Despite what Hollywood, Apple, Amazon and Google might want you to believe, accessing and securing our technology lives still takes more than scanning various body parts and shouting at inanimate objects. These fancy biometric gateways are still powered by the clumsy password mechanism that has been around for decades and will probably exist for a while longer. Despite much effort from the industry to innovate ourselves beyond this particular security mechanism, we’ve only managed to make it somewhat easier to keep track of the growing number of passwords we are required to maintain just to be a part of modern society.
Post-it notes won’t do anymore
Even though password management platforms like LastPass, 1Password and Dashlane have been around for several years now, the majority of my clients still manage their passwords manually, either via bits of sticky paper, a spreadsheet or a little black book. Even though very insecure, this was at least somewhat do-able when all you had to keep track of was a dozen or so passwords. According to a 2017 report written by password manager LastPass (full disclosure: C2 uses LastPass to manage passwords), the average business user has to keep track of nearly 200 passwords, and I am certain that this number has only grown over the intervening 3 years. Unless you are incredibly disciplined and well organized, managing that many passwords manually is just not practical. If you need to share these passwords with co-workers or family, that system just became wildly unmanageable and very insecure.
Password management platforms are designed to step in to replace the notes, spreadsheets and little black books, and they can add other perks as well. Most will provide browser plugins and mobile device apps that can, once unlocked, automatically enter tracked passwords into your websites and apps as needed, as well as tracking and updating your password database whenever one is changed. These same platforms will also see when you create new passwords and offer to save them, and some, like 1Password and Google will even warn you if you are using a known compromised password. Several of these systems can also be upgraded to allow you to safely and securely share passwords with other people.
While the above-mentioned platforms typically have a subscription fee, there are several no-cost alternatives that are still better than the analog equivalents. Google’s password management service is cloud-based and can help you retrieve passwords across multiple devices, as is Apple’s iCloud-powered Keychain. Firefox also has a password management function if you create a Firefox account.
Ironically, using any of these password management platforms does require yet another password, and on top of that, most will also require some form of 2-factor authorization on top of the complex password you should memorize and never write down. The advantage here is that you only have to keep track of a single password instead of 200+, which should allow you to use your brain for more important things like birthdays, anniversaries and where you put those dang car keys.
Most of my clients are surprised to learned that we spend a large percentage of our troubleshooting time on password issues, and within that particular category of issues, the majority of that time is spent on recovering or resetting lost passwords. They also worry that they are unusually bad at this aspect of their professional life, and are somewhat comforted to know that this is something that everyone, including C2, struggles with on a daily basis. Passwords are like the life insurance of technology usage – nobody wants it, but everyone needs it. I’ve yet to meet someone who was excited or pleased because they’ve been presented with a password prompt. It’s a chore, but you shouldn’t make it more work than it needs to be by leaving the management of it to a stack of sticky-notes, unsecured Excel spreadsheet or little black book that is safely tucked in a drawer of your desk, but unfortunately unreadable from your hotel room half way around the world.
Passwords aren’t going away any time soon
By now, you’ve probably realized that writing down, let alone memorizing passwords in today’s world is a losing proposition. Everything is internet connected, not just work technology – your doorbell, your fitness tracker, your thermostat, your car – everything has a password, and if you are doing it right, they all have unique, hard-to-guess passwords, right? Riiiight. Most of these types of services and devices rarely require you to enter the password, meaning you probably won’t remember them, or even realize they have a password that needs to be written down. But when it comes time to troubleshoot or access the service, you don’t want to be scrambling to find that password, or worse, wasting precious time resetting it.
Once you convince yourself that your current method of (barely) managing passwords isn’t going to be sustainable there is also the fear of letting someone else keep track of them for you. My clients’ biggest concern is, “What if my password management platform gets hacked?” which is a fair concern given that it seems like everyone and everything is getting hacked these days. There are no guarantees out there – hackers are clever and humans, as a rule, are careless enough that this combination results in security that is as flawed as we are. What I always tell my clients is that they don’t need to be perfectly secure – they just need to be more secure than the average person to improve their defenses significantly. I also remind them that they are more likely to be successfully hacked than a business whose primary mission is to protect your data. If there is one thing that criminals do not want to do is waste time chasing difficult marks. So make sure you’re not an easy target by upping your password game.
Next week – showing those passwords who’s boss
Image courtesy of Graphics Mouse from FreeDigitalPhotos.net
In my not so humble opinion, there is no lower form of life than those who take advantage of disasters and tragedy to spread misinformation, fear and hate, either for profit, political gain, or even worse, for their own entertainment. Sadly, the internet, as I have written about previously, is amazingly efficient at spreading information paired with the unfortunate inability to provide any differentiation between truth and lies. Ideally, this is how the internet is supposed to work – no one should have the ability to censor any of the information shared on the internet, but this double-edged sword cuts both ways.
Who can you trust for news?
The outbreak of the Corona Virus has dominated the news headlines lately, so it’s only natural to expect a lot of buzz in social media about the illness, and because the internet is a target-rich environment for anyone looking to spread misinformation, either for profit or general mayhem, naturally all sorts of crackpot miracle cures, conspiracy theories and racist stereotypes are finding audiences starved for information about the disease. It doesn’t help that the outbreak is happening in China, a nation with a history of other deadly viral outbreaks and a notorious lack of transparency, on top of having a bit of a human-rights image problem at the moment.
Unfortunately for us, most of the major social media outlets are already struggling to combat “fake news” and general distrust of scientific procedure and evidence on a wide variety of topics. While some have prevaricated on politics, most of them seem to have their heads on straight when it comes to medical matters, especially when misinformation can lead to significant health issues. Even though they have fact checking organizations publishing corrections, algorithms downgrading inaccurate posts, and moderators cracking down on pseudo-science discussion groups, plenty of misinformation continues to spread.
The “signal to noise” ratio on the internet is not getting any better, which only it makes it harder for those of us who are trying to make sure the information we receive not only confirms our beliefs, but is also backed by facts and scientific rigor. Here are a list of trusted organizations that can help us all separate fact from fiction online:
- https://www.factcheck.org/
- https://www.snopes.com/
- https://www.politifact.com/truth-o-meter/
- https://apnews.com/APFactCheck
- https://climatefeedback.org/
- https://www.poynter.org/ifcn/
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
It seems apropos with all the recent chatter about our country’s Constitution to discuss a well known bon mot from an eminently quotable founder, Benjamin Franklin.
Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.
Benjamin Franklin, 1789
I make no claim on being nearly as clever or influential as our esteemed sixth president founding father, but I can say with some confidence that we should add a third certainty: hard drive failure. If my thirty-odd years of working in technology has taught me anything, it’s that devices can and will fail. Whether it’s a device that is spinning magnetic platters at thousands of revolutions per minute, or tiny bits of metal and mineral pushing millions of tiny sparks around an object the size of your thumb nail, the laws of nature say that at some point, chaos wins and your orderly world of ones and zeroes turns into a lot of, “Oh no’s…”
“If you fail to plan, you are planning to fail.”
You can probably guess who said that, right? I’m pretty sure Mr. Franklin would have felt right at home with today’s technology. This week alone I’ve seen more hard drives fail than feels comfortable, and in at least 2 of those cases, the individuals did not have a backup of their data.
Mechanically, all hard drives will inevitably fail. Even though most models are supposedly built to run for years of non-stop operation, statistically, we are seeing that the average life span of a spinning hard drive to be between four and six years. Just because you’ve got a hard drive that seems to have beaten the odds and is still performing like a champ, the opposite is way more likely – you are working on borrowed time. And the same goes for drives that are younger – just because they haven’t hit their expiration date doesn’t mean something can’t go wrong.
Instead of planning to fail, why not plan for failure by backing up your data? For less than $100 a year you could be backing your data to the cloud with essentially zero effort. It almost takes more effort to not back up your data given how pushy Microsoft is with OneDrive, so why aren’t you you backing up your most important digital assets?
Image courtest of Stuart Miles from FreeDigitalPhotos.net
As you are reading this, Microsoft will have officially ended support for Windows 7 on January 14, 2020. It’s a testament to the popularity of the OS that despite Windows 10 being offered as a free upgrade for any licensed copy of Windows 7 or 8, it took Windows 10 nearly 4 years to finally surpass the installed base of Windows 7 users. Even now, though the upgrade is still being offered for free, 26% of all PC’s are still running Windows 7. In prior years, I had warned about charging headlong into upgrading to 10, as the process was fraught with problems, and some of you inadvertently upgraded through Microsoft’s rather heavy-handed and confusing update messages. Fortunately, though it still has its problems, the upgrade process is much more stable and many computers, even though they may be relatively old (in computer years), can run the “new” OS just as well as they ran 7.
January 15 begins the slow retirement of Windows 7
One of the things that is worrying most of my clients are the various dire warnings they are receiving from many software vendors that “Windows 7 will no longer be supported” by that company. When conversing with the support desks of these various software vendors, you can ask them point-blank, “Will your software stop running on Windows 7,” and you will receive the answer, “We no longer provide support for computer running Windows 7,” which doesn’t really answer the question. Any well-trained support representative cannot answer this question without getting into trouble, as any variation of “Yes, but…” will result their customers continuing to use an OS that is no longer guaranteed to get fixed by Microsoft if something breaks. And therein lies the heart of the matter.
Though we can’t guarantee it, it’s pretty likely that your software, if it was running properly on Windows 7 on January 14, will continue to run properly on January 15th. While it is technically possible that a software developer could code their applications to stop running if it sees your computer running Windows 7, you can see how that may not sit well with customers if a program they paid for just stopped working. Instead, they are taking a gentler path, hoping to use a thinly veiled threat/warning instead of an outright cattle prod.
In the short run, if you hit a problem with a piece of software that requires a call to tech support, you’ll get nowhere fast as soon as they notice you are still on Windows 7. Though the software may still be running despite the issue, you’ll be on your own to solve the issue (even if it’s not caused by Windows 7), and if it’s not running at all, you are out of luck.
In the long run, continuing to use Windows 7 will be a problem for everyone, as the Microsoft will likely stop producing security patches after a year if they follow a similar retirement path to the one used for Windows XP. Not only will this make the OS increasing dangerous to use, it will likely result in Windows 7 becoming more unstable as time passes, and performance will decrease as new hardware and software are optimized only for Windows 10.
Even though you will probably be just fine running on Windows 7 for the next few weeks (or even months depending on your environment), unless you have a compelling reason to not upgrade, moving to Windows 10 should be on your first or second quarter to-do list. Be prepared for some disruption, whether you upgrade the OS or buy a new computer with 10 already installed. If you need a primer on what to expect on going to 10, have a look at our three part series here:
Just saying the year sounds like the opening of a science fiction movie, “In the year 2020, human technology had long outgrown the archaic communication medium known as ’email’…”
To be fair, quite a few famous sci-fi films were wildly off on where we would be in 2020. Instead of interstellar travel by 2016 (Blade Runner), moon colonies and superhuman AI (2001: A Space Odyssey), or hoverboards and flying cars in 2015 (Back to Future Part 2), instead we have entire governments, economies and even generations struggling with overflowing, polluted inboxes based on a technology developed in 1972.
Email is 48 years old. Microsoft Outlook is officially 30 years old.
In celebration of exactly how much email has stayed the same, I’m cataloging past blogs I wrote about managing email that, sadly, still apply, even years later. Fortunately, they should still be useful to you, managing your email in the distant year “2020”:
- Petraeus-Gate and Fallacy of Email Privacy (2012) – TLDR: your email is not private. Seven years later, surprise surprise – still not private.
- Your email is not private (2014) – TLDR: Email providers host your email governed by Terms of Service that state they can read your email. Still true in 2020.
- Email’s growing problem (2015) – TLDR: Email boxes got huge, but programs to manage them haven’t kept up. Sadly still true, and even more so now that people have a decade or more of email stored.
- Dealing with oversized inboxes, Part 1 and Part 2 (2015) – TLDR: Part 1 has several ways you can thin out your bloated inbox. Part 2 discusses why you might not be deleting your emails.
- Get rid of those old email accounts (2017) – TLDR: Wherein I exhort you to get rid of your old email accounts. Full disclosure 2020: I still have my Gmail account that I created in 2005.
- What to do with all those old emails (2017) – TLDR: I discuss ways you can keep the data but not the email accounts. Three years and umpteen-thousand emails later, those old emails aren’t going away by themselves.
- How to spot fake emails (2017) – TLDR: I dissect a fake email that almost fooled me. Fast forward to now – fake emails are still around and trickier than ever, but the basic spotting concepts still apply.
Photo by Christin Hume on Unsplash
Given the number of accounts included in this recent action, it’s highly likely you were one of the 44 million people with a Microsoft account that were recently subject to a forced password reset. Sadly, the number of accounts affected is no longer considered unusual – it doesn’t even crack the top ten in terms of size according to website Have I Been Pwned – but what is interesting is how Microsoft determined which accounts needed to have their passwords reset. In this particular case, the 44 million affected weren’t exposed in a new security breach, but were using passwords that were known to be compromised.
Is Microsoft psychic?
Though it may seem like magic, Microsoft’s prescience actually comes from utilizing really large databases. In this case, their own massive internal database of passwords was matched against over three billion known compromised passwords and 44 million Microsoft users were identified as currently using a password found on that list. Microsoft’s proactive action undoubtedly saved a lot of people and businesses quite a bit of time and money, but given how frequently breaches are exposing millions of passwords with each passing week, how practical is it for anyone to run this sort of back-end search, if one even had the technology to do so? Fortunately for you, there are password managers that will check your passwords in a similar manner to the method utilized by Microsoft above. You shouldn’t need another good reason to use a password manager – not a day goes by where I don’t commiserate with a client on their password woes, but the fact that both LastPass.com and 1Password.com will proactively check your passwords against known compromised databases should a really dang good reason to start using one of them now.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Since Android OS version 6, the widely used smart phone platform has been vulnerable to an exploit of a feature that Google touts as a competitive advantage over its chief competition – multitasking. Without getting down into the technical weeds, the vulnerability takes advantage the operating system’s inherent ability to do multiple things at once, allowing malicious apps to impersonate a legitimate, trusted app on your phone while asking for permissions that it will then use to invade your privacy and steal data.
Surely Google Play’s security scans will stop this?
Despite being documented as far back as 2015, Google has continued to downplay the security loophole even though up to the time of the article’s publication, 36 different apps were available on the Play Store that were identified as exploiting the weakness, dubbed StrandHogg, and apps exploiting this “overlay” technique have been showing up in the store since 2017. Unfortunately, despite Google’s efforts, many malicious apps still manage to make it through their security screening, including highly popular apps such as the infamous “CamScanner” app that had been compromised and turned into hidden malware conduit.
“What can men do against such reckless hate?”
Unfortunately, there’s only so much heavy lifting you can do on your own. In the case of the CamScanner incident, even the developers allegedly did not know their app had been compromised and injected with the malicious dropper library that went on to infect its users. If you were being diligent on updating your apps to repair bugs and patch security holes, you walked right into a trap you couldn’t possibly have avoided. That being said, there are things you can watch out for:
- Apps that suddenly ask for permissions it should already have.
- Apps that ask for login credentials it should already have.
- Apps that ask for permissions that don’t make sense, ie. a Calculator app asking for permission to access your camera or microphone.
- Permission or login popups that look strange or don’t match the app it supposedly comes from.
- Spelling, grammar and punctuation errors.
- Email warnings from services detailing unusual activity or unexpected logins.
If you notice anything of these things, immediately stop and assess the situation. If you are uncertain how to check your phone for malicious apps or compromised security, definitely do not grant new permissions or enter confidential information into any prompts until you can verify your devices integrity.
Every year clients ask us what they should be watching for on Black Friday and lately, Cyber Monday as a possible replacement for their aging desktop or laptop. As online shopping has steadily stomped out brick-and-mortar outlets in the electronics and technology market, finding a good deal is a combination of vigilance, internet savvy and luck as well as a willingness to push that “buy” button knowing that a better deal is always around the corner. With that caveat, here are some deals I can spot right now on November 24. Prices may change as you read this, or may not be in effect until Black Friday/Cyber Monday, but you can also use these as a guideline when evaluating similar deals.
- Dell Inspiron Desktop, Intel Core i3-8100, Intel UHD 630, 1TB HDD Storage, 8GB RAM for $329 – This is a fantastic deal if you are looking to replace your old desktop tower PC. The only real downside is the hard drive is a standard spinning device (not solid state) and the OS is Windows 10 Home, which would need to be upgraded to Pro for proper use in an office. That upgrade is $99 and can be done later, so altogether, still a great deal.
- Inspiron 15.6″ Touch-Screen Laptop for $349 – Actually an outstanding deal if you can get it, as it’s a “Doorbuster” at Best Buy. This can easily function as a work laptop once you upgrade it to the Pro version of the operating system ($99). Only downside is the weight, which is a hefty 4.4 lbs and that it arrives in “S-mode” which is Microsoft’s locked-down (for security) version of Windows 10. You can switch out of S-mode, but it’s a one-way change.
- HP 14 Laptop, Intel 10th Gen Core™ i5 for $399 – Another outstanding deal on a mid-range laptop, this time from Walmart as a pre-Black Friday sale. It’s a little chunky in design, weighs in at 3.2 lbs, and a bit light on storage with only 256GB SSD drive, but otherwise has rock-solid technical specs. Looks like it’s available online, so it may go quick.
- HP Pavilion Gaming Desktop Tower for $579 – If you have an aspiring e-sports athlete or streamer in the family this might be a nice upgrade. It can also serve well as a business machine, though the hard drive is a little small. Fortunately, the case has plenty of room for expansion, and the beefy graphics card will be good for video and photo editing. Downside – it’s a Walmart Doorbuster – good luck!
- ASUS – VivoBook 15 15.6″ Laptop for $499 – This is a great deal on a solid office laptop. Excellent technical specs are only held back slightly by a smallish (265GB) SSD storage and Windows 10 Home, but it’s lighter than the Inspiron above at 3.75 lbs.
- ENVY x360 2-in-1 15.6″ Touch-Screen Laptop for $749 – If you need power and don’t mind the extra weight (4.5lbs), this laptop is very well priced for what it offers – 10th gen i7 CPU, 12GB RAM and a 512GB SSD. Touchscreen, convertible, thin and loaded with premium features. Ships with 10 Home, so using it in an office may require an upgrade to 10 Pro ($99).
- ASUS ZenBook S UX391UA-XB71-R Ultra-thin and light 13.3-inch Full HD Laptop for $789 – If you are looking for a very portable (2.3 lbs) but powerful laptop, this Asus ZenBook well priced against the competition. Be aware that the ultralight form factor and cost comes at the cost of durability, limited ports, and a relatively petite (256GB) SSD hard drive.
General Advice and Cautionary Tips:
- All of the computers listed above come with Windows 10 Home, which can be upgraded to Pro for $99. You need the Pro version for hard drive encryption (important for laptops), connecting to your work’s domain (if you have one), and if you want to remote into your PC using Microsoft’s built-in RDP software. Otherwise, the Home version of Windows 10 is perfect for home office and family use. You can still use LogMeIn, TeamViewer or RemotePC as alternatives to RDP, but business use of those services require a subscription.
- If the deal seems too good to be true – check the fine print. Doorbusters have the obvious downsides, and are sometimes deceptively attractive and scarce to get you to the store.
- Watch out for refurbs and open-box deals. They may be fine functionally, but make sure you are getting some form of full warranty from the manufacturer or return guarantee from the seller.
- There is a reason Chromebooks are so cheap: they can’t run desktop versions of Microsoft Office and should only be considered for specific office tasks like email and cloud-based applications.
- Avoid AMD-powered computers if you are intending to use it for business. While their latest generation CPUs can definitely stand toe-to-toe with Intel, many holiday sales take advantage of less tech-savvy buyers to dump older, poorer-performing AMD technology at ridiculously low prices.
- Don’t use Black Friday sales as an excuse to under-spend on business technology. Instead, consider it a fun way to stretch your technology budget a little further. Cheap technology can end up costing you more in the long run.
- If you want to see if the Black Friday price is really a deal, or just a typical discount, you can check price trackers like https://camelcamelcamel.com/.
It’s late and we’re fighting through a rather difficult month of technology challenges for our clients, but I wanted to make sure you got a heads-up on two important news items that happened this week. The first one actually happened months ago, but we are only hearing about it now, after the companies involved were able to plug the gaping security hole. As you can imagine, I’m fairly jaded when it comes to hearing about yet another vulnerability in our technology, but this one raised an eyebrow as it literally affected hundreds of millions of Android users.
Really Google? Again?
Google and Samsung recently confirmed a rather large security failure in the Camera app of both Google and Samsung smartphones that could be exploited to gain essentially unfettered access to the camera, microphone and GPS functions of your phone, all by installing a simple app that only requests storage access permissions. Discovered by security research firm Checkmarx back in July of this year and eventually fixed (supposedly) in August, Google and Samsung only just recently approved the publication of this vulnerability after confirming the patch has been successfully deployed to counteract this weakness.
While this particular incident wasn’t even out of sight of our rear-view mirror, news of a new email-delivered ransomware attack hit my inbox. For this latest campaign the hook was set to exploit everyone’s heightened awareness of keeping your computer up to date, an awareness that we have played no small part in pumping up, and now, ironically, may end up tricking clients into infecting their computers with ransomware. This time, the attack comes as the form of a fake email notification from Microsoft urging readers to, “Install Latest Microsoft Windows Update now!” and provides a spoofed EXE file renamed to appear as a JPG image file. If the reader happens to fall for the con, the attachment downloads the Cyborg ransomware variant and quickly encrypts the users data in files ending with “777”, leaving behind a note with instructions on how to get your files back if you pay the ransom in bitcoin.
The average Windows user probably doesn’t realize that Microsoft doesn’t use email to notify its customers that updates are available, primarily because it can do so right through the operating system. Unfortunately, we are all so used to receiving information via email that we’ve grown accustomed to these types of notifications for just about every other aspect of our digital lives. As a whole, we’ve become too trusting to question everything we receive digitally out of necessity as researching or vetting everything is essentially impractical for the average human. As such, you should continue to make it a rule to NEVER open an attachment that you haven’t vetted fully. Always call the sender to verify if you receive an unsolicited attachment, and if you are at all unsure, check with your nearest IT professional.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net











