I’ve mentioned it before but it bears repeating – the chip shortage will not wrap up anytime soon, with all the major players like Nvidia, Intel and Toshiba predicting shortages lasting well into 2022, if not into 2023. Seeing as semiconductors are in everything from autos to Zambonis and everything in between, the production and delivery of goods has slowed, if not halted, in most major industries. Couple this with the major supply chain issues we are also facing world-wide and it’s a safe bet that your holiday shopping (or end-of-year budget spend-down) may be pinched by a Grinch that won’t be stopped by seasonal vibes.
What this means for you
All the more reason to get out there on Black Friday or Cyber Monday to do some shopping now, right? Don’t think it Scrooge-ish of me if I offer some words of caution when you brave the crowds (or virtual queues) in search of technology deals. I’m certain there will be good deals to be found on both fated days. Retailers are up against shortages, inflation and the pandemic – they will likely not pull any punches to wash the red out of their ledgers this year, but it’s not like the chip shortage or the pandemic is something new. The most sought-after holiday gifts are typically technology items, and things like the latest generation of video consoles have been notoriously hard to find since their launch, especially since the internet and online shopping have made scalping an extremely profitable side hustle. Retailers are barely able to keep stock on hand for the high-demand items, and even the less-popular stuff is selling because there is literally nothing else to buy. This goes for work technology items as well. Our wholesale sources are getting down into single-digit availability on the core workplace desktops, laptops and printers, and they are even selling out of the models we normally avoid recommending because of sub-par performance or quality issues.
This brings me to my warning: Beware of buying something – whether for entertainment or work – just because it’s available and “on sale”, especially if you haven’t done the research on it. We are in the scarcest technology market I’ve seen in my professional lifetime, but I don’t think we are at the point of choosing “any port in a storm” just yet. Do you really need a slightly bigger flat screen or slightly faster smartphone, or could you scrape a few more months out of a working device that is in your hands right now? If you need additional equipment because you are expanding or hiring, buying something on discount that you might not have normally purchased may not be an optimal use of your resources. Definitely get into the spirit of the holidays, but don’t let Black Friday FOMO impair your judgement! We’ve found that retailers know people are in a buying mood, so the deals aren’t necessarily any better than what you might find throughout the year, and given that we know the good stuff is already in short supply, the deals might be more glitter than gold.
Image by Tumisu from Pixabay
In the years leading up to the Internet’s domination of the world, we used to make fun of organizations and industries that seemed to be dragging their feet on modernizing – the Navy’s old DOS-based, air-gapped systems seemed so antiquated (even with the movie Wargames sounding very prescient, if simplistic, alarms), or local mom-and-pops using mechanical registers, or hospitals and their clipboard paper charts. Now that everything has a network connection and is sending and receiving data via the internet, it would seem the Monkey’s Paw curled up all fingers except one, and that one is flipping us “the bird.” This latest facepalm comes in the form of devices built by, or containing components built by, Siemens that use an operating system known as Nucleus, an OS written for devices used in industries that require stringent safety and security controls, such as medical, automotive and aviation controls. Clearly this would mean the OS must be safer than the usual swiss cheese we see from OSes like Windows, right? Researchers have found 13 vulnerabilities in the network stack of Nucleus, an OS that is used in an estimated 3 billion devices.
What this means for you
I won’t go into the gory details of the vulnerabilities as that would only be entertaining for security geeks and I know they aren’t reading my blogs for that sort of fun. Suffice it to say, so far as the researchers know, these vulnerabilities haven’t been exploited in the wild yet and Siemens has supposedly addressed these holes with updates. So why am I spending precious minutes telling you about something that (a) you have no direct control over and (b) might already be taken care of? Precisely because of those things. It’s convenient and comfortable for us to go about our daily lives while ignoring just how much of our surroundings are managed, monitored and controlled by devices that we have zero understanding of, let alone which master they report to.
We can be sure of two things in this current crazy timeline: if a device can gather and report data, it will do so because data = profit, and if the device was built, programmed or configured by a human, you can be certain that it is less than perfect. Most of the time, we can deal with something that is less than perfect. In fact we are surrounded by imperfections that are suitable, usable and safe. Most of us understand that perfection is an ideal to strive for and not objectively obtainable. Unfortunately for internet security, small imperfections, even when rare or obscure, can lead to massive problems. At the moment, as with the parallel analogy of the ratio of air disasters to safe flights, it feels like security breaches and vulnerabilities are everywhere, when in fact they only make up a very small percentage of the vast number of digital transactions that occur every single second. Unfortunately, like plane crashes, though their occurrences may be statistically rare (for the moment), they can be catastrophic when they happen. Engineers strive to reduce the chances that a plane will crash or that an operating system will be vulnerable to attack, but in the end, they are subject to human error. No technology is infallible.
It would be paralyzing to try to anticipate everything that could go wrong – this is the textbook definition of anxiety. However, I think it’s useful to carefully moderate your expectations when it comes to relying on technology to protect you or care for you perfectly. Don’t take your technology and security for granted, and you will be less surprised and better prepared for when it shows its human side.
Image by Bruno /Germany from Pixabay
Before you go checking the temperature down in Hell or watching the skies for flying pigs, you should take this small bit of good news with a healthy dose of skepticism. Facebook is facing a veritable crap-storm of scrutiny on multiple fronts, and while they have enough money and backing from shareholders to thumb their noses at just about everyone, at a certain point it just makes good marketing sense to throw the public a bone to demonstrate that they aren’t all bad. In this case, Facebook has decided its facial recognition features make a good sacrificial offering, and will be eliminating this feature from its social media platforms. They didn’t say exactly when this was happening, but as long as they go through with it, it will be a welcome change.
What this means for you
I bet you didn’t realize that Facebook’s facial recognition features have been around for over 10 years, but if you’ve used the platform at all, you’ve come across it numerous times, perhaps unwillingly. While Facebook has (supposedly) never used or offered its facial recognition software outside of its platforms, scrapping it is good optics, as the technology itself has also been coming under increased fire from privacy and rights watchdogs. While Hollywood would have you believe otherwise, the use of facial recognition by law enforcement has faced heavy criticism and has been used by less democratic governments to suppress minorities, protestors and dissidents.
Don’t let this gesture distract from Facebook’s other problems. The allegations leveled by the Facebook whistleblower are serious enough that Facebook is now facing Congressional scrutiny, as well as significant criticism from other countries. Changing their name is another thinly veiled attempt to deflect and divide the withering amount of fire they are receiving. If you value the platform at all, it’s important to make sure your voice is heard by your local representatives and senators so that it can be held answerable for the vast amount of disinformation and division it has wrought on the world in the name of profit. There is zero chance they will do anything to amend their ways if we all give them a pass. Unlike coaching an individual by praising progress and providing constructive criticism, the only message Facebook seems to understand is congressional scrutiny and potential damage to their bottom line.
I tried to think up an appropriate bon mot about a platform like Craigslist getting hacked based upon how old and basic the platform is in comparison to “modern” services, but frankly, their easy-to-use and barebones approach strikes me as a rare unicorn in a world full of apps that (try to) do everything, or ones that do one thing in an overly complicated/cutesy/outlandish fashion to stand out in the crowded field. If anything, you may take my soft spot for Craigslist as an oblique self-burn on my age and get-off-my-lawn attitude about modern apps, but given the amount of troubleshooting I do on its contemporaries, barebones and utilitarian gets it done without a whole lot of fanfare and confusion. Sadly, like all things internet, this has a double edge: hackers have taken advantage of one of Craigslist’s signature features – anonymous emails – to trick users into installing malware.
What this means for you
If you use Craigslist to offer something up – goods, services, your heart, etc. – you will want to pay attention. Craigslist uses a form of anonymized emails that allow users to keep their identity confidential until they decide they want to interact with someone answering their ad. Unfortunately, this also means an email arriving from an anonymized Craigslist email address claiming to be an official warning about an “inappropriate” ad is probably going to be taken seriously, and links contained in said email will likely be clicked, leading to a malware infection instead of an actual, legitimate Craigslist URL.
Attackers are using the camouflage provided by a trusted, familiar environment that they 100% know their target is engaged with, combined with malware delivery through OneDrive to give them additional cover against the usual malware detection provided by mail services that can smell bad URLs. Even with good malware protection installed on your computer, clicking and opening a document and then following the familiar process to allow editing of the document – something that occurs every time you open an Office document delivered via email or the internet (OneDrive, Dropbox, Google Drive, etc.) – will bypass the usual protections and deliver a malware payload, essentially because you allowed it.
This is what you are up against. This is what we all are up against. There is no good protection against this type of chicanery other than being savvy and vigilant, having up to date malware protection installed, backing up your data, and using unique passwords and two-factor authentication wherever possible. There is rarely an instance where the holy trinity of malware protection, backups and strong authentication practices is not warranted. Don’t make excuses – these three things will be your safety net when your vigilance wavers. We are all human and we can and will be tricked. That is one thing I can guarantee.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Don’t let down your guard yet, but it would seem that hackers are focusing their efforts on targets with deeper pockets than you or I. Sinclair Broadcasting is the latest infrastructure victim to have their operations significantly disrupted by a ransomware attack that took dozens of television stations completely offline for hours in various markets across the country. As one of the largest media companies in the US, Sinclair owns and operates nearly 300 stations in the US, and according to unverified reports from inside sources at Sinclair, many of the stations are connected via a common Active Directory structure that allowed attackers to jump from station to station, encrypting servers and paralyzing the affected stations’ ability to broadcast any of their regularly scheduled programming.
What this means for you
Sinclair doesn’t own any stations local to Southern California as far as I can tell, so most of us probably went about our weekend blissfully unaware that a ransomware attack locked down an undisclosed number of stations. Though they have not yet released specifics, it’s possible they are the latest victims to run afoul of a new RaaS (Ransomware as a Service) called BlackMatter which, perhaps not coincidentally, has also shown up in a new advisory from CISA, the FBI and the NSA that warns of threat actors using the new platform to target critical infrastructure, including two recent attacks on agricultural targets in the US. While these attacks may not impact you or me directly, infrastructure attacks are definitely worthy of our attention as they can and will cause widespread disruption to activities and services we take for granted, and in some cases, like hospitals or law enforcement agencies, could actually be life-threatening. And here’s something you may not have considered – each of these attacks most likely started with an individual getting tricked into giving up a password that gives the hackers a toehold, and that is all they need. Unfortunately, in this increasingly complicated technology landscape it is becoming ever more difficult to keep passwords safe, mainly because we are always being asked for them. How many times a day are you confronted with a password request that makes you question its legitimacy? It’s a challenge to keep up with technology on a good day, but when the hackers have you on guard 24/7, you really can’t afford to not pay close attention.
Unfortunately, there isn’t any silver bullet or magical tip I can provide to help you here. It’s most important to know where and when a service might ask for a password, and how to recognize legitimate requests based upon having more than just a passing familiarity with applications and services that require passwords that protect sensitive data or privileged access. If anything, err on the side of not entering a password if you aren’t 100% certain. Additional protection will come from using multi-factor wherever it is made available to you, and of course, using unique, hard to guess passwords for all your important services.
Even those living under the proverbial rock knew about the massive Facebook outage last week. For almost 6 hours last Monday, the entire world(!) was without their daily drip of Facebook, Instagram and WhatsApp which, for a large portion of the online world, is the entirety of social media that matters. And the week before that, we lived through several multi-day VOIP phone outages as two other foundational internet platforms, VOIP.ms and Bandwidth.com, fought off ransomware attacks that crippled their services (and all of their customers’ services) for the better part of a week.
Why does the internet keep breaking?
This may come as a surprise to you, but if you think about it (or you’ve been working with computers as long as I have), you will realize that technology is only as reliable as the people making it and, of course, using it. I will allow (and can provide plenty of anecdotes demonstrating) that there is a plethora of examples of technology from days past that are light-years ahead of their modern counterparts – I have a woodworking router that is likely older than I am, and it’s still a capable tool. So why do things made today seem to break more frequently? Some of it is likely nostalgic bias, but there are two other key factors that also tip the scales towards an increasingly fragile technology future: mass production and commodification of technology, and the internet.
While it’s most certainly to the benefit of everyone that computers and smartphones have become largely affordable, it’s definitely come at a cost in quality and durability, and there is a fairly wide consensus that manufacturers are building obsolescence into their products and designs to enforce a vicious cycle of upgrades that guarantee a profit. Our consumption of technology devices is further reinforced by the internet-connected world, where the transmission of information is at once solace, comfort, education and power, and the lack of it has become a deadly disadvantage for all but a very small portion of the world’s population. And, of course, that connection to the internet is also a double-edged blade that undermines security and sustainability as inexorably as water will work its way into any place it should not be.
If you look carefully (and perhaps don’t if you want to sleep tonight) you will see that almost every aspect of our modern life now relies on devices that themselves rely on a near-constant connection to something else (usually the internet) in order to function. And here’s a dirty little secret any technology veteran will gleefully share with you: the internet is built on some very old technology that has become nigh impossible to replace, and yes, it’s still easy to make a mistake that will take the world’s largest social media platform offline for hours. Imagine being tasked with repairing (or replacing!) a bridge that is heavily used. Shutting it down is not an option. So you have to try to do the work while people are driving over it. Failure is not an option, and yet, here we are: human to a fault – pun very much intended.
Image by Spencer Wing from Pixabay
Another week and more bad news. Most of the world’s technology relies on several key chip manufacturers that are located in Asia, and in case you hadn’t heard, they were rocked by the Pandemic fairly early on in 2020. This has created a massive shortfall in semiconductor production which, when coupled with the spike in demand for technology to move a large chunk of the world’s workforce and students home, has manifested as a serious supply-chain choke-point that is resulting in empty shelves and shipping delays for just about anything with a computer chip in it.
What this means for you
Depending on what you are shopping for, you might be thinking, “What shortage? I can walk into my neighborhood big box and buy a computer right now!” Absolutely this is true, but even those supplies are dwindling. For anyone looking to purchase what we call “business-class” or “enterprise-grade” equipment, we are seeing backorders of three to four weeks, and certain models are out of stock through the end of the year as wholesalers and manufacturers sell out of their standing, domestic stock. Computers aren’t the only thing impacted: this shortage is affecting everything from videogame consoles to new cars to medical equipment to smartphones.
Industry analysts are predicting this supply-chain shortage will last well into 2022, and it will likely make the upcoming holidays a little challenging if you were planning to make up for last year’s sober shortages in the usually red-hot electronics and videogame markets. Scalpers are still showing no mercy, and the chip shortages won’t be helping us battle their profiteering. Long story short – make sure to budget for a multi-week delay in shipping if you need new technology. Take good care of your existing equipment, as it may be hard to replace or repair for the next 6-8 months, minimum.
Image by Dan Williams from Pixabay
We’ll keep it short and sweet this week. Earlier this year, an advanced form of spyware was discovered on a small group of Middle-Eastern journalists’ iPhones that was eventually traced back to a developer in Israel called NSO Group. Purportedly designed for law enforcement agencies to combat terrorism, the spyware known as Pegasus appears to have been utilized by one or more government agencies to spy on a select group of iPhone users. At the time, it was unclear how the exploit was being deployed, so no defense or patch could be provided to stop Pegasus from being installed. After months of research, Canadian internet watchdog group Citizen Lab uncovered the flaw and announced it this week in the news, timed in concert with a security update from Apple that should be applied immediately to all iOS and macOS devices.
What this means for you
If you have a late model iPhone, Mac computer, Apple Watch or iPad, check the settings immediately for any available updates and apply them as soon as you can get to a solid internet connection and have your device connected to a power source. The iOS version you are looking for is 14.8, and on MacBooks and iMacs it will be macOS 11.6.
- Update your iPhone, iPad, or iPod touch – Apple Support
- Update your Apple Watch – Apple Support
- Update macOS on Mac – Apple Support
As of this writing, the actual number of people who have been impacted by this flaw and Pegasus is very small, but now that the actual flaw has been revealed, there is a possibility that others besides the NSO Group will attempt to take advantage of the window that is typically open while people get patched, which can be days or even weeks. While Pegasus is designed for spying, there will surely be other malware types released to attempt to exploit this flaw that may be more straightforward in doing harm. Don’t be one of the ones caught sleeping on this update. Get patched now!
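For anyone responsible for more than one device, “check the settings” scales badly, so here is a small added script (not from the original post, and not an Apple tool) that compares installed versions against the two minimums the post names, 14.8 for iOS and 11.6 for macOS. The one thing worth learning from it is that version strings must be compared component by component as numbers: compared as plain text, a hypothetical “11.10” sorts before “11.6” and a patched machine gets reported as vulnerable. The inventory format (device name, OS, version) is an assumption standing in for whatever your MDM console exports; the sample rows are constructed.

```python
"""Report which Apple devices are still below the fixed OS version.

Added example, not code from the post or from Apple. Minimum versions are the
ones the post names for the September 2021 update.
"""
import platform

PATCHED_VERSIONS = {"iOS": (14, 8), "macOS": (11, 6)}


def parse_version(text):
    """Turn '11.6' or '14.8.1' into a tuple of ints so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(os_name, installed):
    """True if the installed version is at or above the fixed version for os_name."""
    required = PATCHED_VERSIONS[os_name]
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so (11, 6) compares equal to (11, 6, 0).
    width = max(len(required), len(have))
    have = have + (0,) * (width - len(have))
    required = required + (0,) * (width - len(required))
    return have >= required


def needs_update(inventory):
    """Names of devices still below the fixed version.

    inventory: list of (device_name, os_name, installed_version) tuples; this
    shape is an assumption standing in for an MDM export.
    """
    return [name for name, os_name, version in inventory
            if not is_patched(os_name, version)]


def local_macos_version():
    """Version of the Mac this runs on, or '' on any other platform."""
    return platform.mac_ver()[0]


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = [
        ("front-desk-imac", "macOS", "11.6"),
        ("ceo-macbook", "macOS", "11.5.2"),
        ("sales-iphone", "iOS", "14.8"),
        ("warehouse-ipad", "iOS", "14.7.1"),
    ]
    print("Still need the update:", needs_update(sample))
    if local_macos_version():
        print("This Mac runs", local_macos_version(),
              "- patched:", is_patched("macOS", local_macos_version()))
```

Run it on a Mac and the last two lines also report the machine it is running on; elsewhere it only evaluates the inventory you hand it.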
Warning: this article will melt your brain. Consume in small portions and rest frequently. Or skip to the end for the simple advice.
In the not so distant past of technology, the account name you used to access your service or software was usually a single word. Sometimes it was your name, or some variation of first initial and last name, or it was something you got to choose like “soccermom72” or “sunnysdad” or “bruins4ever” etc. As online services grew in popularity and the number of people needing accounts exploded, most service providers realized they no longer needed you to pick a name (and suffer through finding one that wasn’t already taken) as you were already providing them with a unique identifier, so they got rid of all the “catmom2013” IDs in favor of using your email address. From a technical perspective, this makes perfect sense, but for many users, this can lead to confusion and frustration if you aren’t keeping careful track of your passwords, or worse, using the same password for everything.
When an email address is more than just an email address
Microsoft, Apple and Google are the primary causes of email-as-account-name confusion, especially if you’ve created an account with those services using an email address that has nothing to do with any of those providers. For example, when setting up a new Windows computer, one of the first things it does is ask if you have a Microsoft account, and if you don’t (or think you don’t) it asks you to put in your email address and it will create one for you. So you put in the email address that you’ve had for years (something-at-aol-dot-com?) and the setup process has you create a password for this new account. Many people misread this prompt as “enter your current email password,” and don’t realize Windows is actually asking you to create a new password for your new Microsoft account. But typing in your email password (Twice? Why is it asking me to enter it twice?) works, because as far as Microsoft is concerned, your current email password will also work as your new Microsoft password. Do you see where this is going?
So now you’ve got a new Microsoft account that uses your email address and password as the login. “Convenient,” you think. “One less password to remember.” Until you need to change your email password because maybe it got hacked, or your IT consultant warned you to stop using it. Whatever, you’ve changed your email password. Then you go to log into your Windows computer, which is using that same password, right? Wait. Why isn’t this new password working? I just changed it and I know I wrote it down correctly! OK, I’ll try the old one. Why is that working? But the old password doesn’t work for my email now? WHAT IS HAPPENING?!?!
For most folks that don’t daily marinate their brains in technology, it’s a common mistake to think that using your email address for an account name confers global login capabilities to your services with your email address and password. It does if you use the same password and never change it, but the moment any of the services insist on a password change, confusion is imminent. And here’s something that will really bake your noodle: if you set it up right, your email credentials can actually do this with a lot of services and keep in sync with password changes! But it has to be a certain type of email address (Microsoft, Google or Apple powered) and the services all have to have that capability (usually labeled as “login with your XXXX account”). This was a very popular authentication method in the early 20-teens, but once major password leaks started occurring, more services were shying away from “single sign-on” as folks were having their entire online lives stolen with a single password. In reality, most people will have a mixture of single sign-on services and regular logins, all using their email address as the login name. And if they don’t make a point of recording passwords used with particular services (especially if those services don’t ask for passwords often), human memory will just mash all of it together under “email address and this password.” Even writing it down is confusing sometimes, especially if you look back later at your notes and see the following, “Microsoft account uses Gmail address and this password,” or “Google account uses my AOL email address as login.” Wait, my email doesn’t come from Google, it comes from AOL, doesn’t it?!?
What’s the solution to this madness? Password trackers and unique passwords, and understanding that just because an account is using your email address as a login, it doesn’t necessarily mean that it’s using the same password. In fact, if you are “doing it right”, nothing should have the same password unless you are using a collection of services that are designed specifically to authenticate against email services that provide single sign-on capabilities. Still confused? You are in good company. Just take good notes, track your passwords, and make sure you have C2 on speed dial when things get weird.
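To make the difference concrete, here is an added example in Python (not C2’s code, and not how Microsoft, Google or Apple implement anything) that models the two situations the section describes: a service that keeps its own copy of a password under your email address, and a “log in with your X account” service that keeps no password and defers to the email provider. It replays the post’s scenario: the same password is typed into the Microsoft account during Windows setup, the email password is later changed, and each login is tried again. The address and passwords are constructed; real single sign-on uses OAuth/OpenID Connect redirects rather than the direct call shown here, and the delegation is a stand-in for that flow.

```python
"""Two ways a service can use your e-mail address as the account name.

Added example, not code from the post or from any vendor. Two simplified
service models:
  PasswordStore  - the service stores its own password for the address
                   (the Microsoft account created during Windows setup).
  FederatedLogin - "log in with your X account": no local password, the
                   e-mail provider vouches for you (stand-in for OAuth/OIDC).
"""
import hashlib
import hmac
import os


class PasswordStore:
    """A service holding its own salted PBKDF2 hash per e-mail address."""

    def __init__(self, name):
        self.name = name
        self._records = {}  # email -> (salt, hash)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def set_password(self, email, password):
        salt = os.urandom(16)
        self._records[email] = (salt, self._digest(salt, password))

    def verify(self, email, password):
        record = self._records.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(salt, password))


class FederatedLogin:
    """A service that delegates the password check to an identity provider."""

    def __init__(self, name, provider):
        self.name = name
        self.provider = provider  # the e-mail provider acting as the IdP

    def verify(self, email, password):
        # No local password: whatever the provider accepts right now is accepted.
        return self.provider.verify(email, password)


def where_password_works(services, email, password):
    """Names of services still accepting this e-mail/password pair (reuse check)."""
    return [svc.name for svc in services if svc.verify(email, password)]


def walkthrough():
    """Replay the post's scenario; return what each login does after the change."""
    email = "someone@example.com"  # constructed address
    mail = PasswordStore("email provider")
    mail.set_password(email, "old-password")

    # Windows setup: the user retypes the e-mail password, so Microsoft keeps
    # its own independent copy under the same address.
    microsoft = PasswordStore("Microsoft account")
    microsoft.set_password(email, "old-password")

    # A third-party app offering "log in with your e-mail account".
    app = FederatedLogin("third-party app", mail)

    # The e-mail password gets changed (hacked, or the consultant insisted).
    mail.set_password(email, "new-password")

    everything = [mail, microsoft, app]
    return {
        "email_new": mail.verify(email, "new-password"),           # True
        "microsoft_new": microsoft.verify(email, "new-password"),  # False: stale copy
        "microsoft_old": microsoft.verify(email, "old-password"),  # True: old one still works
        "app_new": app.verify(email, "new-password"),              # True: follows the provider
        "old_password_still_opens": where_password_works(everything, email, "old-password"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The last line of the result is the part a password tracker exists to answer: after the change, the retired password still opens the Microsoft account, because that account never heard about the change. The federated app is the only one that stays in sync, and only because it holds no password of its own.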
Image by Gerd Altmann from Pixabay
Today’s smartphones are incredibly powerful. If you are savvy enough, and determined, you could probably do a good portion of your office job and manage most, if not all of your personal life just via a late model smartphone. Even someone like me can do a significant amount of work via smartphone. The tools are there, and the screen is just big enough to make it possible with some squinting and finger cramping, but I only do it in an emergency when I don’t have access to better tools or platforms. For most of you, email, video conferencing and phone conversations cover a large chunk of your professional life, and when you add in the social media apps, you’ve got the bases covered. But should you be using your smartphone for anything other than for what it was originally designed?
Should you be getting off my lawn?
I’ll admit it, I’ve definitely become much more conservative *gasp* when it comes to considering where technology intersects with our personal lives, especially as it pertains to privacy. Back when I had a full head of hair and maybe less brains, I fell firmly into the “what do you have to hide” category of privacy, but that was before our data was essentially and mercilessly monetized with zero regard for the consequences. And after it was purposefully gathered, categorized and analyzed, it was carelessly and unapologetically leaked repeatedly, where it could again be gathered, exploited and manipulated by folks with even less care for ethics or humanity in general. While most of us haven’t been significantly damaged individually by this in any way we can quantify, the merciless monetization of our data has definitely been to the detriment of society in general. While it might feel usefully prescient that Amazon seems to know exactly what you need when you visit their website, I’m betting you start feeling a little unsettled when every other website you visit thereafter also seems to know what you’re shopping for, like you just stepped into the Twilight Zone, or Black Mirror, for the younger generations. Whether you like it or not, the breakthrough in data gathering was courtesy of the rise of the smartphone and its cornucopia of useful apps. For every function of your professional and personal life that you pursue with your cellphone, the carriers and app makers and their data-hungry customers gather oodles of telemetry about you – where you shop, what social and political beliefs you peruse and pursue, what kind of foods you like, what games you play, on and on. People view smartphones as a window to the world, but don’t forget that windows work both ways, and you are providing a stark, unexpurgated view of your life to folks who only see you as a profit center.
Full disclosure: On top of email, texting and phone calls, I do no small amount of social media lurking (though not posting), GPS navigation, music listening and a little shopping here and there on my smartphone. I’ve made my peace (for now) with the Faustian deal I make in trade for services I (and my clients) find incredibly useful, and to be extremely clear, even I don’t know to what extent my data has been harvested, exploited and monetized, but I like to think I’m going into it as clear-eyed as one can be in this day and age. Should we be considering this a reasonable tradeoff? Would you be willing to pay for services you use for free right now if it meant you had more control over your data? Do you even care? Even I don’t know how to answer these questions right now.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net