Even those living under the proverbial rock knew about the massive Facebook outage last week. For almost 6 hours last Monday, the entire world(!) was without their daily drip of Facebook, Instagram and WhatsApp which, for a large portion of the online world, is the entirety of social media that matters. And the week before that, we lived through several multi-day VOIP phone outages as two other foundational internet platforms, VOIP.ms and Bandwidth.com, fought off ransomware attacks that crippled their services (and all of their customers’ services) for the better part of a week.
Why does the internet keep breaking?
This may come as a surprise to you, but if you think about it (or you’ve been working with computers as long as I have), you will realize that technology is only as reliable as the people making it and, of course, using it. I will allow (and am able to provide plenty of anecdotes demonstrating) that there are a plethora of examples of technology from days past that are lightyears ahead of their modern counterparts – I have a woodworking router that is likely older than I am, and it’s still a capable tool. So why do things made today seem to break more frequently? Some of it is likely nostalgic bias, but there are two other key factors that also tip the scales towards an increasingly fragile technology future: mass production and commodification of technology, and the internet.
While it’s most certainly to the benefit of everyone that computers and smartphones have become largely affordable, it’s definitely come at a cost in quality and durability, and there is a fairly wide consensus that manufacturers are building obsolescence into their products and designs to enforce a vicious cycle of upgrades that guarantee a profit. Our consumption of technology devices is further reinforced by the internet-connected world where the transmission of information is at once solace, comfort, education and power, and the lack of it has become a deadly disadvantage for all but a very small portion of the world’s population. And, of course, that connection to the internet is also a double-edged blade that undermines security and sustainability as inexorably as water will work its way into any place it should not be.
If you look carefully (and perhaps don’t if you want to sleep tonight) you will see that almost every aspect of our modern life now relies on devices that themselves rely on a near-constant connection to something else (usually the internet) in order to function. And here’s a dirty little secret any technology veteran will gleefully share with you: the internet is built on some very old technology that has become nigh impossible to replace, and yes, it’s still easy to make a mistake that will take the world’s largest social media platform offline for hours. Imagine being tasked with repairing (or replacing!) a bridge that is heavily used. Shutting it down is not an option. So you have to try to do the work while people are driving over it. Failure is not an option, and yet, here we are: human to a fault – pun very much intended.
Another week and more bad news. Most of the world’s technology relies on several key chip manufacturers that are located in Asia, and in case you hadn’t heard, they were rocked by the pandemic fairly early on in 2020. This has created a massive shortfall in semiconductor production which, when coupled with the spike in demand for technology to move a large chunk of the world’s workforce and students home, has manifested as a serious supply-chain choke-point that is resulting in empty shelves and shipping delays for just about anything with a computer chip in it.
What this means for you
Depending on what you are shopping for, you might be thinking, “What shortage? I can walk into my neighborhood big box and buy a computer right now!” Absolutely this is true, but even those supplies are dwindling. For anyone looking to purchase what we call “business-class” or “enterprise-grade” equipment, we are seeing backorders of three to four weeks, and certain models are out of stock through the end of the year as wholesalers and manufacturers sell out of their standing, domestic stock. Computers aren’t the only thing impacted: this shortage is affecting everything from videogame consoles to new cars to medical equipment to smart phones.
Industry analysts are predicting this supply-chain shortage will last well into 2022, and it will likely make the upcoming holidays a little challenging if you were planning to make up for last year’s sober shortages in the usually red-hot electronics and videogame markets. Scalpers are still showing no mercy, and the chip shortages won’t be helping us battle their profiteering. Long story short – make sure to include a multi-week delay in shipping if you need new technology. Take good care of your existing equipment as it may be hard to replace or repair for the next 6-8 months, minimum.
We’ll keep it short and sweet this week. Earlier this year, an advanced form of spyware was discovered on a small group of Middle-Eastern journalists’ iPhones that was eventually traced back to a developer in Israel called NSO Group. Purportedly designed for law enforcement agencies to combat terrorism, the spyware known as Pegasus appears to have been utilized by one or more government agencies to spy on a select group of iPhone users. At the time, it was unclear how the exploit was being deployed, so no defense or patch could be provided to stop Pegasus from being installed. After months of research, Canadian internet watchdog group Citizen Lab uncovered the flaw and announced it this week in the news, timed in concert with a security update from Apple that should be applied immediately to all iOS devices and macOS devices.
What this means for you
If you have a late model iPhone, Mac computer, Apple Watch or iPad, check the settings immediately for any available updates and apply them as soon as you can get to a solid internet connection and have your device connected to a power source. The iOS version you are looking for is 14.8, and on MacBooks and iMacs it will be macOS 11.6.
- Update your iPhone, iPad, or iPod touch – Apple Support
- Update your Apple Watch – Apple Support
- Update macOS on Mac – Apple Support
As of this writing, the actual number of people who have been impacted by this flaw and Pegasus is very small, but now that the actual flaw has been revealed, there is a possibility that others besides the NSO Group will attempt to take advantage of the window that is typically open while people get patched, which can be days or even weeks. While Pegasus is designed for spying, there will surely be other malware types released to attempt to exploit this flaw that may be more straightforward in doing harm. Don’t be one of the ones caught sleeping on this update. Get patched now!
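For anyone looking after more than one Apple device, the version check described above can be run across a whole inventory. This is an added example, not part of the original article: the inventory format and device names are constructed, and only the iOS 14.8 and macOS 11.6 minimums come from the text (no watchOS minimum is given there, so none is assumed).

```python
import csv
import io

# Minimum patched versions as stated in the article (iPadOS assumed to track iOS).
MIN_PATCHED = {"ios": (14, 8), "ipados": (14, 8), "macos": (11, 6)}

# Constructed sample inventory: hypothetical device names and version strings.
# "14.10" is deliberately included because naive string comparison would
# wrongly sort it below "14.8".
SAMPLE_INVENTORY = """device,platform,os_version
front-desk-iphone,iOS,14.7.1
owner-iphone,iOS,14.8
conference-ipad,iPadOS,14.10
design-imac,macOS,11.5.2
bookkeeping-macbook,macOS,11.6
loaner-iphone,iOS,unknown
lobby-watch,watchOS,7.6
"""


def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); return None if it is not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version, minimum):
    """Compare numerically, padding with zeros so (14, 8) equals (14, 8, 0)."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def audit(inventory_csv):
    """Return {device: status} for every row in the inventory."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        minimum = MIN_PATCHED.get(row["platform"].strip().lower())
        version = parse_version(row["os_version"])
        if minimum is None:
            status = "no-baseline"        # article gives no version for this platform
        elif version is None:
            status = "unknown-version"    # cannot be verified, so check by hand
        elif is_patched(version, minimum):
            status = "patched"
        else:
            status = "needs-update"
        results[row["device"]] = status
    return results


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:22} {status}")
```

Devices reported as `unknown-version` or `no-baseline` should be checked on the device itself rather than assumed safe.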
Warning: this article will melt your brain. Consume in small portions and rest frequently. Or skip to the end for the simple advice.
In the not so distant past of technology, the account name you used to access your service or software was usually a single word. Sometimes it was your name, or some variation of first initial and last name, or it was something you got to choose like “soccermom72” or “sunnysdad” or “bruins4ever” etc. As online services grew in popularity and the number of people needing accounts exploded, most service providers realized they no longer needed you to pick a name (and suffer through finding one that wasn’t already taken) as you were already providing them with a unique identifier, so they got rid of all the “catmom2013” IDs in favor of using your email address. From a technical perspective, this makes perfect sense, but for many users, this can lead to confusion and frustration if you aren’t keeping careful track of your passwords, or worse, using the same password for everything.
When an email address is more than just an email address
Microsoft, Apple and Google are the primary causes of email-as-account-name confusion, especially if you’ve created an account with those services using an email address that has nothing to do with any of those providers. For example, when setting up a new Windows computer, one of the first things it does is ask if you have a Microsoft account, and if you don’t (or think you don’t) it asks you to put in your email address and it will create one for you. So you put in your email address that you’ve had for years (something-at-aol-dot-com?) and the setup process has you create a password for this new account. Many people misread this prompt as “enter your current email password”, and don’t realize Windows is actually asking you to create a new password for your new Microsoft account, but also, typing in your email password (Twice? Why is it asking me to enter it twice?) works, because as far as Microsoft is concerned, your current email password will also work as your new Microsoft password. Do you see where this is going?
So now you’ve got a new Microsoft account that uses your email address and password as the login. “Convenient,” you think. “One less password to remember.” Until you need to change your email password because maybe it got hacked, or your IT consultant warned you to stop using it. Whatever, you’ve changed your email password. Then you go to log into your Windows computer, which is using that same password, right? Wait. Why isn’t this new password working? I just changed it and I know I wrote it down correctly! OK, I’ll try the old one. Why is that working? But the old password doesn’t work for my email now? WHAT IS HAPPENING?!?!
For most folks that don’t daily marinate their brains in technology, it’s a common mistake to think that using your email address for an account name confers global login capabilities to your services with your email address and password. It does if you use the same password and never change it, but the moment any of the services insist on a password change, confusion is imminent. And here’s something that will really bake your noodle: if you set it up right, your email credentials can actually do this with a lot of services and keep in sync with password changes! But it has to be a certain type of email address (Microsoft, Google or Apple powered) and the services all have to have that capability (usually labeled as “login with your XXXX account”). This was a very popular authentication method in the early 20-teens, but once major password leaks started occurring, more services were shying away from “single sign-on” as folks were having their entire online lives stolen with a single password. In reality, most people will have a mixture of single sign-on services and regular logins, all using their email address as the login name. And if they don’t make a point of recording passwords used with particular services (especially if those services don’t ask for passwords often), human memory will just mash all of it together under “email address and this password.” Even writing it down is confusing sometimes, especially if you look back later at your notes and see the following, “Microsoft account uses Gmail address and this password,” or “Google account uses my AOL email address as login.” Wait, my email doesn’t come from Google, it comes from AOL, doesn’t it?!?
What’s the solution to this madness? Password trackers and unique passwords, and understanding that just because an account is using your email address as a login, it doesn’t necessarily mean that it’s using the same password. In fact, if you are “doing it right”, nothing should have the same password unless you are using a collection of services that are designed specifically to authenticate against email services that provide single sign-on capabilities. Still confused? You are in good company. Just take good notes, track your passwords, and make sure you have C2 on speed dial when things get weird.
Today’s smartphones are incredibly powerful. If you are savvy enough, and determined, you could probably do a good portion of your office job and manage most, if not all of your personal life just via a late model smartphone. Even someone like me can do a significant amount of work via smartphone. The tools are there, and the screen is just big enough to make it possible with some squinting and finger cramping, but I only do it in an emergency when I don’t have access to better tools or platforms. For most of you, email, video conferencing and phone conversations cover a large chunk of your professional life, and when you add in the social media apps, you’ve got the bases covered. But should you be using your smartphone for anything other than for what it was originally designed?
Should you be getting off my lawn?
I’ll admit it, I’ve definitely become much more conservative *gasp* when it comes to considering where technology intersects with our personal lives, especially as it pertains to privacy. Back when I had a full head of hair and maybe less brains, I fell firmly into the “what do you have to hide” category of privacy, but that was before our data was essentially and mercilessly monetized with zero regard for the consequences. And after it was purposefully gathered, categorized and analyzed, it was carelessly and unapologetically leaked repeatedly, where it could again be gathered, exploited and manipulated by folks with even less care for ethics or humanity in general. While most of us haven’t been significantly damaged individually by this in any way we can quantify, the merciless monetization of our data has definitely been to the detriment of society in general. While it might feel usefully prescient that Amazon seems to know exactly what you need when you visit their website, I’m betting you start feeling a little unsettled when every other website you visit thereafter also seems to know what you’re shopping for, like you just stepped into the Twilight Zone, or Black Mirror, for the younger generations. Whether you like it or not, the breakthrough in data gathering was courtesy of the rise of the smartphone and its cornucopia of useful apps. For every function of your professional and personal life that you pursue with your cellphone, the carriers and app makers and their data-hungry customers gather oodles of telemetry about you – where you shop, what social and political beliefs you peruse and pursue, what kind of foods you like, what games you play, on and on. People view smartphones as a window to the world, but don’t forget that windows work both ways, and you are providing a stark, unexpurgated view of your life to folks who only see you as a profit center.
Full disclosure: On top of email, texting and phone calls, I do no small amount of social media lurking (though not posting), GPS navigation, music listening and a little shopping here and there on my smartphone. I’ve made my peace (for now) with the Faustian deal I make in trade for services I (and my clients) find incredibly useful, and to be extremely clear, even I don’t know to what extent my data has been harvested, exploited and monetized, but I like to think I’m going into it as clear-eyed as one can be in this day and age. Should we be considering this a reasonable tradeoff? Would you be willing to pay for services you use for free right now if it meant you had more control over your data? Do you even care? Even I don’t know how to answer these questions right now.
Most Americans have stopped keeping count but this will be the fifth or sixth data breach for T-Mobile, the second largest mobile service network in the United States. In case you’ve forgotten or gotten it confused with the 12 other breaches you may have been a part of recently, the previous T-Mobile breach included PII such as addresses and phone numbers as well as your billing data, but not credit cards or Social Security numbers. This time around, according to the hackers who are attempting to sell the database via the dark web, they have names, addresses, Social Security numbers, driver’s licenses, and IMEI numbers of over 100M T-Mobile customers. T-Mobile and independent investigators are attempting to determine if this is true, but according to Motherboard, who first broke the story, the sample data they were provided as proof appeared to be legitimate.
What this means for you
You don’t need to be a security expert to understand how bad this is, but in case you want my hot take, if I had to rate this on a scale from one to ten of “bad”, this pins the needle at a solid ten, if only for the fact that having IMEI numbers exposed opens the possibility for wide-scale phone cloning which could then result in completely undermining any security provided via SMS-based two-factor authentication. In case parsing that last sentence was tough, the reason you implemented two-factor was because the second factor was you getting a text message to your phone that no one else could see…unless your phone was cloned.
As of this writing T-Mobile hasn’t verified that all 100M or so customer records were breached, but the various proofs provided by the hackers, as well as the fact that they are selling a subset of 30M records for $275k, seem to indicate that they indeed have the goods and you can bet this data is as good as sold, even at such a high price. For comparison’s sake, the previous breaches T-Mobile admitted to were 1M and 2M records in 2 of the previous incidents.
This news is still developing, but keep your eyes and ears wide open, especially if you are a T-Mobile customer. If you see sudden two-factor prompts that you did not request, be prepared to act quickly to secure the account. If possible and it’s offered by a two-factor protected service, switching to an app-based two-factor method to secure the account will remove this particular danger of a cloned phone, but only if you get it done before the hackers get you in their crosshairs. Keep in mind that the hacker will need to know your password (the first factor in a two-factor scenario) in order to trigger the second factor, so as long as that password wasn’t revealed in a previous breach, you will probably be fine. You used a unique, strong password for every service, right?
For the dwindling few of my clients who had any energy left to be outraged at something, a recent article from Forbes highlighting Google’s rather blatant disregard for user privacy energized at least a handful of them to delete the Gmail app from their iPhones. For the rest of you who haven’t encountered this story yet, it’s actually not something new that has occurred, but rather something that has been going on for a while now, that is only coming to light in an understandable way thanks to Apple’s new privacy policy and its ongoing battle with Facebook. Up until now, Google has been letting Facebook take the brunt of the media attention on this issue, but it was only a matter of time before their equally egregious data harvesting practices came to light.
What this means for you
Let me be 100% transparent with you. I send out an email newsletter weekly via a platform called Mailchimp, and I’m using their “Free” tier of service in exchange for allowing them to use a portion of my email to advertise their service. I’m also quite certain they are gathering metadata from every email I send out, aggregating this data across all their other clients (paid or not!) and then reselling that information to various advertisers and market research firms. As we’ve been repeatedly told even well before the birth of the internet, there’s no such thing as a free lunch. Google’s Gmail service, for something that is free, is actually one of the best email platforms in existence, but, as you should already know, comes at a price.
If there is something I’ve gleaned from working with people and technology for over 30 years now, it’s that we all have a calculus we perform internally that measures convenience and cost against privacy and security. For some of us, that teeter-totter tips heavily on the privacy and security side, and for others much less so, especially if the convenience means that we are able to invest effort into other things that matter more. Regardless of how your inner-seesaw is tilted, privacy and security are not balanced or elevated without significant effort, and more is being required every day. The longer companies like Google, Facebook, and yes, even Apple sit on one end of the teeter-totter gorging themselves on your data, the harder they will be to lift or even dislodge so that you can properly enjoy the ride with someone who doesn’t always tip the scales in their favor.
Don’t expect any company, especially a for-profit one, to stand up for your privacy regardless of what they tweet or tout in their advertisements, and the same can be said for many politicians who plainly have their pockets lined by big corporations. Whether we want to admit it or not, many of us are using services that may or may not be worth the privacy we give in exchange. Your privacy is valuable, so don’t give it up so easily. You’ll definitely miss it when it’s gone.
It’s become abundantly clear from how we handled the pandemic that humans, as a general rule, aren’t very good at planning for, and dealing with, unexpected scenarios, especially if it is something that they don’t believe can happen to them. Life insurance agents will tell you this, and as a guy who’s spent the past 30+ years working in technology, I can also say that regardless of how long you’ve been using a computer for whatever reason, most of you aren’t planning for when it breaks. Some of my clients do actually plan for failure, and even they are caught off guard sometimes. If there’s one thing that you can count on with technology, failures won’t go as planned.
Not the kind of exit you might be thinking
We don’t want fires to happen in buildings, but when they do, it’s of paramount importance that we know how to get to safety. While I can easily list plenty of failure scenarios for your technology, I can’t tell you when they are going to happen. But there are plenty of things I can help you plan for because our use of technology is fairly predictable, and if we prepare accordingly, we can react effectively when failure rears its ugly head. Here are some examples and some ways to approach common internet problems:
“Our internet just went down.”
This happens all the time, and is always at the worst possible time. You should always know (a) who to call when it goes down, and (b) know where to go to get internet when (a) tells you that the outage is being worked on but there is no ETA at the moment. Do you know how to fire up a hotspot on your mobile phone? Do you know where the nearest free WIFI source may be? Do you know how to reboot your router? Is it just WIFI that is down, or your internet connection, or everyone’s internet connection?
“My computer just stopped working.”
Windows is going through a rough time at the moment – their QA is absolutely crap lately, but not applying updates is almost as bad as applying them, so have an idea of how you can get your important work done without your primary computer. What can be done via another device, platform or even someone else? Do you know how to access your email via the web or on your phone? Could you pull that important file off a cloud backup and work on it on another computer, or even your phone?
“Know where your data resides.”
In the end, for those of us who need technology to perform our work, it is as fundamentally important to know where your data is as it is to know how to safely get out of a building in an emergency. If the thing you need to do isn’t accessed via the internet, then the internet being down isn’t (necessarily) a problem. If the thing you need to do can be done on another computer, then your computer being down is just an inconvenience that can be worked around. As long as you know where your data resides and you understand how to access it, the technology you use to get there is just a means to an end. Just as most of us aren’t meant to fight fires in buildings – we just need to know how to get out quick – fixing broken technology should not be your focus; instead, plan and learn how to work around those eventualities.
Hot on the heels of a moderate backlash on their Sidewalk initiative, Amazon has decided that maybe Ring doorbells should be a little more considerate of your privacy. Up until today, if you had subscribed to the Ring Protect Plan which provided a means for you to store a history of your Ring camera’s footage in the cloud, that video – in theory – could be viewed by Amazon and local law enforcement depending on the partnerships they have set up with various jurisdictions. There has been much debate about whether doorbell camera videos should be considered private, but once you account for all the various uses and placements of the devices, especially backyards and sideyards, the video footage really shouldn’t be considered “public space.”
Make your Ring truly private
Assuming you are using one of the 13 models that are compatible with the service, you can add device-specific encryption to your videos which essentially makes them only viewable on your mobile device with the Ring app. Previous to this new feature rollout, law enforcement could send out bulk-requests to users in a geographic area to “share” their video footage. Now, if you opt in to the E2EE version of the Ring app, law enforcement must request access via warrant, and supposedly neither Ring nor Amazon can see this footage without requesting it from the specific user. Keep in mind that you have to OPT IN to this feature and it will break certain accessibility features, such as viewing on Alexa devices or Shared User access. If privacy is more important to you than accessibility, you should enable this feature immediately:
https://account.ring.com/account/control-center/video-encryption/advanced-settings/end-to-end
Reports are now popping up in my technology news feed that a database containing information from over 700 million LinkedIn members is now available for purchase on the dark web. Unlike some of the other information dumps that have made headlines recently, this one doesn’t contain passwords or other sensitive information, but it does contain the information that LinkedIn members typically put in their profiles, including phone numbers, addresses (mail and email), job and education history as well as whether or not a particular member might be looking for a job. According to LinkedIn, and as other sources seem to corroborate, this isn’t actually a data breach, but what is known as an “information scrape” which is shorthand for a database built by reading and indexing information that is readily available on the web. Keep in mind, “readily available” does not necessarily mean authorized use, especially when it is gathered and put on sale by someone not LinkedIn.
What does this mean for you?
Even if you aren’t on LinkedIn, if you do any sort of business that requires you to interact with others via the internet, you should be aware of why these types of databases are still considered a significant security risk, and I can sum it up in one word: Phishing. One of the most common tactics in use now by phishers is leveraging data gathered in these databases to build and send fake emails that contain enough real information to trick even the most savvy email veteran. Especially vulnerable are the millions of job seekers who use LinkedIn every day to contact plenty of people they don’t know directly, and have to rely on information found on the website. Cybercriminals are using this particular weakness to infect job seekers with trojans as part of a fake employment application, which can then lead to identity theft, extortion and a definite disruption in the job seeking process. In the end, there isn’t much you can do about this except the following:
- Set up 2-factor authentication on all your important accounts, especially email.
- Back up your important data. Cloud-based backups are best.
- Make sure you are running malware protection on your computer.
- Make sure your network (home and work) is protected by a proper firewall.
- Establish freezes on all your major credit reporting identities via these websites: Experian, TransUnion, Equifax.
- Never trust an email link, especially one that seems to ask for a password right off the bat. Always call and verify.










