Thoughts about FinTech, Cybersecurity, software development & startups by Jörn Stampehl
I would like to come back to the topic of passwords, this time in a professional environment. Over the years I have worked for very different companies, and every time passwords and password sharing were a more or less serious problem. Usually a process was established that worked reasonably well, but almost always I could still access some services long after leaving the company. Unfortunately the topic is not easy to solve, but there are a few things you can keep in mind, especially in technology startups.
First, let us look at how things usually work in a young startup. In the beginning the developers quickly set up a whole series of services, most of them registered under their official email addresses. Sometimes the management itself creates the central services, and here in particular possibly even with private email addresses as accounts. Over time more and more services are added; some are no longer used, others have become extremely important for the company.
This becomes particularly interesting when an employee leaves the company. On the one hand, it can suddenly become difficult to access these services because nobody knows which email address they are registered to. On the other hand, there is of course always the danger that an unhappy employee will simply do mischief later on, and in case of doubt this cannot even be proven against him, since many others in the company use the same account.
As I said, it is not easy to prevent all of this. But you can do a lot to keep track of access and to protect against unauthorized access.
This sounds trivial, but it is rarely done consistently. Every startup should have a central document listing all external services, how to access them, who has access to them and where to find the password. If there is a problem with a service, you can then quickly look it up.
Of course, this only works if everyone in the company uses a provider that offers such accounts. The most common example is certainly the Google account. If GMail is used as the email provider, check whether other services can be used with it (e.g. Slack). If an employee leaves, deactivating his company Google account is then sufficient to block the other services for him as well.
An interesting side effect: if you build an administration area yourself, you can of course also connect it to OAuth and GMail. The employees then have to remember fewer passwords, and you can even build the rights assignment on top of it.
Unfortunately, many service providers do not support SSO. But at least they offer the possibility to create teams so that everyone gets a personal account. In case of doubt, such an account can then be quickly deactivated without affecting the others. Many cloud services offer this, for example AWS, Heroku and Docker. Depending on the service, you can then also set the rights granularly for each individual user.
However, many smaller services only provide a single login. If this is the only way, you should set up a mailing list and register the account with it. This way you can at least ensure that several people receive notifications, and you can reset the password in case of doubt.
For a single shared login, it is usually necessary to store the password somewhere and make it available to others. Obviously this should not be done on a freely accessible wiki page.
There are now a number of tools for exactly this. KeePass is certainly a very simple solution that can be established quickly. But if you want different user groups that are only allowed to see certain passwords, Vaultier would be worth considering. It is important that there is a person in charge who maintains the tool regularly. Then nobody has to, or can, pass on passwords via Slack or email.
If one of the loyal employees really does leave the company, there should be a process that defines which accounts to deactivate and how, and where passwords might have to be changed. If employees introduce a new service, they also have to update the process or inform the responsible person to do so. Changing passwords is the most time-consuming part of this process. However, it is unavoidable if you want to make sure that the former employee really has no way left to access company accounts.
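As an added example that is not from the original post, the following Python script derives such an offboarding checklist from a central service inventory of the kind described above. The inventory format, the service names and the people in it are constructed for this example; it distinguishes SSO-backed services, per-user team accounts and shared logins stored in a password vault, and it flags the inventory gaps (no vault entry, no responsible person, no known users) that make offboarding painful.

```python
"""Offboarding checklist derived from a central service inventory.

Added example, not code from the original post. The inventory format
below is an assumption made for this example; services and people are
constructed sample data.
"""
from dataclasses import dataclass, field

# Access models described in the post: SSO via the company Google account,
# per-user team accounts, or one shared login whose password sits in a vault.
SSO, PERSONAL, SHARED = "sso", "personal", "shared"


@dataclass
class Service:
    name: str
    access: str                       # one of SSO, PERSONAL, SHARED
    users: set = field(default_factory=set)
    login_email: str = ""             # address the account is registered to
    vault_entry: str = ""             # where the shared password is stored
    owner: str = ""                   # person responsible for this entry


# Constructed sample inventory (hypothetical companies, people and services).
INVENTORY = [
    Service("Slack", SSO, {"alice", "bob", "carol"}),
    Service("AWS", PERSONAL, {"alice", "bob"}),
    Service("Heroku", PERSONAL, {"bob"}),
    Service("DNS registrar", SHARED, {"alice", "bob"},
            login_email="ops-list@example.com", vault_entry="infra/registrar",
            owner="carol"),
    Service("Newsletter tool", SHARED, {"alice"},
            login_email="alice@example.com", vault_entry="", owner=""),
]


def offboarding_checklist(inventory, leaver):
    """Return the ordered list of actions needed to remove `leaver`.

    SSO-backed services need no per-service action beyond disabling the
    identity provider account; personal accounts are removed one by one;
    shared logins must have their password rotated in the vault. A shared
    login registered to the leaver's own mailbox is flagged, because the
    company would otherwise lose the ability to reset it.
    """
    actions = []
    sso_services = [s.name for s in inventory
                    if s.access == SSO and leaver in s.users]
    if sso_services:
        actions.append(f"Disable IdP (Google) account for {leaver}; "
                       f"covers: {', '.join(sorted(sso_services))}")
    for s in inventory:
        if leaver not in s.users:
            continue
        if s.access == PERSONAL:
            actions.append(f"Remove {leaver} from team on {s.name}")
        elif s.access == SHARED:
            if s.login_email.startswith(f"{leaver}@"):
                actions.append(f"WARNING: {s.name} is registered to {leaver}'s "
                               f"mailbox; move it to a mailing list first")
            where = s.vault_entry or "NO VAULT ENTRY - locate the password"
            remaining = ", ".join(sorted(s.users - {leaver}))
            actions.append(f"Rotate password of {s.name} ({where}) and notify "
                           f"remaining users: {remaining}")
    return actions


def inventory_gaps(inventory):
    """Return entries whose bookkeeping is incomplete or that nobody uses."""
    gaps = []
    for s in inventory:
        if s.access == SHARED and not s.vault_entry:
            gaps.append(f"{s.name}: shared password not stored in a vault")
        if s.access == SHARED and not s.owner:
            gaps.append(f"{s.name}: no responsible person assigned")
        if not s.users:
            gaps.append(f"{s.name}: no known users, candidate for cancellation")
    return gaps


if __name__ == "__main__":
    for line in offboarding_checklist(INVENTORY, "alice"):
        print(line)
    for line in inventory_gaps(INVENTORY):
        print("gap:", line)
```

The point of keeping the inventory in a structured form rather than a free-text wiki page is that the checklist and the gap report can be regenerated for every departure, and a newly added service that lacks a vault entry or an owner shows up immediately instead of on the day someone leaves.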
The older and bigger the company, the more services have accumulated in the meantime. Many of them are not free of charge, but the prices are rather negligible. Nevertheless, 20 or 30 dollars a month is a lot of money for a service you do not use. Therefore, the list of services should be evaluated regularly. This saves money and at the same time cleans up the offboarding process.
Of course, the optimum would be a tool that automatically takes over the tasks mentioned above. It would have the most common services integrated, and password administration would be done automatically, including changing passwords that the user never gets to see. Assignment to teams would also be part of it. Unfortunately I have not found such a service yet, but one should not give up hope.
Sitting is the new smoking. So they say, because sitting too much and not getting enough exercise is unhealthy, say the data. And nobody smokes any more today, almost nobody, except for a few incorrigible ones and those who now have these new-fangled vaporizers. And yes, the comparison is a little misleading, because you cannot always choose not to sit; after all, not every office offers standing desks.
However, it is said that data is the new gold. And the many services we use today without paying for them are not actually free: we pay with our data. In fact, we are not the customers but the product. The customers are the advertisers who use our data for advertising purposes, or other companies that do who knows what with our data. The funny thing is that somewhere subconsciously we are aware of that. And actually it does not really matter, because these services have been a great success and earn a lot of money with their business model.
This is not even about the data that we enter directly. At least as interesting is the metadata, i.e. the data that is collected almost incidentally and often in ways that are not comprehensible to us. That the new mobility service providers such as car sharing companies, bicycle rental companies and Uber create movement profiles seems clear to everyone, even if the purpose behind it is not obvious to everyone. But even that hardly upsets anyone.
Only sometimes do reports startle us. Like recently, for example, the “scandal” surrounding Cambridge Analytica. Or the study by the University of Nuremberg, which could create online profiles of strangers based only on the WhatsApp online status that is visible to everyone. Sure, you might say this is a nice game, but who cares? Health insurance companies, for example, that see you do not get enough sleep and then increase your premiums. Or the next employer, who wonders whether he should really hire the applicant if he is online all night and therefore perhaps not as efficient during the day.
This is where the dilemma begins for the individual: what is the consequence? Switch to a better messenger like Signal or Threema, where you are all alone because your circle of friends dismisses you as a “nerd” or a “tin foil hat”? Or refrain completely, with the result of being excluded from current communication? In addition, you would have to shut down the entire smartphone, because Android and iOS already send a lot of metadata to their creators by default. VPNs do not even help, because the data is collected on the device itself. And even with a “dumb phone” the mobile network provider gets enough connection and movement data to allow some interesting conclusions. So straight back into the cave, communicate by smoke signal and say goodbye to modern life with all its amenities? Probably not an alternative either.
Of course I have to be careful with my data and ask myself with every app: why does it need this permission? Does a flashlight app really need to access my location? But sometimes this is exactly what I want.
And so, for me sitting is not the new smoking, but the whole use of social media, messengers and internet stuff is. Although I know I am revealing a lot of data with it, I do it anyway because it is fun and has a benefit for me. Smokers must follow exactly the same logic (as a non-smoker it is difficult for me to understand): although I know that smoking is harmful to my health, I consciously choose it because I enjoy it and want the effect. The only difference is that I think smoking is easier to quit.
When networks became established in companies, there was soon a desire to connect to the internal network from outside, mainly to access its resources that way. For example, field staff wanted to access files stored on the internal file server. One possible way would of course have been to make the server itself accessible from outside. It is obvious, however, that this is not the optimal solution from a security point of view (not that this has not been done anyway, and probably still is). It is better to connect to the internal network from the outside and then become a part of it. VPNs (Virtual Private Networks) were introduced for this purpose. The employee logs on to an externally accessible server using a specific protocol and can then work as if he were directly connected to the local network. To ensure that this connection via the VPN is also secure against interception, it is encrypted. This protects company secrets.
Over time, VPNs have become more and more common. Universities, for example, use them so that students can connect to the university network. VPNs are also being used more and more frequently in the private sector. There it is no longer necessarily a matter of logging into another network, but of accessing the Internet from somewhere else and masking where you actually come from. There are three main reasons for this:
What a VPN cannot do is prevent tracking while browsing. If the advertising industry wants to track someone, this is usually done through cookies, and these are set and stored when using a VPN as well. If you want to prevent this, you have to use certain browser techniques like private browsing mode or special plugins. And even then, devices can still be reliably identified by fingerprinting. This technique uses various parameters (device manufacturer, device type, browser resolution, language, etc.) and enables more or less unambiguous identification.
Now the question is which VPN to use. The answer is much more difficult than expected, because on the one hand it depends on the specific use case, but on the other hand it does not depend first and foremost on features or speed. Instead, you should pay attention to the price. More specifically, to whether the VPN costs money at all, because the question a user should ask himself is how the VPN provider earns its money. The VPN infrastructure costs money, and since this usually still has to be earned, the provider needs a source of income. If the money does not come from the users, it is very likely that the users’ data is turned into money. This means that the provider logs everything the user does and later sells it to other companies. And because it has to store the data somewhere, even government agencies can access it, which makes such a VPN dangerous to use in certain countries. Therefore, a VPN should cost money and also have a “no-logging policy”. Only then should you consider criteria such as which countries are offered or additional features. Generally speaking, you cannot rely on the usual comparison portals, since they are only about which provider pays the portal the most (keyword: affiliate).
A note on the ethical side: VPNs can of course also be used to do illegal things. Be it Bittorrent, terrorism or anything else, with a VPN criminals can hide easily. But this applies to almost everything in this area, be it encrypted messaging, file encryption or other techniques that protect privacy. All of this can always be used for evil. I think it is not acceptable to ban these technologies for everyone because some abuse them. But this discussion is taking place on several levels.
The average German internet user has 15 different accounts. Some of them he created because he wanted to, others he was more or less forced to create. And every single one of them is normally protected by a password. Of course, the user is lazy and therefore uses the same password every time. At least since the major security breaches at Yahoo, LinkedIn and Tumblr you can see the consequences: the leaked email-password combinations were tried at other services on a large scale, and accounts could be compromised with an astonishingly high hit ratio.
Obviously, the question is how this can best be prevented. There are two basic conditions that do not make this easier. For one thing, more and more services insist that the users' passwords follow specific rules (special characters, numbers, minimum length, …). For another, the user should never use the same password at multiple services. Both conditions are very reasonable advice. But can you really expect the user to remember 20 different and very complex passwords?
You can of course write down all passwords on a sheet of paper. This might be good enough to get by, as long as you do not pin the paper directly on the computer. But you will have difficulties if you are out and about, especially if you are not using your own computer, like in an internet café.
A quite good addition to common password authentication is two-factor authentication. With this, another factor that is as independent as possible is introduced, for example an SMS with a one-off code that is sent to your mobile. This method is not completely secure, especially if you use the same mobile to enter the code that also received it, but it is sufficient for the scenario described above. The catch is that it is not implemented by smaller providers in particular. While Microsoft, Google or Facebook have integrated such mechanisms for their user base, Ebay for example has no such thing. At the same time, you do not have to use SMS, which causes costs on your end. The time-based one-time password algorithm (TOTP) causes no recurring costs, and for the most common programming languages there are corresponding libraries.
The users cannot be held responsible alone; again, the providers have to act. Besides security measures like 2FA, they have to make sure that the login procedure limits the number of attempts. Furthermore, it goes without saying that passwords stored in the system are hashed (from personal experience I know systems where the passwords are stored in plaintext or only weakly encrypted). And maybe the providers have to be forced to introduce 2FA (or similar measures). Forcing the user to use ever more complex passwords cannot be the right way in the long run. Security has to be convenient, and sometimes you have to make compromises to make it easy to use. Otherwise the users will look for workarounds that undo their security.
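The two provider-side measures named above, salted password hashing and a limit on login attempts, as an added example that is not from the original post. The PBKDF2 iteration count, the lockout policy and the sample user are assumptions made for this example; the hash also runs for unknown usernames so that response time does not reveal which accounts exist.

```python
"""Salted password hashing (PBKDF2-HMAC-SHA256) and a per-account limit on
failed logins. Added example, not code from the original post; ITERATIONS,
MAX_ATTEMPTS and LOCKOUT_SECONDS are assumed policy values.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000            # assumed cost parameter; raise as hardware allows
MAX_ATTEMPTS = 5                # assumed policy: failures before lockout
LOCKOUT_SECONDS = 15 * 60       # assumed policy: lockout duration


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Return a self-describing hash string: algorithm$iterations$salt$digest.
    A fresh random salt per password makes identical passwords hash differently."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hashed once at startup so lookups of unknown users cost the same as real ones.
DUMMY_HASH = hash_password("not-a-real-password")


class LoginGuard:
    """Track failed attempts per account and refuse logins during lockout.
    `clock` is injectable so the lockout window can be tested without waiting."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users          # username -> stored hash string
        self.failures = {}          # username -> timestamps of recent failures
        self.clock = clock

    def _recent_failures(self, user: str) -> list:
        cutoff = self.clock() - LOCKOUT_SECONDS
        recent = [t for t in self.failures.get(user, []) if t > cutoff]
        self.failures[user] = recent
        return recent

    def login(self, user: str, password: str) -> str:
        """Return "locked", "denied" or "ok"."""
        if len(self._recent_failures(user)) >= MAX_ATTEMPTS:
            return "locked"
        stored = self.users.get(user, DUMMY_HASH)
        # Always run the hash, then check the user exists, so timing is uniform.
        ok = check_password(stored, password) and user in self.users
        if not ok:
            self.failures.setdefault(user, []).append(self.clock())
            return "denied"
        self.failures.pop(user, None)
        return "ok"


if __name__ == "__main__":
    guard = LoginGuard({"alice": hash_password("correct horse battery staple")})
    print(guard.login("alice", "wrong"))                            # denied
    print(guard.login("alice", "correct horse battery staple"))     # ok
```

A per-account counter like this stops online guessing against one user; a large-scale credential-stuffing campaign of the kind described above spreads a few attempts over many accounts, so in practice it is combined with a per-source-address limit and, where available, a second factor.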
The German industry information service Heise.de has proclaimed the most popular programming language of 2016. The winner is: Java. While this was less surprising for long-time Java developers, younger developers in particular will be skeptical about this result. Programming languages have always been the subject of religious discussions (you can see that in the comments on the article). But it seems to me that recently these discussions have intensified significantly because of the popularity of new languages.
As mentioned before, in the last five years more and more programming languages have come onto the market that are not only used in a niche. Golang, Erlang, Elixir or Scala have built a steady fan base. And especially when more applications are transformed from a monolith into an architecture of autonomous services, every one of these services could theoretically be built in a different language. Mobile apps are still an exception, because there the languages (Java and Objective-C or Swift) are set by the platforms.
But what does that mean for the prospective developer: which language should he learn first? And which language should you consider for your startup or for the refactoring of a legacy application? There is no easy and universal answer to either question. It depends on the requirements and the goals you want to achieve. But there are some hints.
Besides that, knowing at least one of the more common languages will increase your chances of finding a job. Since there are still a lot of legacy projects in C, Java or Python (and new projects will use these anyway, see the next paragraph), you can start with those and maybe introduce a new language later on yourself.
And what about the startup? Here the choice of programming language can be a fundamental part of its success. It is not so much about the language itself but about the ecosystem around it. Normally two to three developers work in an average startup at the beginning. Every single one of them is very important for the company, and in case he leaves he has to be replaced as fast as possible. If you have introduced a very exotic language, it can be even harder to find a suitable successor. In the worst case a third-party agency has built the first version of the application and made the decision for a lesser-known language; later on, you have to pick that up on your own and find experts to take over the development work.
Additionally, you should take care that the number of programming languages in use is as low as possible. The possibility that your frontend developers could also work in the backend (and vice versa) can be very valuable, especially in a small team. If every backend service is developed in its own niche language, it will be much harder for new developers to catch up and get an overview.
Another thing you should keep in mind is the availability of connectors for databases, services and other tools. There is an implementation for nearly every programming language. But sometimes this is the side project of a single developer and was last updated seven months ago. It is a good idea to look for an active developer community; otherwise you might not get any support when updates or bugs come up.
In the future, too, discussions about the “right” programming language will be driven by ideologies and prejudices. But besides that, especially in small organizations you should be careful not to follow every trend just because the new programming language is so hip. It might be boring to choose the traditional language, but your risk will be lower. Particularly if a single developer demands to use the bright new and shiny XYZ-lang because it is so much better than the others, you should only consider doing so if you have thought about the day when these people will not be around anymore.
I just wrote a summary of the new bill regarding data retention and surveillance (a.k.a. Snoopers’ Charter) in Great Britain. It is one of the strictest in Europe. Once you delve deeper into the subject you will be glad to live in Germany (or not…).
Disclaimer: at the moment I am working at ZenMate, which is why the article is tailored to that. Of course I stand by these statements.
The post The new Investigatory Powers Bill in Great Britain first appeared on Jörn's space.