias "code" that runs code in the current directory, then I've got VS Code running editing my new Rails app.

Editing a Rails app on Linux on Windows 10 with VS Code

I can even mix and match Windows and Linux when piping. This will likely make Windows people happy and deeply offend Linux people. Or, if you're non-denominational like me, you'll dig it!

$ ipconfig.exe | grep IPv4 | cut -d: -f2

172.21.240.1
10.159.21.24

Again a reminder: modifying files not located under /mnt/<x> with a Windows application in WSL is not supported. But edit stuff on /mnt/x with whatever and you're cool.

Sharing Sharing Sharing

If you have Windows 10 Build 17064 or newer (run "ver" from Windows or "cmd.exe /c ver" from Linux), you can even share an environment variable!

131 → $ cmd.exe /c ver


Microsoft Windows [Version 10.0.17672.1000]

There's a special environment variable called "WSLENV" that is a colon-delimited list of environment variables that should be included when launching WSL processes from Win32 or Win32 processes from WSL. Basically you give it a list of variables you want to roam/share. This will make it easy for things like cross-platform dual builds. You can even add a /p flag and it'll automatically translate paths between c:\windows style and /mnt/c/windows style.

Check out the example at the WSL Blog about how to share a GOPATH and use VSCode in Windows and run Go in both places.

You can also use a special built-in command line called "wslpath" to translate path names between Windows and WSL. This is useful if you're sharing bash scripts, doing cross-platform scripts (I have PowerShell Core scripts that run in both places) or just need to programmatically switch path types.

131 → $ wslpath "d:\github\hanselminutes-core"

/mnt/d/github/hanselminutes-core
131 → $ wslpath "c:\Users\scott\Desktop"
/mnt/c/Users/scott/Desktop

There is no man page for wslpath yet, but copied from this GitHub issue, here's the gist:

wslpath usage:

-a force result to absolute path format
-u translate from a Windows path to a WSL path (default)
-w translate from a WSL path to a Windows path
-m translate from a WSL path to a Windows path, with ‘/’ instead of ‘\\’
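Because wslpath only exists on newer builds, a script shared between Windows and WSL needs a fallback for the translation it performs (and for the same /mnt/<drive> convention the WSLENV /p flag applies). The block below is an added example, not Scott's code and not the real wslpath: a pure-shell stand-in for the -u, -w and -m directions that defers to the real tool when it is present. Function names are this example's own, and paths outside /mnt/<drive> are simply passed through rather than mapped the way the real tool does.

```shell
#!/bin/sh
# Added example (not from the original post): a pure-shell stand-in for the
# common wslpath directions, for scripts that must also run where wslpath
# is missing. Function names are this example's own; the mapping rules follow
# the Windows <-> /mnt/<drive> convention shown in the post.

# Windows path -> WSL path, like `wslpath -u`. Drive letters are lower-cased
# because WSL mounts drives as /mnt/c, /mnt/d, ...
win2wsl() {
    p=$(printf '%s' "$1" | tr '\\' '/')            # C:\Users\x -> C:/Users/x
    case "$p" in
        [A-Za-z]:/*|[A-Za-z]:)
            drive=$(printf '%s' "${p%%:*}" | tr 'A-Z' 'a-z')
            printf '/mnt/%s%s\n' "$drive" "${p#?:}"
            ;;
        *)
            printf '%s\n' "$p"                      # not a drive path: pass through
            ;;
    esac
}

# WSL path -> Windows path. Second argument "m" keeps forward slashes like
# `wslpath -m`; anything else yields backslashes like `wslpath -w`.
# Paths outside /mnt/<drive> have no drive mapping here and are returned
# unchanged (the real tool maps them through the distro's share; not emulated).
wsl2win() {
    case "$1" in
        /mnt/[A-Za-z]/*|/mnt/[A-Za-z])
            drive=$(printf '%s' "$1" | cut -c6 | tr 'a-z' 'A-Z')
            rest=${1#/mnt/?}
            [ -n "$rest" ] || rest=/                # /mnt/d -> D:\
            if [ "${2:-w}" = m ]; then
                printf '%s:%s\n' "$drive" "$rest"
            else
                printf '%s:%s\n' "$drive" "$rest" | tr '/' '\\'
            fi
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# Front end with the same flags as wslpath. Uses the real tool when present,
# the fallbacks above otherwise.
wslpath_compat() {
    mode=u
    while [ $# -gt 1 ]; do
        case "$1" in
            -u) mode=u ;;
            -w) mode=w ;;
            -m) mode=m ;;
            -a) ;;                                  # inputs here are already absolute
            *)  echo "wslpath_compat: unknown flag $1" >&2; return 1 ;;
        esac
        shift
    done
    if command -v wslpath >/dev/null 2>&1; then
        wslpath "-$mode" "$1"
        return
    fi
    case "$mode" in
        u) win2wsl "$1" ;;
        w) wsl2win "$1" w ;;
        m) wsl2win "$1" m ;;
    esac
}

# Usage:
#   wslpath_compat 'd:\github\hanselminutes-core'   -> /mnt/d/github/hanselminutes-core
#   wslpath_compat -w /mnt/c/Users/scott/Desktop    -> C:\Users\scott\Desktop
#   wslpath_compat -m /mnt/c/Users/scott/Desktop    -> C:/Users/scott/Desktop
```

Quote Windows paths in single quotes when calling from bash, as in the usage lines, so the backslashes reach the function intact.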

One final note: once you've installed a Linux distro from the Windows Store, it's on you to keep it up to date. The Windows Store won't run "apt upgrade" or ever touch your Linuxes once they have been installed. Additionally, you can have Ubuntu 16.04 and 18.04 installed side-by-side and it won't hurt anything.

Are you using WSL?





© 2018 Scott Hanselman. All rights reserved.
     
22 May 16:31

New speculative-execution vulnerability strikes AMD, ARM, and Intel

by Peter Bright

Intel Skylake die shot. (credit: Intel)

A new attack that uses processors' speculative-execution capabilities to leak data, named Speculative Store Bypass (SSB), has been published after being independently discovered by Microsoft's Security Response Center and Google Project Zero. Processors from Intel and AMD, along with some of those using ARM's designs, are all affected.

Since the Meltdown and Spectre flaws were announced earlier this year, the speculative and predictive capabilities of modern microprocessors have been closely examined, revealing several new attacks.

All the attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it's absolutely certain of which address it should use.


30 Apr 15:41

PDF Files Can Silently Leak NTLM Credentials

by Ionut Arghire

NTLM credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction, Check Point security researchers warn.


27 Apr 20:12

The cure worse than the disease; get your new patches or enjoy a total meltdown

by Jeremy Hellstrom

Wasn't it hilarious when Microsoft released a patch for the Meltdown flaw that made things even worse by allowing write access to kernel memory as well as read access? Well, if you haven't got the patch that fixes the patch in place, you won't be laughing so hard today. The Register has seen proof of concept code which makes use of this flaw to elevate a DOS shell window to NT AUTHORITY\System from a user without admin privileges. Get yourself patched up, especially that Server 2008 instance!


"If you're not up-to-date with your Intel CPU Meltdown patches for Windows 7 or Server 2008 R2, get busy with that, because exploit code for Microsoft's own-goal flaw is available."


24 Apr 21:48

Network issues with VMware Tools 10.2.0 and Windows Server 2008 R2 Guest VMs

by afokkema
When you’re (still) running Windows 2008 R2 and are using VMware Tools 10.2.0 you might run into an issue regarding network loss. VMware has published KB54459. Windows Server 2008 R2 guest VM ports are exhausted after upgrading to VMware Tools 10.2.0 Details: Guest virtual machine ports are exhausted after a few days. Networking is […]

23 Apr 12:54

City of Atlanta Ransomware Attack Proves Disastrously Expensive

by Kevin Townsend

City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not


20 Apr 17:46

FDA Reveals New Plans for Medical Device Security

by Eduard Kovacs

The U.S. Food and Drug Administration (FDA) this week announced its medical device safety action plan, which includes seeking additional funding and authorities that would help it improve cybersecurity in the healthcare industry.


19 Apr 15:55

NIST Publishes New Version of its Cybersecurity Framework

by Sharon Nelson

The National Institute of Standards and Technology (NIST) announced on April 16th that it had released version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework.

"Cybersecurity is critical for national and economic security," said Secretary of Commerce Wilbur Ross. "The voluntary NIST Cybersecurity Framework should be every company's first line of defense. Adopting version 1.1 is a must do for all CEOs."

The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.

Version 1.1 includes updates on:

  • authentication and identity,
  • self-assessing cybersecurity risk,
  • managing cybersecurity within the supply chain; and
  • vulnerability disclosure.

The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs.

"This update refines, clarifies and enhances Version 1.0," said Matt Barrett, program manager for the Cybersecurity Framework. "It is still flexible to meet an individual organization's business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things."

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.

NIST will host a free public Webcast explaining Version 1.1 in detail on April 27, 2018, at 1 p.m. Eastern time. Worth signing up for - I am regrettably on the road at the time, but hope to catch up with this shortly.

E-mail: snelson@senseient.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

18 Apr 12:18

Chrome 66 Released With Security Improvements & New JavaScript APIs

Google has rolled out Chrome 66 to its stable channel for Linux desktop users as well as other supported desktop/mobile operating systems...
16 Apr 20:46

Lessons from cybersecurity exits

by Jonathan Shieber
Mahendra Ramsinghani Contributor
Mahendra Ramsinghani is the founder of Secure Octane, a Silicon Valley-based cybersecurity seed fund.

To: ceo@cybersecuritystartup.com

Subject: Lessons from cybersecurity exits

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and two nice acquisitions – Zscaler’s great debut on Wall Street, a $300 million acquisition of Evident.io by Palo Alto Networks and a $350 million acquisition of Phantom Cyber by Splunk have gotten all of us excited.

Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Which is not bad for ~4 to 5 years of work. They can finally afford to buy two-bedroom homes in Silicon Valley.

My math is not that good, but it looks like even some VCs made a decent return. Back-of-the-envelope scribbles indicate that True Ventures scored an estimated ~44X multiple on its seed investment. Others like Bain snagged a ~10X on the A round investment and Venrock, which led the Series B round, took home ~6X.

We see a similar pattern with Phantom Cyber, which got acquired by Splunk for $350 million. A little bird told me that they had bookings in the range of $10 million. But before we all get too self-congratulatory, let's ask – why did these companies sell at $300 million to $350 million when everyone in the valley wants to ride a unicorn? Clearly, funds like GV, Bain and Kleiner could have fueled more rounds to make unicorns out of Evident.io and Phantom Cyber.

(Data Source: Pitchbook)

Some of the board members might have peeked at the exit data gathered by the hardworking analysts at Momentum Cyber, a cybersecurity advisory firm. Look at security exit trends from 2010-2017. You might notice that ~68% of security exits were below $100 million. And as much as 85% of exits occur below $300 million.

Agreed that there are very few exceptional security CEOs like Jay Chaudhry, who grew up in a Himalayan village and led Zscaler to an IPO. This was Jay’s fifth startup and he kept over 25.5% of the proceeds, with another 28.3% owned by his trust. TPG Growth owned less than 10%. After all, he himself funded a substantial part of the company (which raised a total of $110 million). But not everyone is as driven or successful, and it’s OK to sell if the exit numbers are meaningful. Remember what the Bard of Avon once said:

For I must tell you friendly in your ear,

Sell when you can; you are not for all markets.

(Shakespeare, As You Like It, Act 3, Scene V)

(68% of security exits occur below $100 million. M & A Data from 2010-2017. Source: Momentum Cyber)

My friend Dino Boukouris, a director at Momentum Cyber, offers some sage advice to all founders who are smitten by unicorns. “Before a founder raises their next round, I would reflect on the market’s ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops.” Dino has a point, you see. As we inflate valuations, your work, my dear CEO, becomes much harder.

If you don't believe Dino, let's look at another recent exit, PhishMe, which was acquired by a private equity consortium for $400 million. That's a nice number, correct? At first look, you'll notice that the dilution and financial return patterns are similar to those of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and capital efficiency matter as much as exit value. It's not just the exit value ~ but how long and how much. Back to my man Dino, who will gently remind you that for the 175 M & A transactions in 2017, the median value was $68 million. Read that last sentence again — very slowly. $68 million. Ouch!

(Data Source: Pitchbook)

Two years ago, in Cockroaches versus Unicorns – The Golden Age of Cybersecurity Startups, cybersecurity founders were urged to avoid the unicorn hubris. A lot of bystanders, your ego included, will cheer you as you get higher valuations. But aren't we all rational human beings, always making data-based decisions?

Marc Andreessen will remind you that his best friend, Jim Barksdale, once said "If we have data, let's look at data. If all we have are opinions, let's go with mine." Since 2012, my VC friends have funded 1242 cybersecurity companies, investing a whopping $17.8bn. But chief information security officers say that they don't need 1242 security products. One exhausted CISO told me they get fifteen to seventeen cold calls a day. They hide away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital, are celebrating the successful sale of Evident.io. They pointed out that the founders, Tim Prendergast and Justin Lundy, had lived the public cloud security problem in their previous lives at Adobe. "Such deep domain expertise allowed them to gain credibility in the market. It's not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an 'easy to deploy' solution that could scale to customers with 1000s of AWS / Azure accounts. Customers were more willing to be reference-able, given this aligned relationship."

(Source: Momentum Cyber)

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner at Accel Partners, says, "CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell." According to Cack Wilhelm, Partner at Accomplice, "Security analysts have alert fatigue, and CISOs have vendor fatigue." You are one of those possibly, wouldn't you agree?

Besides indigestion and fatigue, the CISO role has become demanding. William Lin, Principal at Trident Capital Cyber, a $300m fund, pointed out that "the role of CISO has bifurcated into managing risk akin to an auditor and at the same time, managing complex engineering and technology environments." So naturally, they are managing their time more cautiously and not looking forward to meeting one more startup.

Erik Bloch, Director of Security Products at Salesforce, says that while he keeps an open mind and is willing to look at innovative startups, it takes him weeks to arrange calls with the right people, and months to scope a POC. And let's not forget the mountain of paperwork and legal agreements. "It's great to say you have a Fortune 100 as an early customer, but just be warned that it'll be a long, hard road to get there, so plan appropriately," he pointed out.

So, my dear founder, as the road gets harder, funding slows down. Look at 2017 — despite all those big hacks, Series A funding dropped by 25%. Clearly, many of our seed-funded companies are not delivering those Fortune 100 POC milestones. And are unable to raise a Series A. Weep, if we must, but let us remind ourselves that our point solutions are not that impressive to the CISOs.

All the founders I know are trying to raise a formulaic $8m Series A on $40m pre. But not every startup that wants 8 on 40 deserves it. Revenues and growth rate, those quaint metrics, matter more than ever. And some investors look for the quality of your customers. Aaron Jacobson of NEA, a multi-billion-dollar venture fund, says, "A key value driver is a thought-leader CISO as a customer. This is often a good indicator of value creation."

When markets get crowded and all startups sound the same, investors seek quality, or move to later stages. They like to see well-proven companies that have solved a lot of basic problems. And eliminated riskier stumbling blocks. Like product-market fit, pricing and go-to-market issues. Naturally, the later stage valuations are rising faster. Money is chasing quality, growth and returns.

Median Post-Money Valuation by stage for cybersecurity companies (Source: Pitchbook)

The security IPOs offer a sobering view. This is a long journey, not for the faint of heart. Okta moved fast, consumed ~4X more capital as compared to SailPoint, and delivered great returns.

Innovating with go-to-market strategies

In the near term, the big challenge for you, dear security founder, is selling in an overcrowded market. If I were you, I'd remember that innovation should not be restricted to merely technology, but can extend into sales and marketing. We lack creativity when it comes to marketing – ask Kelly Shortridge of SecurityScorecard. She should get some kind of BlackHat award for developing this godforsaken Infosec Startup Bingo. If you find any startup vendor that uses all these words, and wins this bingo, please DM me ~ I will promptly shave my head in shame. We got here because we do not possess simple marketing muscles. We copy each other while our customers roll their eyes when we pitch them.

Sid Trivedi of Omidyar Technology Ventures wants to work with developer-focused startups. He says, "Look at companies like Auth0. The sales efficiency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and point out that X number of developers are paying to use my technology. Here are their names, why don't you talk to them? And then, let's discuss an enterprise license for the full company? That approach works like magic. The overwhelming majority of the software IPOs like Twilio, Mulesoft, SendGrid are developer platforms."

If you go top-down in a hurry, you can crash and burn. I am aware of an impatient security vendor who used executive-level pressure at a Fortune 50 company. They kicked their way into the POC. And got kicked out by the infosec team. The furious infosec team destroyed the vendor in a technical assessment. I was told that the product was functional, but the vendor's impatience and political gymnastics killed the deal. Let us not forget a simple truth: many times CISOs turn to their subordinates for advice and decision-making, so don't just sell to the top. Nor ignore the rest of the people in the room.

With more noise, the buyers freeze. Margins shrink. Revenues and growth slow down. Which means it's harder to get to your milestones before your next round. Running out of cash is not fun. Nor is a down round, layoffs and such. So while this is easier said than done, please raise less and do more. And maybe, just maybe, you can keep 40% of a $350 million exit.

If you have questions or existential dilemmas, you can always find me chatting with a friendly VC in South Park. Or I'm always around in the trusted secure world of Signal.

Stay safe at that annual security stampede called RSA.

Kindly,

Mahendra

PS: Let’s not forget to express our gratitude to those analysts at Momentum Cyber and Pitchbook for painstakingly tracking every investment, analyzing and presenting meaningful data. They help us look at the forest, and make our journey easier. Send them a thank-you tweet, some wine, chocolates, flowers or home-baked cookies.

16 Apr 01:32

Available for download - PowerCLI 10 Poster

by Eric Sloof

13 Apr 17:34

In Penetration Tests, 27% of Employees Fall for Phishing E-mails

by Sharon Nelson

TechRepublic reported on April 9th that, according to a 2018 report by security firm Positive Technologies, phishing was the most effective form of social engineering attack. 27% of recipients clicked a phishing link, which led to a fake website.

The firm studied its 10 largest penetration testing projects performed for clients in 2016 and 2017. These tests included 3,332 emails sent to employees with links to websites, password entry forms, and attachments, mimicking the work of hackers.

"To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form," Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in a press release. "Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password."

At times, employees complained that the malicious files or links would not open. In some cases, these employees tried to open the files or enter their password on the fake site 30-40 times, according to the report. This cracked me up. Some employees won't apply the same determination to their work that they will to getting a fake site to open up and compromise their employer.

Sometimes, they were so frustrated that they were unable to open the files that they forwarded them to the IT department for help—further increasing the risk to the organization, as IT staff are more likely to trust their colleagues and attempt to open the file. Well, the report may say that, but my own experience is that IT folks are far more likely to recognize phishing e-mails, especially when forwarded from employees. IT has been around the block with problematic employees more than a few times!

Hackers have also learned that sending messages from fake companies is less effective than in the past, causing only 11% of risky actions from employees, the report found. However, sending messages from the fake account of a real company and person increases the odds of success to 33%. That makes perfect sense of course – and that does parallel what we see.

But here's what I found to be the most comical part of the report. Attackers carefully select email subject lines to elicit a response from employees, including "list of employees to be fired" (which caused 38% of risky actions), and "annual bonuses" (which caused 25%). Yup, curiosity killed the cat, as did greed (did I get a bonus?).

Running phishing attack simulations is an excellent idea for law firms – and any other kind of entity. You'd be amazed at the extent to which you can reduce your risk for phishing if you adequately train employees.

E-mail: snelson@senseient.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson