I’m sure it’s still a thing for students today, but one of the phrases that always caused a groan in any class that involved solving equations was, “Make sure you show your work.” Whether it was pre-Algebra or Advanced Calculus, the only way you could prove that you actually understood the topic well enough to solve the problem was for you to write out each step of the solution. We had graphing calculators when I was going through high school, but even if we were allowed to use them during tests, more often than not there was going to be at least one instance where the calculator was only there to confirm the answer we arrived at after lines and lines of chicken scratch and piles of eraser crumbs.
There’s a point to this nostalgic indulgence
If you are a business owner or part of the executive team, you will likely be familiar with the technology security questionnaires that accompany your organization insurance renewals. Up until perhaps 2023, checking “yes” boxes on the questions or tossing in vague answers were typically enough to get you through the approval or renewal process, and I’m fairly certain that the application reviewers were just as cross-eyed as you were when filling them out. I’m (not really) sorry to say this “relaxed” approach to evaluating your security standards are in the rear-view mirror for everyone, regardless of the industry you are in or the size of your organization. Insurance carriers are reading your responses and are not taking “N/A” or “No” as an answer when asking if you have various security safeguards in place. At best, you may be encouraged by your insurance agent to, “Reconsider some of your responses,” and at worst it may lead to an outright denial of coverage and a mad scramble to find another carrier for your insurance needs. The insurance industry is already taking a beating on natural disaster claims (something not likely to abate given the world’s general dismissal of climate change), so they are definitely not going to be generous with the next most popular claim: cyberattacks. Don’t given them any excuse to deny a cyber liability claim by just checking a box. Show your work by actually implementing the security standards they are asking about, and if you don’t know where to start, get a professional like C2 on the job as soon as possible.
As of now, Microsoft seems to be holding fast to its promise to end support for Windows 10 in October this year. Old tech heads like me are skeptical as to whether Microsoft will keep its word as the clock ticks down, as we still remember when these same promises were made about Windows 7, for which support and updates lingered for years after its scheduled demise. In case you were worried, the October deadline doesn’t mean that Windows 10 will suddenly stop working, but if Microsoft sticks to its guns, the nearly 10-year old operating system might get the boot much faster than the previous deadline-defying champion, Windows 7.
Hang on, what happened to Windows 8 (or 9)?
For those of you paying attention, you may have noticed that only certain of Microsoft’s operating systems seem to enjoy more staying power than other versions. Since the early ’90’s Microsoft has been infamous for releasing alternating generations of good and bad operating systems, and if you ask any IT professional around long enough to experience at least 2 waves of this, they are pretty much in agreement that the current pairing of Windows 10 and 11 matches the previous cadence of Windows 7 and 8, and Windows XP and Vista, eg. good, then bad, then good, etc. The pattern actually goes back even further but I think you get the point.
What’s changed this time around isn’t that Windows 11 is better than 10. Most folks who have gone through the transition already would probably agree that regardless of what may have been improved under the hood, the Windows 11 experience is not an upgrade over 10. What has changed is the pace of security updates. Windows 10, through most of its early years, was updated on a monthly basis, with a few patches sprinkled throughout, and many companies would hold updates back from being applied upwards of a full 3 months so as to not disrupt operations. Likewise, many software developers would match Microsoft’s slow cadence with their own reserved pace, oftentimes exhorting their customers to delay applying new Microsoft updates too quickly lest they break their own software (which they did, regardless of your pacing).
Today, that’s just not going to fly. The pervasive onslaught of cybercriminal activity has forced Microsoft (and everyone else, to be fair) into an absolute frantic pace of updates. On top of this, the insurance carriers providing what meager safety nets they can for the inevitable cyberattack are now requiring that everyone manage these risks at a rigor previously only applied to much bigger organizations (and budgets). And if Microsoft makes good on their promise to stop updating Windows 10 – let’s face it, they have no good reason to do otherwise – then we will all have very little say in the matter. Windows 11 is what’s for dinner, and a Windows 10 peanut butter sandwich is not an option.
There have been plenty of rumors about the upcoming retirement of the version of Outlook that most professionals use daily, and a lot of concern from those same professionals about the “new” Outlook, which is very different from “classic” Outlook. The terminology of “classic” versus “new” is actually the official terminology from Microsoft, and “new” Outlook debuted back in August 2024. Much like the famous soft drink who also tried this approach, “new” Outlook has had a frosty reception, and while none of my clients would classify themselves as “fans” of classic Outlook, they definitely prefer it over the new one.
How long do we have together?
Part of the confusion about the impending “death” of classic Outlook comes from the retirement of certain Windows apps that have been a part of of the operating system for over 30 years. Windows Mail first appeared in 1991 on multiple operating systems including Windows 1.0 Microsoft officially discontinued Mail, People and Calendars apps at the end of 2024, and Microsoft has stopped including the apps in Windows 11 as of version 24H2. While most professionals don’t use Windows Mail for their work email, it’s typically the app of choice for everyone’s personal free-mail accounts like Yahoo, Gmail, Hotmail, etc. especially since Outlook installations on home computers were non-existent and only became more commonplace thanks to the pandemic and WFH initiatives.
On top of this, Microsoft is no longer installing classic Outlook in Windows 11 as part of the pre-installed Office 365 suite, and getting the “classic” installer is not immediately obvious, even to the veteran Office 365 user. This may lead many folks to believe that classic’s demise is imminent, but according to Microsoft, they plan to continue supporting classic Outlook through 2029. Will they make it any easier to get that version installed on your new Windows 11 PC? Probably not, but at least we have a few more years with our “beloved” mail reader.
Next post we will look at why “new” Outlook isn’t as popular as Microsoft would have hoped.
When I last looked up, it was Thanksgiving. I blinked and Christmas is around the corner. For a lot of folks December is a time to slow down and bring the year to a gentle close, but for us, it’s typically a mad dash to the year-end to wrap up projects, spend the rest of the annual budget and somehow squeeze it in around everyone’s holiday schedule. In one of those fun, calendar-year serendipities, the next two scheduled newsletters actually fall on holidays, giving me a tidy excuse to skip writing blogs for the “rest of the year”. Which means this one needs to be a banger, right?
What I hope we don’t see next year (but probably will)
Chris is making a list and checking it twice: most will be naughty, but we can hope everyone plays nice.
- Technology hardware prices will likely go up by 20-40%. The incoming administration has promised tariffs will be levied against our biggest trading partners and primary source of electronics. I’m not just talking iPhones and televisions – almost all technology is based on manufacturing and assembly overseas. Regardless of what the politicians are saying, us folks in the cheap seats will be paying for those tariffs through increased retail pricing, impacted supplies (and scalping-driven pricing), and continuing degradation in manufacturing quality as suppliers squeeze profit out of an increasingly impoverished middle class.
- Hackers will up their game with AI. Phishers have long since graduated from the clumsily worded “business propositions” from African princes to carefully crafted emails mimicking your closest colleagues and friends. They now have easy access to AI-powered platforms that cost them virtually nothing to implement, and they are backed by big budgets, well-trained teams, and often nation-states with even higher stakes than draining your personal bank account. Banks have proven that they are struggling to keep up with just human-based attacks, and when those attackers gear up with AI, it’s going to be a bloodbath. And don’t get me started on how far behind government agencies are in this escalation.
- There will be a social media showdown. Several social media platforms are fighting for relevancy (and revenue) but clearly they still have a huge influence on politics, and all of them have made no bones about wielding that influence to gain and retain power. A certain upstart has gained some market share from folks fleeing the more toxic discourse on the established platforms, but we all know the internet breeds trolls and hate just as quickly as everything else, and trolls feed on the turmoil they cause. This new platform is a wide open “sky” for them unfortunately. We will see if the newcomer can survive the more bloodthirsty internet demographic.
- There will be more out-in-the-open, nation-based cyberwarfare. Politically-motivated but mostly low-profile cyberwarfare has been a thing for several decades now, but the war in Ukraine has given both sides ample testing grounds and tangible, publicized results that are definitely being added to every APT playbook while justifying creation, funding and resource prioritization for nations trying to catch up. Successful cyberwarfare attacks don’t rely on throwing armies into a meatgrinder to cause political or economic instability – just a handful of well-funded hackers can do considerable damage without shedding a drop of blood. Because of this, we will also see the impact spreading to the everyday citizen as opposition nations test their reach on aging utilities (like power grids and water supplies) who have always lagged in cybersecurity development.
My job is to watch for the worst, so it may come as no surprise that I always see danger around the corner. I also know that the world is full of compassionate and enlightened humans who are focused on making the world a better place, despite the fact that hate and fear seem to be gathering power. The mass media has always made the most money off leading with blood and conflict which makes us feel like that’s all there is, so perhaps “turn off” the internet for a little while. If there is one thing the holidays should remind you of, it’s to put the phone down and look around you to the friends and family that make holidays important and memorable. Change happens locally. If all of us focus on improving and changing the things we actually have influence on, I believe love and empathy will carry us through even the darkest times.
Image by kewl from Pixabay
Per a recent updated report from the FBI and CISA, the telecomm hacks that had been previous announced (and most likely missed amidst the election and holidays) are now being regarded as much worse than previously thought, and that there is no anticipated ETA as to when the hackers can be evicted from the various compromised infrastructures. As such, the FBI and CISA are recommending everyone avoid unencrypted communications methods on their mobile devices, which includes SMS messaging between Android and Apple phones, and carrier-based cellular voice calls (which have never been encrypted).
What this means for you
If you are like 95% of the world, you are probably thinking, “Well, if China wants to know about the grocery list I texted to my spouse, they are welcome to it,” or “I’ve got nothing to hide,” or even more naively, “I’ve got nothing worth stealing.” Most people do not consider just how much they communicate via unsecured text – banking two-factors, prescription verifications, medical complaints to doctors, passwords to coworkers, driver’s license pictures, credit card pins – the list is endless, and extremely valuable to threat teams like Salt Typhoon, the APT allegedly behind this huge compromise. The reason that this is a big deal is that we as a society (at least in America) have grown overly comfortable with this lack of privacy, and on top of that, the market has encouraged a fractured and flawed approach to communications between the various community silos we have created for ourselves online. What you might not know is that messaging from iPhone to iPhone, and Android to Android, are fully encrypted, as well as messages in WhatsApp, Facebook Messenger and Signal, but as you consider your circle of family and friends, how many of them are on the same platform and use the same messaging apps to communicate? How many of your two-factor codes arrive via SMS?
To address this latter issue, you should move any multi-factor codes to an app like Microsoft or Google Authenticator (if the platform even allows it – many banks do not yet support apps). This process will be painful and tedious, but probably most important in terms of improving your personal safety. The messaging problem is not so “easily” solved at least from a friends and family perspective, but for business communications, you should consider moving everything to a platform like Microsoft Teams, Google Workspace, Slack, etc. And stop sharing passwords via text. More information to come as we learn more about the severity of this telco hack.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Ever since they were hacked in 2023, genetics and ancestry website 23andMe has been more or less moribund, going from a high of $16 per share to $0.29 today and the resignation of their entire board of directors last month. When we last wrote about them in December of last year, the beleaguered DNA testing company had to revise their initial statement about only getting a “little” hacked (1.4M records) to admitting that they got majorly hacked (6.9M records). As you can imagine, this didn’t bode well for their marketability.
Why are we talking about them again?
It’s been nearly a year since the initial data breach, and judging by the lack of faith the recently departed board of directors had in the company’s founder, they aren’t likely to return to full potential any time soon, if ever. If you were one of the millions of people that sent them your DNA to analyze, you’ve probably already reaped whatever benefits (positive and negative) you will likely get from 23andMe, but they may not be done making money from your data. While they claim that much scientific good has been generated if you were one of the many who consented to allow your de-personalized data to be used by researchers, you may want to consider the consequences of letting a company who’s security practices led to their current downfall continue to have access to your data. Because you do have the option of asking them to delete your data. And seeing as you paid them for the privilege of providing your data, it seems rather mercenary for them to then take your data and continue to sell it without compensating you. Rather, they got hacked, exposed your confidential information, and then continued to (somewhat) operate. If you’d like to see some consequences, you can do your part by asking them to delete your data which can be done merely by logging into your account on their website and submitting that request. Do it. If a majority of their customers were to do this, perhaps it will send a warning to competitors to do a better job with your precious data, and a message to our government about doing a better job protecting our privacy.
Image courtesy of geralt at Pixabay
California is one of 7 states participating in a pilot program that allows drivers to store their license on their phone in their Apple or Google wallet. California’s rollout is part of a larger project called “Digital ID Framework” which lays the groundwork for a much broader implementation of identification that is intended to supplement and eventually replace physical ID’s like Passports, government badges, and Driver’s Licenses. Their vision is to link the various State-certified credentials, government programs with day-to-day practicalities like checking in at an airport, purchasing groceries through EBT, or proving to local agencies that you are a licensed cosmetologist. But don’t throw your Driver’s License in a drawer just yet.
What this means for you
First off, California’s pilot program is limited to 1.5 million participants at the moment, and obviously you will need to have an Android or late model Apple smartphone with a functioning digital wallet. Additionally, using Apple or Google’s wallet mobile Driver’s License only grants you the ability to use it to verify your ID at airports, so unless you are a frequent traveler, adding your license to your digital wallet is really more of a novelty at this point. The DMV also has a wallet app that adds a little more functionality: in addition to using it at Airports, the DMV wallet app allows you to verify your age at a select few stores in San Francisco and Los Angeles, and the reader function of the app allows you to verify identification of other DMV wallet users. Not exactly the bold new world you might have originally envisioned.
More importantly, your California mobile Driver’s License cannot currently be used for things like traffic stops or other law enforcement verifications. Some states like Louisiana and Colorado have begun adoption at this level, and as I mentioned above, California intends to expand capabilities of their Digital ID Framework to eventually make your phone a valid ID for this exact purpose. Until this comes to pass, and even when it does arrive, privacy advocates are recommending that you never voluntarily surrender your phone to law enforcement for any reason without a proper search warrant and legal representation. Even the Supreme Court has ruled in this matter. Even if you’ve done nothing wrong and are confident that there is nothing incriminating on your phone, it does not mean the person requesting your phone won’t abuse your privacy or their authority. For now, even if it seems like a very convenient feature, keep your phones in your pocket and your Driver’s License handy.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
After a lovely Labor Day weekend spent grilling, eating and celebrating with friends, I received an email early Tuesday morning from a worried client who was sent a very upsetting email over the weekend. It greeted them by name and opened with a single sentence, “I know that visiting [client’s address] would be a more convenient way to reach if you don’t cooperate,” and followed with another partial sentence, “Beautiful neighborhood btw,” and included a picture of my client’s home and then a PDF attachment that supposedly included further instructions. Despite missing a word, this email was threatening and clearly menacing. It was also fake.
What this means for you
At first glance, my gut reaction was to tell my client to report this email to the local authorities and maybe look into getting out of town for a few days. As written this was a very thinly veiled threat – if someone were to receive this email in a movie or TV show, it would most certainly be a prelude to some good ole-fashioned Hollywood violence and terror. On a hunch, I opened up Google Maps Street View and punched in my client’s address. A quick flick of my wrist on the camera angle revealed the exact picture used in the email, cropped to remove the various overlays that would have otherwise significantly detracted from the implied threat. Clearly the sender (most likely just another bot powered script) was trying to pull a fast one by getting the recipient to open the PDF, which would most likely lead to a phishing prompt. “It’s fake,” I typed in a quick email to the client, and then went about my day, where, within the hour, I encountered the same type of email received by another colleague over the same weekend. The scammers have a new toy, and I’m betting it’s a money-maker for them.
Here’s my thinking on this: regardless of the contents of the email, or who it’s from, you should NEVER open an unexpected attachment (or link) unless you can confirm the contents in some other way than opening the actual attachment. It is beyond common for email accounts to get compromised and the first thing hackers do when they bag an email account is to immediately spread to that account’s contacts within minutes of gaining access. Their success counts on rapid, undetected spread and rely on the built-in trust that emails sent by a known contact inherit. Even the best email filters available are always playing catchup to the latest scam techniques like the fake extortion email from above, so there will always be ill-intentioned emails that will get through despite your mailbox being protected by “enterprise-grade” security. As always, anything built and maintained by humans will be fallible, and as the threats on the internet get increasingly dangerous, even fake extortion phishing emails can end up doing real damage. Stay vigilant and always ask for a second opinion on things like this. While it can be exhausting sometimes to be on the receiving end of the countless questions people have, every time I keep someone safe for even one more day makes it all worth it.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
I’ve been doing technology support long enough to tell you that many of the problems that people experience with computers are self-inflicted. I even have clients who truly believe they have a little black cloud hanging over them every time they sit down in front of a computer, and having witnessed their track records first-hand, I make sure to keep my tech poncho handy. It’s hard to deny empirical data that clearly indicates some folks might be better keeping their distance from expensive or important technology. Today, however, some of my tech-kryptonite clients can hold their heads high because…guess what?! In the case of a large number of computers built with Intel CPU’s the technology problems plaguing those PCs might have been the hardware and not them!
“I’ll need an old priest and a young priest.“
Unfortunately for Intel, exorcising this particular demon won’t be nearly so simple (or cinematic). The tech manufacturer most widely known for making CPUs used in just about every desktop computer, laptop and server on this planet has recently admitted that they created, manufactured and sold two entire generations of CPUs with a flaw that basically causes them to commit electrical seppuku by requesting more voltage than they can safely handle. Intel’s Raptor Lake 13th and 14th generation CPUs have been installed in PCs since late 2022 all the way through today, and no one’s quite sure how many PC’s might be affected because it’s very difficult to determine if your repeated crashing is from a fried CPU or you are just one of my “stormy” tech friends.
After strongly denying this for several weeks, Intel finally came clean and admitted to the manufacturing defect, and after some prodding from the industry, also committed to extending warranties on retail CPU’s (ie. sold in boxes for installation into computers by system integrators, hobbyists and MSP’s like yours truly) by 2 more years. And after a little more prodding from their biggest customers, extended that same 2-year grace to OEM computers as well – these would be the ones you buy from Dell, Lenovo, HP, etc. Additionally, Intel is prepping a firmware update for mid-August that will supposedly rectify this nasty bug, but sadly, the fix won’t do anything for CPUs that have already lobotomized themselves. For that, you’ll need to seek a warranty replacement. As someone who has gone through that particular process more times than should be allowed by the Geneva Conventions, make sure you get your “waiting boots” on and keep your favorite stress toy handy. The next few months are going to be a hoot. And by “hoot” I mean nothing at all resembling such a thing. Thanks, Intel.