Though it may surprise you to know that Microsoft isn’t the biggest company in the world in 2023 (that honor belongs to Apple this year), you can bet they can field enough lawyers to literally bury any litigation Joe Everyman could think to bring against them. This hasn’t stopped a New Jersey attorney from suing Microsoft because he can’t access his email, even after days of attempting to get help from Microsoft’s eldritch technical support bureaucracy. I can see some of you breaking out in a cold sweat already, imagining the nightmare your job or life would be if you couldn’t access your email. Well, you don’t have to imagine – just read the complaint if you’d like to have it outlined in bulleted, stomach-churning detail.
What this means for you
The internet has democratized many things, including providing easy, affordable consumer access to the technology services everyone needs to get even the most banal things done to survive in today’s world. A Microsoft 365 email box can be had for as little as $5/month with a credit card and a few minutes of time. Though you may encounter a glitch or two along the way to spending your handful of dollars to get a very powerful and reliable email service, any difficulty you will have encountered in “buying” the service (psst, you’re renting, btw) will pale in comparison to navigating the platform when something goes wrong. Here’s why: you are paying $5/month for a service that is built to scale for the world’s largest organizations, and once you punch past the paper-thin “training wheel” trappings that make the service marketable to New Jersey attorneys (and you and me) you uncover the cosmic horror of Microsoft’s technology leviathan. What sort of Faustian bargain did you get into? A necessary one, but this is why you hire someone like C2 to help you put a leash on the beast you just bought. Make no mistake – Microsoft’s technology is sometimes just as incomprehensible to us as it is to you, but instead of being paralyzed by fear when the beast rears up on its hind legs, we roll up our sleeves and walk straight into the belly of the beast, “Hello darkness, my old friend, I’ve come to talk with you again.”
Image by Colin Behrens from Pixabay
A Russian-backed ransomware gang known as “Cl0p” has put about 50 notches in its belt in the past two weeks by exploiting several vulnerabilities in a Managed File Transfer (MFT) platform called MoveIt. Though you might never have heard of MFTs or MoveIt, you are probably very familiar with Dropbox, Google Drive and OneDrive, all of which feature the ability to share files with others (i.e. MFTs) as part of their overall service. MoveIt is purchased by organizations that want to set up their own private file sharing service, and one of the distinctive features of MoveIt is that it is premise-based and not cloud-based. Even now many organizations believe that “rolling your own” on-premise services is more secure than putting everything in the cloud, but this batch of breaches is proving the exact opposite.
What this means for you
Fifty seems like an impressive body-count, and those are only the ones we know about. According to security researchers, Cl0p may have been probing weaknesses in MoveIt implementations as far back as 2021. The group is following the usual extortion playbook – they are threatening to release the stolen data unless their demands are met, though in several instances they seem to be walking a careful path to steer clear of extorting entities that might draw literal crosshairs on their backs. While Cl0p seemed proud to enumerate the US Department of Energy on its list of victims, it said in a statement that it would not be exploiting any data taken from government agencies and that such data would be erased, presumably to avoid global politics (and “lettered agency” involvement) getting in the way of profits.
The key takeaway for us smaller targets is that premise-based systems are no more secure than cloud-based systems, and in this particular case, because onsite systems require active monitoring and maintenance by trained professionals to stay secure, this becomes a fundamental weakness if the organization cannot maintain the premise system as well as a cloud-based (and centrally managed) platform. Most on-premise platforms are far from the “set and forget” applications of the previous decades, and any system that is internet-facing, like MFTs, requires constant policing, something that most companies are ill-suited to provide or even afford.
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net
Though it is becoming increasingly difficult to do it, I do try to find positive technology news to share with you. Given all the doom and gloom surrounding artificial intelligence lately (for good reason!) it seems rare to find a silver lining to the black cloud hovering over everything else, but like a lone ray of light piercing the foreboding dark, comes news of a critical medical discovery made by a team of university researchers and an AI algorithm.
Technology should supplement, not replace, people
In the abstract of the article published to the Nature Chemical Biology journal, the researchers stated it with deceptively terse simplicity:
Here we screened ~7,500 molecules for those that inhibited the growth of A. baumannii in vitro. We trained a neural network with this growth inhibition dataset and performed in silico predictions for structurally new molecules with activity against A. baumannii.
Abstract of “Deep learning-guided discovery of an antibiotic targeting Acinetobacter baumannii”
In case you aren’t a microbiologist with institutional access to Nature’s publications, you can read a nice break-down of the paper from MIT News, but I’ll also give you the shorthand: scientists dumped a bunch of data on a computer program that was told to sift through and look for anything that might work against a drug-resistant strain of bacteria known as A. baumannii. And it found something that has the promise of being highly effective against the deadly bacteria in two hours of analysis (after a lot of pre-programming and data gathering).
The most important distinction between the above and the almost carney-like uses of ChatGPT that have been making the news lately is simply this: where we seem to stumble is when we attempt to substitute technology for humans instead of using it to amplify and augment what makes us human. Among the many who are protesting the alarming rise of AI are the ones that corporations seem most eager to replace – the writers, artists and musicians. And not because they are doing a better job of it – quantity and speed do not equal quality – but because at least some part of our society seems willing to accept the slightly off-kilter, lifeless and sometimes completely misinformed AI-generated content because it’s cheap or free. Are we guilty of readily grabbing up what we can get, even if it’s not nearly as good as the “real thing”? At what point would it be acceptable to get medical counseling from an AI – perhaps when the real thing is only available to those who can afford it?
Image by bamenny from Pixabay
Some of my clients are convinced that my technology is trouble free and works perfectly all the time. Nothing could be further from the truth. Technology consultants use the same technology and services you use. You could argue that by virtue of our training and experience we are able to manifest more potential from a given product or service and see through a lot of the marketing that cloaks inherently bad products and services, but in the end, we are subject to the same random quality problems, hardware quirks and internet outages as everyone else. Fortunately for us, our professional skills translate well, granting us “Physician, heal thyself,” capabilities.
“Never let them see you sweat.”
I like to tell my clients that the only time they should get nervous about a technical problem is if they see me nervous or worried about a technical problem. I can’t cram 30 years of experience into a blog article, but I can tell you how I deal with my own technical problems (which is the same way I approach your problems), and most of them are dirt simple, tried-and-true tactics that can be used to solve numerous technical issues.
- Reboot. Even though I chant this like a mantra to everyone, even I am sometimes reluctant to reboot my PC when I’m having trouble. Even though I have technical expertise to actually diagnose why my PC needs a reboot – it doesn’t change the actual solution.
- Check the power. For the devices that are stubbornly not turning on – make sure your cords, adapters, batteries, power strips are working. Test them with other devices (carefully) to see if you can isolate whether the problem is truly a dead computer and not an unplugged power cord.
- Look for the signs of the problem. Most technology, hardware and software, will tell you it’s having a problem, whether it be a warning icon, or message splashed across the top of the screen or a more discreet pop-up that has since dismissed itself. There may be audible cues or other physical evidence that you might be missing because you are laser-focused on the screen and missing the obvious grinding noise or flashing LEDs on the computer itself.
- Is anyone else having a problem? Less useful if you are the only person working at your location, but there are ways to reach out to co-workers, fellow residents or neighbors to determine if the problem is just you or more widespread. Determining scope and scale of a problem is key to solving something that a reboot does not solve.
- Google it. This is a more advanced level skill as sometimes describing the problem is as difficult as diagnosing it, especially if your technology vocabulary is limited. Fortunately, there are way more laypeople on the internet than technicians, so even vague descriptions of the problem might lead to a diagnosis and possible solution. The search engines all keep track of all searches, both carefully crafted and otherwise and can comb through the static to bring most things into focus. Sometimes you find out that it’s not actually a problem but a new “feature.”
- Try repairing the software or app. This is easier to do on mobile devices but depending on your familiarity with your computer’s OS and your access to the software installers, also a quick, relatively simple fix for the bigger devices. The repair function is meant to restore an application back to “new” while (usually) retaining your settings.
- Did you try rebooting it a second time? I’m still surprised how often this works.
The majority of our clients have principals or senior team members who have been working with computers in a business capacity for 10 years or more, and some more than 20 years. Just about all of them have asked me if I think technology has become easier or harder to use recently. Without hesitation I answer, “Definitely more complex, and today’s business systems, hardware and software, are not as reliable as they were six or seven years ago.” Take my opinion with whatever grains of salt you still possess – my view only encompasses a very small slice of the world, but it does span over 30 years of working in the industry, and as anyone close to me will attest, I don’t wear rose-colored glasses often.
What this means for you
The primary thing we didn’t have 10 years ago at the scale we have now is the vast increase in cybercrime and the resulting arms race in cybersecurity. Security rarely makes things easier, and if there was one thing that everyone expected from technology, it was that it was supposed to make our lives, both business and personal, easier. I don’t think anyone reading this would be able to say this has come to pass for them. We don’t have the ability to bypass today’s security requirements, nor can we affect the lack of quality control that seems to be permeating software and hardware manufacturing lately. Businesses hang by the thread that is technology without realizing (or believing) how tenuous it is. What we do have is the ability to control how resilient our businesses can be by focusing on two key elements that have atrophied from our (forced) reliance on technology: flexibility and redundancy.
Flexibility is what you think it is – wherever you have the latitude to be flexible in your business processes, you should absolutely be prepared to test and use that flexibility, whether that be understanding how to check your email through a web browser, accessing critical client information via your phone, or changing marketing strategies based on recent world events. Lest you forget, technology is only a means to an end – the real resource of any business is its information and people. If your work processes require complex Rube-Goldbergesque technology and processes, you are treading on increasingly thin ice.
In the event that certain elements of your technology infrastructure are in fact inflexible, whether by regulation, requirement or the very nature of the process, plan for redundancy. Data is itself not something you can normally be flexible about – either you have it or you don’t, and redundancy in this regard is better known as “cloud backups.” Need the internet to get things done, and sending folks offsite with hotspots isn’t an option – then get yourself a backup internet circuit. Workers can’t work without a laptop? Engineers can’t work without their high-end workstations? If downtime is not something you can be flexible about, get backup hardware and establish budgets to regularly replace that hardware.
Image by Amit N from Pixabay
There was a time, many years ago, when Elon Musk was something of a celebrity in the technology industry, to the point where many folks were calling him the “real life” Tony Stark. This was due in no small part to his association with groundbreaking (at the time) technology companies Tesla and SpaceX and billionaire status. His cameo appearance in Iron Man 2 just stoked the nerd fandom even further. Fast forward a few more years and the bloom has come off the rose, though there are still many who defend him as a business genius, or even just a genius in general. Make no mistake, he is the richest man in the world, but apparently money can’t buy wisdom, just the marketing to cover up the lack of it.
All aboard the Twitter hate train
It’s no secret that I’m not a fan of social media. Before Musk took over Twitter it was already well on its way to becoming a haven for trolls, misinformation and hate speech, and it seemed like Twitter management at the time was only concerned about these problems when advertisers threatened to pull out of the platform. Enter Musk in 2022, who promised upon taking the company private to loosen content restrictions as well as crack down on the spam and follower bots. While there does not seem to be any noticeable change in the number of bots on Twitter, he certainly seems to have succeeded in removing whatever vestigial content moderation had existed prior to his takeover. According to a paper published by the University of Southern California, “Auditing Elon Musk’s Impact on Hate Speech and Bots,” the amount of hate speech has nearly doubled on Twitter since his purchase of the stagnating social media platform in October of 2022. For any other reasonable human being, this would not be considered a win, but Musk seems to be intent on riding this particular handbasket all the way to hell, including claiming the exact opposite, without providing any sort of backing evidence. In case it’s not immediately clear what my position on Twitter might be, any platform that blindly labels an imposter account as a certified representative of one of the largest entertainment companies in the world should not be entrusted with the level of influence Twitter still wields.
Image by Htc Erl from Pixabay
I initially distrusted this bit of recent news because of how it was disseminated. Twitter still has considerable reach for widespread messaging, but it has lost any trustworthiness as far as I am concerned since being taken over by a billionaire with questionable judgement hellbent on running the platform into the ground. Doing as one should do with something this ominous tweeted by the Denver office of the Federal Bureau of Investigation, I performed my due diligence to confirm a tweet posted a few days ago by the aforementioned office’s Twitter account warning people away from using public chargers to power their mobile devices, as “juice jacking” is apparently still a thing. This was confirmed by the FBI’s official online safety webpage: https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/on-the-internet
What this means for you
I say “still a thing” as the Los Angeles District Attorney’s office got enough attention focused on this in 2019 by the mainstream media for it to actually make headlines for a few days until Covid showed up to hog the limelight. Despite juice jacking’s inexplicable resurgence in the news in 2023, there don’t appear to be any documented cases of this exploit actually being used “in the wild.” Public charging stations have been steadily appearing at various other public venues like malls, shopping centers, hotels and tourist attractions since at least 2011, which is when the idea of juice jacking was first presented to the public at a Defcon exhibit entitled (insultingly and pointedly) “Wall of Sheep”. The objective of this display was to demonstrate the ease with which a mobile device (like your smartphone) could be compromised when physically connecting it to something which the user had no way of knowing was safe or even provided in their best interest. Ironically, even though this seems to be more FUD marketing and yet another example of why we can’t have nice things, this is still actually solid security advice. You should always think twice before connecting your device, wireless or wired, to something that you don’t control, own, or at least have some reason to trust (i.e. Wi-Fi provided by your work, a friend’s battery pack, etc.), and this definitely includes charger cables which, in case you forgot in this day and age of wireless everything, can also be a data connection cable. Be safe, bring a battery pack with you or turn on battery saving mode until you get to somewhere you can trust.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
One of my favorite story tropes is where the main character is magically transported back in time, enabling them to use their “modern-day” scientific knowledge to appear powerful and gain advantage over the relatively primitive denizens of their new surroundings. The most famous, well-known example would be the Wizard in The Wizard of Oz, but this idea appears throughout literature and film as far back as 1889 in Mark Twain’s A Connecticut Yankee in King Arthur’s Court. I’m also known to repeatedly quote Arthur C. Clarke (who also used this trope in his seminal work Childhood’s End), “Any sufficiently advanced technology is indistinguishable from magic.”
It’s not magic but it might as well be
The information security industry is currently abuzz with quantum computing talk, particularly so because of President Biden signing into law the “Quantum Computing Cybersecurity Preparedness Act” at the close of 2022, which instructs government agencies to begin preparing their security to withstand quantum-computing-powered encryption-breaking tools. For most of us, quantum computing sounds like something you would read about in a Clarke novel, and if you try to get into the details, it might as well be sorcery. The second line of the Wikipedia article literally states:
Classical physics cannot explain the operation of these quantum devices…
Quantum computing – Wikipedia
And there are probably very few of us who could even begin to explain how today’s computers work, let alone one powered by quantum physics. Knowledge is power, and we are increasingly at the mercy of devices that are essentially magical to us, and more so to the ones that control the knowledge and technology that powers them. This is particularly relevant with regards to the vast amount of valuable data locked in LastPass’s stolen but encrypted data vaults. If I could tie it to another famous movie trope, imagine bank robbers attempting to crack a massive, steel vault with a fancy laser drill while counting down the seconds until the lock is drilled through. Substitute quantum computing for the drill, and hackers for the bank robbers, and you have today’s unfolding scenario: an escalating technology arms race that requires federal laws to be passed and a select few wizards anointed to make sure we are kept safe. Wizards are traditionally feared and respected in fiction for good reason, and as in Baum’s famous tale, not necessarily always operating with everyone’s best interests in mind. Does it require you to understand quantum computing, to become a wizard, just to keep yourself safe? No, but keep your eyes on the wizards (and their handlers – kings, presidents, lawmakers, etc.) to make sure they wield their power ethically and safely.
Image generated by deepai.org based on the single word “Wizard”
The news is aflutter with Artificial Intelligence bots doing things like writing job descriptions, college essays, passing Bar exams and apparently various other menial tasks that we humans would clearly rather have someone else doing, especially if that someone else doesn’t need to get paid, or at least paid a living wage. Both Microsoft and Google have announced their intentions to include AI in their business platforms, and while some of the things people have had AI do are pretty nifty, we also seem to be conveniently forgetting or at least disregarding the consequences of letting technology do everything.
“I’ll be back.”
Terminator is probably an extreme example of AI gone horribly awry, but we can already see faint echoes of a future where we become complacent about machines replacing humans across all aspects of our lives. Sure, it is nice that technology can assist with the dangerous, dirty and banal tasks, and for it to augment our capabilities in things where our physical bodies limit us, such as space exploration or virology or disabilities, but once it starts replacing things we should know how to do (even if not as well as a machine), we are placing a dangerous amount of trust in something that can (and will) fail. The most common manifestation of this is how most humans handle password management. We rely on technology to remember and automatically enter passwords for us on everything, including the most critical services such as email, banking apps and even the password management platform itself, and as a result, don’t remember any of them, or even realize that a password is required at all.
As a simple test of how vulnerable you might be to this over-dependency, if you imagined yourself being sat down in front of a brand-new phone or computer, would you know how to get access to something like your email, or your bank account, or even where your passwords are stored? If even imagining this scenario is triggering your fight or flight response, you might be relying on technology too blindly. There is a fine line between allowing technology to augment our capabilities as humans versus replacing basic skills that everyone should have in a rapidly evolving world. No AI spam filter in the world will beat well-trained common sense and skepticism. Using technology and our humanity together is the difference between utopia and dystopia.
Image courtesy of Geerati at FreeDigitalPhotos.net
If you were confused about what exactly was stolen in 2022’s LastPass breach – join the club. I think much of the confusion is stemming from the damage control LastPass is attempting to do around their massive data exposure that happened in August and was revealed to the public in December. We know that much of the info that was stolen was unencrypted – login names, email addresses, URLs, etc. and there was some debate as to whether or not the hackers stole encrypted data that contained actual passwords. I’ve had several folks tell me point blank that the passwords weren’t exposed and that LastPass is still safe. Well, guess what – we can put that misconception to bed now. LastPass has dropped another bombshell – one of their devs got hacked and the hackers used the dev’s compromised home computer to gain access to LastPass’s Amazon secure cloud storage to steal the encrypted password vaults of 30 million customers.
What this means for you
There’s a whole lot of gobbledygook in the LastPass release – it reads like technical explanations filtered through an army of lawyers and PR flacks (because it was), and beats around the bush on the most important part: LastPass is confirming that hackers have exfiltrated everyone’s encrypted password vaults – and as I have been warning you about since I learned about this – it is only a matter of time before someone brute-forces their way into someone’s encrypted vault and is rewarded with the password trove within. And they have all the time in the world to do this, which means you have much less time to change any passwords that were stored in LastPass. Hackers will target high-value password vaults first – they will look for ones that have lots of bank account logins or other potentially lucrative access points, but you can bet they will put computers to grinding out every single vault, big or small – because they can, and they have the resources to make this investment pay off.
Stop reading. Go change your passwords.
Image by Gerd Altmann from Pixabay