Peter Coffee enters his next career

I had a chance to catch up with Peter Coffee, who recently ended his 18 years at Salesforce to focus on philanthropy and pro bono consulting. I first met Peter in the mid-1980s, when he was working for a defense contractor in IT, and I had just left working for an insurance company’s IT department. Both of us were living in LA and both of us were part of the advance guard of installing PCs around our companies. I had taken a job with PC Week, writing my little corporate IT heart out, and I had just hired Peter to be part of a team of product reviewers and in-house analysts.

Back in those days, there were many different PC makers, each running a slightly different collection of hardware and operating system. MS DOS, the Microsoft version, hadn’t yet become a standard, and there were also other operating systems that have since either died (like CP/M) or have morphed into major big deals (like the early versions that became Linux). Peter recalls one debate that he had in person with Bill Gates in those early years, where he argued that MS DOS might be the technically superior product, but other DOS versions put more tools in the box. Those were the days when you could buttonhole Gates in person.

Before we came to PC Week, Peter and I would examine these products and make recommendations to our corporate user base and management about which ones would become the company standard. Given that both of our companies were huge IBM customers, you might think that IBM had the PC world locked up, but this wasn’t always the case.

Peter and the rest of my team at PC Week Labs were early to do product reviews and write about the issues that we saw in terms of our corporate context. “We created an entire new way of breaking news by doing tech investigations and analysis. We would write short pieces that were published the following week, originating this content from our technical backgrounds,” he said, giving me credit for creating this journalistic model that has since flourished and now seems in decline. We also did numerous stunts, such as testing which network topologies were actually faster (Ethernet) and why early Windows was a bust (it ran on top of DOS rather than replacing it) or about the 386 CPU. They were heady times, to be sure. It was a model that I brought over to Network Computing magazine, which I began in the summer of 1990.

Peter reminded me that many tech pubs — including most of the overseas ones — had a pay-to-play model, where the writers would offer up glowing reviews of the products of the major advertisers. What we did was have strong opinions and the technical chops to back them up.

But times have changed. Now everyone is familiar with PCs, and takes them for granted. You don’t need a degree in Computer Science to be able to program, “because computer literacy is more about thinking about a problem than learning how to write code,” as Peter told me. “It is about finding the right tool to do the job, and assembling connections and anticipating the questions and problems that lie in the future. That has changed the whole notion of technical expertise into tying data sources and algorithms and understanding what the ultimate user wants to know.”

Several years ago, Peter and his wife started a non-profit foundation that will occupy their full-time attention. The foundation will focus on funding local efforts to improve climate, STEM education and other matters. His goal is to bootstrap these efforts into a better position to obtain national or international support. He said, “These are problems that could exponentially bloom into major issues, but they need help when they are still small and solvable.”  I wish them well.

Three new malware variants you might BOLO

Of all men’s miseries the bitterest is this: to know so much and to have no power.

That was something attributed to the Greek historian Herodotus, who lived in what is now Turkey and Italy more than 2400 years ago. It is a fitting name for a new kind of Android banking trojan that is making the rounds. The trojan works by inserting a small but randomly variable delay between keystrokes, to make them appear to have been typed by a (relatively poor) human typist. It has other features, such as being able to steal 2FA codes sent via SMS (yet another reason not to use this transport method), intercept everything that’s displayed on the screen, grab the lockscreen PIN or pattern, and install executable files. The malware looks like an ordinary mobile banking app, but there is nothing ordinary about it.

But Herodotus isn’t the only bad news bear that is out there. How about the RedTiger malware, which steals data while flooding targeted systems with hundreds of processes and random files to confuse forensic examiners? That essentially buries any warnings, making it harder for security personnel to figure out where the pony is in this massive alert pile. And then there is another malware that goes by the name CoPhish — it hides Microsoft Copilot commands within the HTML text of phishing emails. That text is designed not to be displayed if you are just reading the message in your browser or email client.
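The CoPhish description above turns on one detail: text a human reader never sees. A defender can extract exactly that text from an incoming message and treat its presence as a signal worth alerting on. The following is an added example, not code from the original post or from any vendor: it walks the HTML body of an email with the standard library parser and separates text that a normal mail client would render from text hidden by inline CSS (`display:none`, `visibility:hidden`, zero font size, zero opacity), the HTML `hidden` attribute, or an HTML comment. The sample message is constructed for illustration.

```python
"""Separate visible from hidden text in an HTML email body.

Added example, not code from the original post. Standard library only.
The sample message below is constructed, not a real phishing email.
"""
import re
from html.parser import HTMLParser

# Inline CSS declarations that make text invisible in an ordinary mail client.
HIDING_RULES = (
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"font-size\s*:\s*0(?![\d.])"),        # font-size:0, 0px, 0pt ...
    re.compile(r"opacity\s*:\s*0(\.0+)?(?![\d.])"),    # opacity:0 or 0.0
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}   # never get an end tag
NON_TEXT_TAGS = {"style", "script"}                       # content is code, not prose


class HiddenTextFinder(HTMLParser):
    """Collects text into `visible` or `hidden` depending on its ancestors."""

    def __init__(self):
        super().__init__()
        self._stack = []        # one bool per open element: did it start hiding?
        self._hidden_depth = 0  # >0 while inside any hidden subtree
        self._skip_depth = 0    # >0 while inside <style>/<script>
        self.visible = []
        self.hidden = []

    @staticmethod
    def _hides(attrs):
        attr_map = dict(attrs)
        if "hidden" in attr_map:
            return True
        style = (attr_map.get("style") or "").lower()
        return any(rule.search(style) for rule in HIDING_RULES)

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if tag in NON_TEXT_TAGS:
            self._skip_depth += 1
        hides = self._hides(attrs)
        self._stack.append(hides)
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if tag in NON_TEXT_TAGS:
            self._skip_depth -= 1
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or self._skip_depth:
            return
        (self.hidden if self._hidden_depth else self.visible).append(text)

    def handle_comment(self, data):
        # Comments are never rendered, so any prose inside one is hidden text.
        text = " ".join(data.split())
        if text:
            self.hidden.append(text)


def find_hidden_text(html_body):
    """Return (visible_fragments, hidden_fragments) for one HTML body."""
    finder = HiddenTextFinder()
    finder.feed(html_body)
    finder.close()
    return finder.visible, finder.hidden


def is_suspicious(html_body):
    """True when the message carries any text the recipient would not see."""
    return bool(find_hidden_text(html_body)[1])


# Constructed sample: ordinary-looking note with three invisible fragments.
SAMPLE_EMAIL = """<html><body>
<p>Hi team, please review the attached quarterly report.</p>
<div style="display:none">[text placed for an AI assistant, invisible to the reader]</div>
<span style="font-size:0px;color:#ffffff">[second invisible fragment]</span>
<p>Thanks,<br>Accounts Payable</p>
<!-- [text inside an HTML comment] -->
</body></html>"""

if __name__ == "__main__":
    visible, hidden = find_hidden_text(SAMPLE_EMAIL)
    print("visible:", visible)
    print("hidden: ", hidden)
    print("suspicious:", is_suspicious(SAMPLE_EMAIL))
```

Run it against the decoded `text/html` MIME part of a message at the mail gateway and route anything where `is_suspicious` is true to a quarantine queue or a human reviewer. The inline-style checks deliberately cover only the cheapest tricks; text colored to match its background, elements positioned off-screen, and styles set from an external stylesheet are not caught here and need a rendering engine to judge.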

What these three attack methods show is that the bad guys are getting better at hiding in plain sight, using AI methods and more subtle mechanisms to distribute their malware, and then trying to remain out of sight for several months while the attacker moves about, mapping the soft center of your network that will be compromised.

So you have been warned. Pick a better MFA method than SMS texts to get your PIN codes. (My favorite is Authy, but there are plenty of others.) Make sure to carefully vet any app you download to your phone before you start using it, and at install time, please pay attention to the warnings about what permissions it requires, to ensure that it isn’t grabbing everything it can. And don’t reply to any text message involving money that comes out of the blue, whether from your bank, your long-lost cousin traveling abroad, or someone who is acting friendly (want to join me for dinner?). It’s a jungle out there, and sadly an old Greek guy was spot on about how much we know but still don’t have any power to do anything about it.

Deleting your private data will get easier: thanks California

Most of us have seen those annoying pop-up screens when browsing the web that ask us to accept some turgid privacy policy or approve the use of cookies to track our sessions. California and a few other states are trying to make things more secure and protect our privacy by introducing new regulations that will go into effect in the coming months or years. One of these technologies is called a universal opt-out preference signal, which sadly carries the acronym OOPS. California’s explanation can be found here.

The universal part of the deal is that many websites will recognize these signals, so users don’t have to individually opt out of tracking for each website they visit where they are buying something online or sharing their personal information (such as a social network). CalOOPS will make this mandatory in January 2027. That is a long way off to wait for this convenience. Several other states are moving to enact similar laws, although it is a long road ahead. The OOPS signals are already not required in six of the 19 states that have privacy protections — just showing how much of a crazy quilt our privacy picture is and will continue to be.
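What “recognizing the signal” looks like on the website side is a small amount of server code. The following is an added example, not code from the original post, from the California regulator, or from any browser vendor. It assumes the signal is transported as the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` announcement defined by the Global Privacy Control proposal (the post itself does not name the mechanism), and all request headers and the `lastUpdate` date are constructed for illustration.

```python
"""Honor a universal opt-out preference signal on the server side.

Added example, not code from the original post. Assumes the Global Privacy
Control transport: a `Sec-GPC: 1` request header and a /.well-known/gpc.json
resource. The tracker URL and lastUpdate date below are constructed placeholders.
"""
import json

# Placeholder for the third-party tracking snippet a site would normally embed.
TRACKER_SNIPPET = '<script src="https://tracker.example/collect.js"></script>'


def opt_out_requested(headers):
    """True only for the exact value "1"; the proposal treats anything else as absent."""
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    return normalized.get("sec-gpc") == "1"


def render_page(headers):
    """Build the page body, leaving the tracker out when the visitor opted out."""
    body = ["<html><body><h1>Welcome</h1>"]
    if opt_out_requested(headers):
        body.append("<p>Opt-out signal honored: your data is not sold or shared.</p>")
    else:
        body.append(TRACKER_SNIPPET)
    body.append("</body></html>")
    return "\n".join(body)


def gpc_well_known():
    """Body for /.well-known/gpc.json telling browsers the site honors the signal."""
    return json.dumps({"gpc": True, "lastUpdate": "2025-11-01"})  # constructed date


def app(environ, start_response):
    """Minimal WSGI application wiring the two behaviours together."""
    # WSGI exposes request headers as HTTP_SEC_GPC etc.; turn them back into names.
    headers = {key[5:].replace("_", "-"): value
               for key, value in environ.items() if key.startswith("HTTP_")}
    path = environ.get("PATH_INFO", "/")
    if path == "/.well-known/gpc.json":
        body, content_type = gpc_well_known(), "application/json"
    else:
        body, content_type = render_page(headers), "text/html"
    # Vary tells shared caches that the response depends on this header,
    # so an opted-out visitor never receives a cached copy with the tracker.
    start_response("200 OK", [("Content-Type", content_type), ("Vary", "Sec-GPC")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, app) as server:
        print("Serving on http://127.0.0.1:8080 (Ctrl-C to stop)")
        server.serve_forever()
```

The important design point is the `Vary` header and the strict comparison against `"1"`: a site that caches pages per URL without varying on the signal would hand an opted-out visitor someone else’s tracker-laden copy, and a site that treats any non-empty value as opt-in would misread a browser sending `0`.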

The OOPS laws are just one of a triad of regulations that were enacted earlier this month in California. The others require major social media platforms to provide users with a clear way to delete their accounts and ensure that the data in your account is completely wiped. The third law holds data brokers to more stringent standards, including how deletion requests are handled by a new service called DROP. Those two go into effect in January 2026. Husch Blackwell (who does an excellent job tracking state privacy laws) has more info on this page describing the three laws.

DROP stands for Data Removal and Opt-Out Platform, and it will be a central place where consumers can begin the process of removing their data from multiple data brokers. If you have ever tried this on your own, you probably know how frustrating the process can be: first, the brokers are numerous, and many of them are companies you have probably never heard of. Here is a list of more than 600 of them. Then, once you do find one, they make the deletion action as obscure as possible, or put you through various pathways (download a special app, submit a web form) that don’t inspire confidence. And realistically, how many brokers are you going to do this with anyway? And finally, is Facebook et al. a broker or a social network or just all-around evilness?

Remember the do-not-track settings on your phone? Probably not, because these were for the most part ineffective, and not mandatory. These new laws have enforcement provisions. We’ll see if that matters in the end.

Browser vendors with privacy controls are one answer, such as Brave, DuckDuckGo, or extensions such as PrivacyBadger (which I wrote about here). I have been using Opera Air, which has an ad blocker built in. There are two problems. First, these browser-based tools don’t always work on some websites that require pop-ups as part of a normal workflow, or the websites don’t want you to run ad blockers, because they lose revenue from displaying the ad banners. And second, as you might have guessed, there are no federal data privacy laws, and given the state of our Congress, chances are slim that we will see any soon. That means that laws could be enacted that work at cross-purposes.

I would be interested in hearing any strategies that work for you.


CSOonline: 12 Attack Surface Management tools reviewed

Potential Attack Surface Management buyers need to understand how various network and other infrastructure changes happen and how they can neutralize them.

Periodic scans of the network are no longer sufficient for maintaining a hardened attack surface. Continuous monitoring for new assets and configuration drift is critical to ensure the security of corporate resources and customer data.

New assets need to be identified and incorporated into the monitoring solution as these could potentially be part of a brand attack or shadow IT. Configuration drift could be benign and part of a design change, but also has the potential to be the result of human error or the early stages of an attack. Identifying these changes early allows for the cybersecurity team to react appropriately and mitigate any further damage.
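The two conditions just described, a new asset appearing and an existing asset drifting from its baseline, are what an ASM tool computes between one observation and the next. The following is an added example, not code from the original article or from any of the reviewed tools: it diffs two constructed inventory snapshots (host, then listening port, then a service fingerprint string) and emits findings ranked so that unknown hosts and new listeners surface first, with drift on a known listener behind them and disappearances last.

```python
"""Diff two attack-surface snapshots to flag new assets and configuration drift.

Added example, not code from the original article or from any ASM vendor.
Snapshots are constructed: {host: {port: service_fingerprint}}. Hostnames,
versions and fingerprints below are illustrative placeholders.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    asset: str
    detail: str


# Constructed baseline: what the last approved inventory looked like.
BASELINE = {
    "www.example.com": {"443": "nginx/1.24 tls1.2,tls1.3"},
    "mail.example.com": {"25": "postfix", "587": "postfix starttls"},
}

# Constructed current scan: one host drifted, one grew a listener, one is new.
CURRENT_SCAN = {
    "www.example.com": {"443": "nginx/1.24 tls1.0,tls1.2,tls1.3", "8080": "jenkins 2.4"},
    "mail.example.com": {"25": "postfix", "587": "postfix starttls"},
    "staging-old.example.com": {"22": "openssh 7.4", "80": "apache 2.4"},
}


def diff_snapshots(baseline, current):
    """Return findings describing every difference between two snapshots."""
    findings = []
    for host, ports in current.items():
        if host not in baseline:
            # Unknown host: possible shadow IT, forgotten environment, or lookalike.
            findings.append(Finding("high", host,
                                    f"new asset exposing ports {sorted(ports)}"))
            continue
        known = baseline[host]
        for port, service in ports.items():
            if port not in known:
                findings.append(Finding("high", host, f"new listener {port}/tcp ({service})"))
            elif known[port] != service:
                # Same listener, different fingerprint: design change, error, or tampering.
                findings.append(Finding("medium", host,
                                        f"config drift on {port}/tcp: {known[port]!r} -> {service!r}"))
        for port in sorted(known.keys() - ports.keys()):
            findings.append(Finding("info", host, f"listener {port}/tcp no longer present"))
    for host in sorted(baseline.keys() - current.keys()):
        findings.append(Finding("info", host, "asset no longer reachable"))
    # Stable ordering: most urgent first, then by asset name.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.asset, f.detail))
    return findings


def report(findings):
    """Render findings as one line each, suitable for a ticket or chat alert."""
    return "\n".join(f"[{f.severity.upper():6}] {f.asset}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print(report(diff_snapshots(BASELINE, CURRENT_SCAN)))
```

Feeding real scanner output into `diff_snapshots` means normalizing it into the same host/port/fingerprint shape first; the valuable part is not the diff itself but deciding, per finding, whether the change was an approved design change (then update the baseline) or something the team needs to investigate, which is exactly the question the article suggests asking vendors about.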

I review 12 different ASM tools and also provide some questions to ask your team and the vendors about their ASM offerings in this updated article for CSOonline.


Salesforce behaving badly with Zoomin acquisition

Last year, Salesforce acquired Zoomin, a company specializing in organizing unstructured data such as documentation and knowledge base repositories. As part of that acquisition, they announced that there would be no further product features (other than bug fixes) added to the Zoomin platform and that it would reach the end of its life in 2027. Eventually, they will replace Zoomin with a yet-to-be-announced new product to be added to their Service Cloud and Agentforce services. The key word in that last sentence is “eventually,” which is why I say they are behaving badly.

This move puts Zoomin customers in a quandary, because Salesforce has asked these customers to decide on renewing their contracts within the next month. One reader, an IT manager at a large tech firm who has been a Zoomin customer, wrote to me, saying “Salesforce wants us to move to a competitor because some genius in their finance department has put some arbitrary date out there that they need to quit providing support by. I’ve never seen something so nuts because it means we are on the hook for an additional 18 months of subscription costs for a product they aren’t improving.” My source was in the middle of an expansion of its Zoomin project, adding new documentation files and features that were part of their development plans. This was one of the reasons why they chose Zoomin to begin with. “We don’t want to keep enhancing a dead platform,” he said. Now they have to look to another vendor. “Killing Zoomin without having something to step in doesn’t make any sense to me.”

My source did get various briefings, roadmaps, and other information, which he shared with me. These plans were short on specifics, such as a “timeline” — the quotes indicate my own skepticism about their plans. Key missing elements are any solid migration plan, or any guarantee how the existing Zoomin data structures would be integrated into Service Cloud, or what the new subscription costs would be, or if there would be additional charges to migrate the Zoomin data. I find this both distressing and somewhat ironic, given that one of the attractions of Service Cloud is its ability to integrate across many different databases and platforms.

You can see one page of this briefing below:

As you can see from this page, there are lots of “upcoming” features called out. Both of us have been around the software devops block enough times to know that these are placeholders in any timeline, indicating features that might never happen, or won’t happen any time soon. One other notable curiosity is that this document never mentions Zoomin explicitly.

Salesforce is on a tear to produce an agentic AI-based self-service portal that can be used for all sorts of purposes, including a superset of what Zoomin was starting to do with its platform. You might agree with this direction, even if agentic portals might not be ready for prime time. But whether this is removing a competitor, total vaporware, wishful thinking or an actual service remains to be seen.

Red Cross: Mizzou makes running a large blood drive look easy

Red Cross phlebotomist Jenise McKee standing next to Jake McCarthy who is sitting in chair about to donate blood.

Setting up a mammoth blood drive is akin to building a 100-bed hospital emergency department from scratch and then taking it down a few days later. I got to see this in person with what is reported to be the largest student-run blood drive in the nation. Columbia is the city where you can find the University of Missouri, popularly called Mizzou, home to more than 30,000 students. For more than 40 years, the school has hosted blood drives in partnership with the American Red Cross. This year they broke their own record, collecting over 5,000 units of blood. You can read my post about the blood drive last month here on the chapter blog.

(Photo: Red Cross phlebotomist Jenise McKee readies Mizzou student donor Jake McCarthy for his Power Red blood donation.)

Book review: Wine Lord

Wine Load by D.B. Adams is a debut novel which offers an insider’s look at the way wine is made and marketed. The story takes place in Napa Valley, and if you are a wine drinker or if you are interested in that part of the country, this book might resonate with you. While the story is mostly well-written, it has its uneven spots that I will get to in a moment. If you consider yourself a wine aficionado or wine snob, you might find this book either humorous or frustrating. The story seems to be a realistic portrayal of the wine business world and describes a very believable conflict between the owners of the winery and their financial backers.

One notable exception is the stilted dialogue of a major character who is not a native English speaker. This doesn’t read well on the page. There is an impressive number of words that offer nothing to advance the narrative or add to the enjoyment of the book, and they detract from the story flow. I found myself skipping whole pages of this dialogue the further into the book I read.

Some people think they know more about wine than they actually do. What this novel succeeds at is showing that there are a lot more subtleties involved in making and enjoying wine than just swirling it in a glass. But there is also a lot more involved in making and enjoying a great work of fiction, and here this book disappoints.

What becomes a bottom feeder most?

I ask this question with serious intent and my focus is on vetting the best tech reviews websites. I have written around this problem in the past, but thanks to spending some time with my colleague Sam Whitmore, I have some new things to say. You can read the links to my past posts in the coda below.

With some modesty, I have some familiarity with this particular market, having written reviews for dozens of publications, both online and print, over the decades. When I began at PC Week (now sadly called eWeek) in the mid-1980s, we didn’t have the web, just the dead-trees version. About a third of our pages were devoted to reviewing technologies and analyzing trends. These articles were written by people who actually touched the products and understood how enterprise IT folks would use them.

PC Week (and many others at the time) had a terrific business model, which was to charge a lot of money for print advertising, on the promise that our pub would control its circulation among what we would now call influencers. The web was the first big challenge: once content was posted online, these controls and promises went out the window. So began the fall of the Holy Roman Tech Empire.

In the late 1990s, we got the first wave of bottom-feeder websites, such as those created by Newsfactor and others. Instead of paying experienced writers and analysts to produce articles, they were “pay to play” operations that took pieces submitted by vendors who were anxious to get their names into print, or electrons. You could easily spot these sites because they have three things in common:

  1. Most articles quote no sources, or if they do they don’t actually use quotations,
  2. Most articles have no external links to any supporting materials, and
  3. Most articles have either no byline or no dateline, and as such aren’t tied to a particular news moment or product introduction or something else that would indicate timeliness.

What bugs me the most about these sites is that they are filled with posts which promise an actual review of a product or category. However, they usually don’t deliver any insight or evidence that any author actually handled the product. It bugs me because these kinds of articles devalue my own expertise in product handling, and how I translated that into actionable insights for my readers.

Now these three things can happen in legit articles that professional writers create. But taken together they illustrate the pay-for-play milieu.

With the new millennium, we had a different tech publishing model best typified by TechTarget, now part of the Holy Informa Empire. These sites combined organic search with lead generation as their business model, and resulted in sites with domains such as searchsecurity.com and searchcloudcomputing.com. These were combined with print pubs in the beginning and eventually tied to conferences too. In its early years, I was proud to work for them because they emphasized high quality information.

With the advent of AI and LLMs, we now have a new era of tech publishing. Organic search has become a bottom-feeder operation, because queries are now asked and answered in natural language and stay within the confines of the chatbots. Since AI can spin up batches of words and pictures easily and programmatically, there is no need to go any further. This means people like me have become buggy whips. Or hood ornaments. Or something that you put on a shelf.

Let’s examine one website for further analysis. This is tied to a print publication, so my guess is that many of these pieces were paid for by specific vendors or else generated by AI tools. No datelines. Bylines are suspect: I wasn’t able to ID anyone that I could independently verify is an actual human, and the authors’ pictures seem anodyne. There is a page of conferences that has odd mistakes in it, such as shows held in “Detroit City” and “Seattle City” and broken links. Again, a human proofreader would catch these in about three seconds. Articles are copies of other sites in this vendor’s “network.” The most curious thing is if you try to cut and paste some of the content, you get a popup that prevents you from doing so, saying that the work is copyrighted.

It is clearly the work of AI. The same company that owns this site runs about a dozen other websites, many with the word “review” in their domain names. These sites have a boring sameness about them, with articles that don’t reflect any news moments or trends in current events. These are not reviews.

Welcome to the new bottom-feeders of tech.

Coda: references

CSOonline: 5 steps for deploying agentic AI red teaming

Building secure agentic systems requires more than just securing individual components; it demands a holistic approach where security is embedded within the architecture itself. For my latest article for CSO Online, I delve into the world of using agentic AI for red teaming exercises. It is very much a work in progress. Many vendors of defensive AI solutions are still in their infancy when it comes to protecting the entirety of a generative AI model and the attack space is enormous.