One of the most appalling practices in the current world of online hacking and phishing is the constant attacks on our elderly friends and family because the attackers know they are easy targets. Unfortunately, I don’t see technology becoming any easier for anyone, especially the elderly, so if they are going to continue using technology for things like shopping, paying bills and handling various elements of their health and property, see if you can get them to abide by some simple but critical rules when they get into unfamiliar situations. This may mean more calls to you on trivial things, but if you are like me, I’d rather that then getting the, “I’ve been hacked,” call.
Rule Number One: “Never trust popups on your devices that warn you about something scary and ask you to call a number.” None of the legitimate malware protection software on the market will do this. This is nearly always a scam. If they get something like this on their computer, tell them to take a picture of it and then just power off the device, manually if it won’t shutdown normally, and physically by unplugging the cord if that doesn’t seem to be working. These fake popups are meant to be frightening, disorienting and sometimes incredibly annoying. If the popup comes back after powering up their device (and it may, as many are designed to do just this) it may require some additional, technical expertise to get rid of it. For actual tech savvy users, it’s a quick fix, but it may be hard to explain over the phone if the recipient is flustered or otherwise frightened. If you can’t go yourself, it may require a visit from a local technician.
Rule Number Two: “Don’t “google” the contact number or email for important services.” All of the popular search services offer ad results at the top of actual search results that are often hard to distinguish from the legitimate information you were seeking. Bad actors are paying for ads that pretend to provide support for various commonplace companies. They will answer the phone as that service, including pretending to be Microsoft, Amazon, Apple, or Google in order to trick callers into giving them access to their devices. If your loved one is fond of using the phone in this manner, provide them with a printed list of known-good numbers for their most used services like their banks, pharmacies, etc, as well as including lines like “FACEBOOK: NO NUMBER TO CALL-DO NOT TRY” as a reminder that certain services are never available via phone.
Rule Number Three: “Always call someone you trust about anything on which you are uncertain.” Our loved ones often will refuse to call us because they don’t want to be a bother. Frequent calls may seem like a nuisance, but they pale in comparison to the absolute disaster you will both have to handle if they get hacked. I’d rather have dozens of calls of “Is this OK?” than the single, “I may have done something bad.” Reinforce their caution with approval, and if you have the time, perhaps explore with the caller what clued them into making the call. If it boils down to them just applying the above 3 rules, then score one for the good guys!
Image by Fernando Arcos from Pixabay
It seems rare to find feel-good information about artificial intelligence lately, so when I spot it, I like to share it, especially when it has to compete for attention with discouraging stories where AI technology is enabling the spread of hate and misinformation. After a young woman in Rhode Island lost her voice due to a brain tumor removal, a team of Doctor’s and ChatGPT-maker OpenAI were able to utilize a short voice recording to create a specialized app that allows her to speak again with an accurate recreation of her own voice.
Stop there if you want to keep feeling good.
Still reading? OK, I warned you. While I’m not going to go into details because I don’t want to give them any more publicity, there are plenty of other AI startups who aren’t focused on limiting their platforms to only medical applications where all parties involved are providing ongoing consent for the use of their voice. While I’m sure they claim their software can only be used in completely consensual situations, we’ve already seen spreading usage of deepfakes for political propaganda, extortion and reputation destruction.
Given the potential AI has, many companies may have started out with stars in their eyes for all the imagined possibilities the technology could enable, but once buyers with suitcases of money started showing up, ethics seem to be relegated to a secondary (or lower) concern, if it was ever a constraint in the first place. As always, money and politics complicate matters, and we humans are not known for approaching things cautiously, especially when being first to the prize means establishing dominance. It’s heartening to know that at least some folks are intent on developing genuinely helpful applications of AI technology, even if in the end, their efforts will most assuredly be monetized. Our hope here, like 3-D printing, is that the technology becomes so widespread that it levels the playing field for (most) everyone.
Image by bamenny from Pixabay
Once again it looks like we will have to leave it to the European Union to be the adult in the room, especially when it comes to US companies running roughshod over everyone in pursuit of the almighty dollar. We have them to thank for things like taking Microsoft to task for various monopolistic tactics with the Windows OS, getting Apple to make iPhones with USB-C charging ports and the whole General Data Protection Regulation thing which made the internet a little obnoxious for everyone for a short while, but sometimes medicine doesn’t always taste good. This time around the EU has Meta in its sights for Facebook’s recent plans to decommission its political election monitoring platform CrowdTangle without offering any sort of replacement, something that the European Commission says could be a violation of the recently implemented Digital Services Act.
What this means for you
Normally, regulatory reform started in the EU takes a while to make its way across the pond to us (if it makes it at all), but fortunately for us, election season starts in June for the EU, and the EC is concerned that Facebook is not doing enough to combat misinformation on its platform. Facebook isn’t the only platform the that is under DSA scrutiny: both TikTok and Twitter also have pending investigations that will hopefully result in something more than the wrist slaps handed out by US regulatory bodies. In the case of Facebook, they could be facing fines upwards of $8.5 billion for failing to “tackle the spread of illegal content, online disinformation and other societal risks.” Even for a company as big as Meta, that’s going to sting. The EC has given Meta 5 days to provide an explanation. While it’s likely that Zuckerberg and crew will provide the usual corporate platitudes it always trots out in these situations, the EC’s track record seems to indicate that hand-waving and vague promises won’t be enough. Everyone, cross your fingers!
Image by Ralph from Pixabay
If there’s one thing I can state with certainty in 2024, technology is not getting easier. Just about every aspect of our lives, personal and professional, is getting automated, appified and otherwise “wired up” like we were living in a 90’s cyberpunk novel. Many aspects of those landscapes were eerily prescient (hello mega corporations), but there is one trope that you might not have considered yourself to be a part of: “hacking” your own technology to fix a problem or change an outcome. Let’s be clear, when I say “hacking” I’m referring to the more genteel, non-criminal activity of solving a technical need or problem via unconventional and/or creative methodology and materials. At a certain point, lots of people started using the term ironically (or in self-deprecation) when they managed to solve technical issues on their own, sometimes without even understanding how it was done.
Hang on, Neo. You don’t know Kung Fu yet.
Internet purists will lambast me if I don’t post the usual disclaimer, “In order to truly hack something, you need have a full understanding of how that thing works.” In the day and age of YouTube videos on just about anything and everything, it’s possible to find an endless supply of “How to hack (a thing)” and a lot of them are quite good. But many of them are not, so how do you sort out the bad from the good? Well, you can either work for 30+ years as a technology consultant, or you can at least try to get some basics under your belt, at least as far as hacking personal technology is concerned. I’m only going to outline the topics – there isn’t enough space nor attention span to spell it out in full. Not all of these areas of study are compelling – some are hella boring, but these are things that I believe everyone should know at least a minimal amount about in order to be competent, productive person.
- Know how your internet works – do you know the difference between a modem, router, firewall and access point? Wired and wireless? What’s an SSID? Do I have guest WIFI? How do I “reboot” my router? Is Bluetooth the same as WiFi? What’s bandwidth and why is it important (or not)?
- Know the parts of your computer and peripherals – is that USB-C port or a Thunderbolt port? What’s a function key? Is that a power button or a reset button? Is my printer wireless or wired? Whats the difference between “sleep” and “shutdown”? How do I change my ink cartridge? Does my phone have a sim card? Is there a warranty on my device? How would I go about getting it repaired?
- Know who provides your technology – whats the brand or manufacturer of your smartphone? Model? Who provides your email? How do I contact technical support for this bit of software? Do you know who your internet provider is, and what they are supposed to be delivering to you for your monthly internet bill? Is this software free, or do I pay for it? Do I even own this software?
- Understand where your data “lives” – is it on your computer’s internal storage? How do you navigate your device’s internal storage to find things? Is your data in the cloud? Which cloud provider? How do you get access to that data from something that is not your computer or phone? Can you? Is your data backed up? Is it encrypted? Should it be? Who owns my social media posts? Is my private information searchable on the internet?
We are well past dismissing this type of knowledge as something only “nerds and geeks” need to know. Whether we like it or not, we should start thinking about this type of technology savvy on the same level of importance as understanding how road traffic works, managing personal finances and differentiating fact from fiction. Failure to grasp the basic concepts of technology will just add more struggle on top of the regular uphill battle we face everyday.
Image by Bruno /Germany from Pixabay
Depending on how long you’ve been using computers, you may well remember a time when, “Have you tried turning off and back on,” was the first thing you heard when trying to troubleshoot any issue. In the 90’s and into the 00’s this was the go-to first step of tech support. And then we entered what some of you might call the golden age of business computing ushered in by Windows 7, somewhat tarnished by Windows 8, and then, with Windows 10, an era that even I can look back on as a bastion of stability when compared to what we have now.
What the heck happened?
Two words: Internet and Cybercrime. I know, I know, both of those things have been around for a lot longer than Windows 10 and even Windows 7, but up until maybe 2012 or 2013, technology companies like Symantec, McAfee and Microsoft had the upper hand in that war. In 2013, with the arrival of the widely successful CryptoLocker-powered attacks, criminals understood what sort of money was at stake and poured all of their resources into cybercrime infrastructure that has evolved into a never-ending escalating battle of security breaches, software updates and increasingly complicated security rituals. All the while, technology itself has permeated every facet of our lives, resulting in things that we would have considered absurd 10 years ago, such as doorbells that require a two-factor login. Everything requires a password because everything is connected to the internet, and because of the ongoing arms race in cybersecurity, everything around us is constantly being updated in this frantic race with no finish line anywhere in sight. Long story short: expect to reboot your devices frequently going forward. There was a time when I could say, “Hey, reboot your computer every other week and you will be fine.” Nowadays, that guidance is, “Reboot your computer at least every 3 days, if not daily.” Microsoft Windows is being updated weekly, as are the major office productivity apps like Office and Acrobat, and not all of their updates are well tested – resulting in more crashing and rebooting until someone notices and issues yet another update to fix the previous update. If it feels excessive, it’s because it is excessive, but for the moment, we don’t have much choice. Right now, cybercrime has the edge, and it’s running everyone ragged.
Long-time readers will notice that it is pretty rare for me to post good news to this blog. I’m sure good technology things happen every day, but we don’t get called when something is working properly, and the mainstream media usually don’t report on anything but bad news. Fortunately for us – because let’s face it, we are sorely in need of “W’s” in the fight against cybercrime – a prominent hacking group responsible for thousands of cyberattacks worldwide resulting in more than $120M in ransom payments has been dismantled by a joint law enforcement operation led by the UK and US. The action resulted in what they are calling a complete dismantling of the APT (advanced persistent threat) known as Lockbit.
What this means for you
On top of seizing control of nearly all of Lockbit’s operational assets, including 34 servers, 200 cryptocurrency accounts and arresting 2 Russian nationals, they actually converted Lockbit’s own dark website into a “reverse” leak site that touted the task force’s takedown of the APT as well as posting their own countdowns to when additional data on the Lockbit crew would be leaked to the internet, turning a commonly used cybercrime tactic back on the criminals. Before the site was “pwned” by authorities, it was used by Lockbit to publish a list of its victims and ransom countdown timers.
This was no small effort – it required coordination between 10 countries and at least three major law enforcement agencies. It will hopefully result in some of the victims being able to recover encrypted data and maybe discourage some portion of the cybercriminal element from continuing operations, but let’s be realistic – this APT was one head of a massive hydra, and the assets neutralized were a fraction of the compromised computers and accounts used as zombies or command and control servers across the globe. In the above-mentioned “Operation Cronos” action 14,000 rogue accounts were shut down. For perspective, a cybercrime botnet was discovered in 2009 that was comprised of nearly two million computers. That number has likely been dwarfed many times over by now. It’s too early to declare victory by a longshot, but as the old proverb instructs, “How do you eat an elephant? One bite at a time.”
Image by Schäferle from Pixabay
In 2019 I wrote about the arrival of deep fakes and posited that it might take an election being stolen before anyone in the country takes it seriously. Welcome to 2024 where someone engineered a robocall in New Hampshire designed to suppress the vote in that state’s January 23rd primary elections. The call featured what appears to be an artificial intelligence-generated clone of President Biden’s voice telling callers that their votes mattered more in November than in today’s primary. To put a nice ironic cherry on top, the robocallers seemed to have spoofed a phone number from a Democrat PAC that supports Biden’s efforts in New Hampshire. Here is the actual release from the NH Department of Justice website that signals the official investigation, in case you are skeptical of the above website’s veracity.
What this means for you
I imagine that regardless of which side of the political spectrum you sit on, this presents a very scary future where we cannot trust our eyes or ears or practically anything on the internet at a time when truth and objective reasoning are crucial. The technology to do the above is readily available and accessible, and it seems a small but influential number of us cannot be trusted to act responsibly with powerful technology. If you are thinking, “well, let them duke it out in their political battles over there, I don’t need to worry about AI fakes affecting me,” let me spin a “fanciful” situation for you to consider. Let’s say you have a disgruntled ex-employee who is looking to strike back at you or your company and decides to use the above tool to fake a harassing phone call from someone in company leadership to someone else in your organization. Do I even have to tell you that this service is likely already on offer in questionable corners of the internet? What can you do?
Make your voice heard in the upcoming elections by voting for leaders that represent your values (which are hopefully based on lifting people up instead of pushing them down). How do you know who that might be? Time to step up and ask directly. Don’t rely on third parties to put words in their mouths. It’s time for direct accountability, for you, me and them.
Register to vote. Get out and vote.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
If there’s anything I’ve learned in the 30-odd years working in technology, it’s that I am terrible at predicting where technology is going next. When I was younger and considerably more optimistic, I had hoped for a world where technology would help us to replace both the dangerous and hideously mundane jobs allowing us more time to engage in loftier pursuits. While it has definitely done plenty to automate the mundane and make things much safer, it has also helped profit-driven companies amass vast fortunes even while the rest of us struggle with increasing costs and diminishing quality of life. It has given equal footing or even an advantage to those who would exploit others for personal gain, while seemingly making it even more complicated for those of us just trying life a peaceful, compassionate life. If I were a billionaire, you can bet there would be some things I would attempt to change, but as I’m not, all I can do is hope certain things come to pass.
Here’s my wish list for 2024
- I’d like to see social media platforms take some responsibility for their power. Likelihood: Possible, but maybe not this year.
- I’d like our Government to take more interest in keeping us safe technologically. Likelihood: In the works, but could be dismantled by politics.
- I’d like to see everyone take more interest in privacy and security. Likelihood: Slowly, slowly happening.
- I’m praying for a breakthrough in identity authentication. Likelihood: Unlikely, it seems.
- I’d really like to see an increase in technology quality control. Likelihood: Not happening this year.
- A breakthrough social media platform focused on lifting humans up instead of winning 15 seconds of fame. Likelihood: Probably not this year.
- Technology that is easy to understand and safe to use for everyone, especially the elderly. Likelihood: Improving, but still a long, long way to go.
Image by Michael Schwarzenberger from Pixabay
Back in October of this year, we wrote about DNA testing company 23andMe’s reported data breach. Initially thought to “only” impact 1.4 million people, 23andMe has revised that estimate to a whopping 6.9 million impacted users that had data exposed including names, birthdays, locations, pictures, addresses, related family members, but not, as the company has strenuously emphasized, actual genetic data. I’m fairly certain that little nugget is not providing the relief they might hope.
Why this should matter to you
Even if you nor any immediate family is a 23andMe customer, it’s important to understand why this data breach is particularly noteworthy. 23andMe wasn’t hacked in a manner that is more commonplace for large companies – hacked or stolen credentials for someone inside the company that had privileged access, but rather through a mass breach of 14,000 customer accounts that were secured by passwords found in dark web databases, ie. these stepping-stone customers were using the same passwords that were exposed in other breaches and leaks. The hackers used those compromised accounts to essentially automate a mass cross-referencing data harvest that in the end, exposed data on nearly 7 million 23andMe customers. This last data exposure is on 23andMe – it would seem they didn’t anticipate the built-in cross-referencing services that the genetics testing company offers would be turned against itself. Also, there was the minor omission of not enforcing multi-factor authentication to secure everyone’s accounts, which might have compensated for the poor password discipline of its customers. The two take-aways? Unique passwords and multi-factor authentication should be the minimum security requirements you should expect from any service that contains your valuable data.
Image courtesy of geralt at Pixabay
There is a conflict brewing in the workplace that many will view as just another symptom of corporate greed. Regardless of its source it’s about to come to a boil, and Microsoft and the other tech heavy-hitters are turning up the heat whether we are ready or not. To be fair to them, they aren’t doing it to be jerks, but as part of an overall shift to a concept called “security by design” which part of the Biden Administration’s overall “National Cybersecurity Strategy” released earlier this year. The strategy is way too complex to even attempt covering in our tiny blog, but there is one element that touches all of us: multi-factor authentication and the push to move past simple SMS codes to authentication apps.
What this means for you
The core concept of “security by design” is focusing the responsibility of security on the manufacturers and vendors and not relying on the end-user to know what is best. As a prime example of this, Microsoft, by default, now requires multifactor authentication for its new customers (which can then be manually disabled), where before, this service needed to be turned on manually by the customer (or their designated IT professional) themselves. All well and good – as a security professional this makes perfect sense to me, and I support the trend – BUT this also requires those employers who don’t provide smartphones to their employees to “ask” those employees to install one or more authenticator apps on their personal devices in order use critical services for their work. Unless you are providing your employees with some sort of reimbursement or have stated in their employment contracts that this is a requirement of the job, this is going to be a problem for many people who are still trying to keep their work and personal lives separate. As a business owner, this ship sailed for me personally a long time ago, but for my employees and yours, what was once a tacit, unspoken arrangement may now have to be formally addressed. Now that smartphones are essentially the easiest way for us to implement multifactor authentication, and everything will soon require it, that personal cell phone has ceded more territory than any of us could have predicted, and employers may need to get in front of this issue before it becomes an employee grievance.
Image courtesy of blackzheep at FreeDigitalPhotos.net