Most of you know by now the meaning and importance of MFA, having multiple pathways to authenticate yourself for your various logins. But here is a story that is somewhat chilling: thanks to the NYC subway authority MTA, someone who knows your credit card number could track your movements about the system, thanks to their implementation of zero factor authentication.

Before Joe Cox, the business journalist who now writes for 404media (I know, miserable branding IMHO), wrote a story about this, you could bring up a page on the MTA’s website, enter the card number and you could see a week’s history of the station entry and exit times for each station you swiped your contactless fare card (or Apple or G payments on your phone). Well, you used to be able to do this, until Cox’s story ran exposing this vulnerability. Then the MTA wisely took this down a day after the story ran, saying they were evaluating the “feature.” Well, it is a feature for your estranged spouse (or someone who is looking to do you harm) to track your movements and establish a pattern of life. For the vast majority of us, it is a major-league problem and privacy disaster. Credit card numbers are remarkably easy to obtain.

Now, I call this somewhat ironically zero factor authentication, although sadly many security vendors are now using this term to refer to ways to authenticate your account without using passwords, which technically it is. But There Is No Authentication Involved Here Folks.

Contactless cards — and the phone-based payment apps — are a big convenience. You don’t have to touch any public turnstiles or fumble with putting your card inside those pesky slot readers upside down and backwards. But the MTA went overboard and for some reason was completely brain-dead when they turned this “feature” on.

If you believe the 2020 elections experienced massive fraud, or that electronic voting machines were running some software from space, then please skip this post. If you believe otherwise, then I would urge you to read my thoughts.

I was party to a massive elections fraud back in the 1970s, when I lived and worked for the city of Albany NY. Albany at the time (and still today!) was under the grip of a powerful Democratic machine, and as a city employee I was told as election day approached that I will vote, and that I will vote the Democratic party line. If I didn’t show up, or if I strayed into supporting GOP candidates, I would lose my job. Whether or not everyone’s votes were being monitored, I wasn’t going to risk it, especially as this was my first job out of college. I can’t prove anything, and my recollection might be fuzzy, but there was no denying that the city spent decades in the iron grip of this political machine.

I am telling you this because I have spent a lot of time researching voting fraud over the past several years, and can tell you that our elections have come a long way since my Albany days. I based this on first-hand knowledge, having spoken to IT managers at state offices, election researchers, and others who are in the know. Let me first present a few links for you to establish some bona fides.

First up is Alex Halderman’s analysis of the 2020 voting irregularities in Antrim County, Mich. This was the scene of numerous recounts — five of them — and the source of a lot of conspiracy theories. If you read Alex’s paper, you will see that many of these theories were easily explained by more obvious error sources, namely humans. I have met Alex in person and interviewed him on this topic and he is a very sharp guy.  His paper concludes: there is “strong empirical evidence that there are no significant errors in Antrim’s final presidential results, including due to any scanning mishap.”

Copies of the voting machine software eventually found their way to Mike Lindell and his bogus “CyberSecurity Summit” that he held in South Dakota in the summer of 2021. One of the attendees at that conference was a long-time colleague Bill Alderson. He was interested in getting the promised reward of $5M to prove voting irregularities. You can watch Bill’s interview with local TV news where he unequivocally states that the data claimed by Lindell was a nothing burger (he had more colorful language when I spoke to him this week). In other words, there was no fraud, no evidence, nada. Bill never got a dime for his troubles, BTW.

There was several other county voting offices who were invaded by so-called security analysts looking for fraud. But they ended up doing their own fraud — and are now being charged for this by various legal efforts. These folks obtained copies of similar machine software and vote tally data cards. One of these locales was Coffee County, Geo. The AP ran this story about what happened last September and there was plenty of video footage, along with the data cards shown in the photo below that were given to these analysts. (Here is an excellent analysis from Lawfare too.)

As the 2020  election was happening, I was part of the CISA press group who was on the phone interviewing various officials on November 3rd. Granted, CISA had their own horn to toot, but from the evidence that I saw, the election happened without any major troubles. Yes, Chris Krebs lost his job shortly thereafter, which should tell you something about his integrity.

One lie that I hear often is the manipulation of mail-in ballots was done in a such way to swing the vote totals. Here is another data point: Colorado has been running universal mail-in ballots (meaning every registered voter gets one by mail, whether they want to use it or not is up to them). For years they have running fair and accurate elections. Neither major party had a problem with that, until the more recent elections. Here is a link to their info page, just to give you an idea of what they do. (Many states have had pre-Covid universal mail-in operations, BTW.)

Now, I warned you  — here comes the hard part for me to write about. We are approaching a very dangerous time in our country. There are many people who believe this massive voting fraud happened, despite various genuine IT consultants’ evidence to the contrary. I am not here to try to convince them of the error of their ways.

But let’s talk about something that I find even more distressing. Please check out this recent Politico post on what happened last week at the Vegas BlackHat conference. To provide some context, each year this hacking event features various “villages” where a bunch of attendees come to try to break stuff, in this particular case voting machines. (I wrote about the 2020 election village DEFCON event for Avast here.) Given the state of our society right now, this year they put on some extra physical security for the event. And if you believe Politico’s reporting is accurate, it is very chilling to see.

By now many of us have heard about how elections officials have been threatened both at home and at their offices. According to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77% said those threats had increased in recent years. Many have quit the field entirely.

That is bad enough, but now these threats have blossomed beyond the folks running the elections to include digital security researchers that are looking into election and voting-related matters. And I am thinking about my early Albany experience. Yes, we have issues with vote counting and certainly there is plenty of mistakes made over the years. But to annoy and threaten the people who in many cases volunteer their time and do their civic duty and claim they have evil intent, just because the election didn’t go your way is a horse of a different color.

Where do we go from here? I don’t know. But thanks for reading this far.

Small businesses have so much trouble with their IT support, especially if they are really small, have been around for a long time, and have owners that have just enough knowledge to know that they can do better. This was brought home to me with a nearly hour-long call with a friend of mine whom I will call Bob. Bob has four full time staff and several part timers, and has been in business for decades. We go back to the 1990s and have remained in touch, and he has called me for help on numerous times over the years.

I don’t mind being his IT support guru, and hey, I get to write this column as a result to share his pain with you. Let’s dive in.

Bob has several problems that he revealed by peeling layer by layer during our conversation. First was an aging Mac, and by aging I mean of late 2015 vintage. It is too old to run the current MacOS, a situation that I am all too painfully aware of myself. More on that in a moment. Then he needs a new printer. And what about his website? That has been down for some time, thanks to a variety of things.

And for DNS nameservers he is still using a friend from the dawn of the internet who has his own business to run — and the friend sometimes forgets that Bob’s email depends on him when he upgrades his servers, which will happen from time to time over many years. Bob is fearful about making any changes without understanding what he is doing. Oh, and by the by, his emails are getting blocked because he hasn’t set up DMARC/SPF et al. properly. And by properly, I mean he hasn’t set any of this up at all. And could his issues be due to a bad DNS entry somewhere? Perhaps.

Bob is typical of many small business people. They aren’t computer experts, even though Bob certainly knows his way around the tools mentioned above. But Bob has several things working against him:

1. As he reminded me, I once told him his problem is that he takes really good care of his gear, but then hoards it way beyond the sell-by date. I am alot like him in that regard: last year I bought a Mac Studio that replaced a ten-year old Mac Mini. But the longer out you go with your gear, the harder it is to replace it. It took me months agonizing about this decision, so long that I missed several product review opportunities because I couldn’t run modern applications. Bob just wants to get his work done, he isn’t using anything special. Just old.
2. He likes the all-in-one iMacs. I don’t: if you have to upgrade, you have to toss the whole unit out. Much better to have a separate monitor, and to have a system that you can add parts to it as needed. He does max out on memory when he buys his gear, which is a good strategy. But that 2015 vintage is time for the donation bin.
3. He has multiple suppliers for his online presence. Having one ISP as his registrar, another one for his email, another for his website, and probably a few others for bits and bobs isn’t a good situation. I have two major ISPs: one for my registrar (GoDaddy) and Pair.com for my content (email lists, website). Make that three ISPs: I also use Google Workspace for my regular email functions. See how hard it is to keep track? As for Bob, his friend from the dawn of the ‘net is now ghosting him, and he doesn’t know what to do.
4. He set a lot of this up years ago, back when things were simpler. That means his security exposure is a lot greater. Take the DMARC/SPF issue. It took me about six months and lots of help (in my case from Valimail) to get this working properly. Bob is frozen in indecision about how to even start on this particular project.
5. He likes to have vendors that he can call up on the phone and talk him through things. I do too — that got me into trouble when my ISP died from Covid. He was a one-man operation, but once he was gone there wasn’t anything there. The trick is finding a company that prides themselves on good phone support. I am happy to report that Pair does a terrific job in this regard.

Bob will eventually figure this stuff out, get the right gear, and bring his operation at least into the 2020s. But all of this takes time away from doing productive work that generates income for his business. And that is the rub that many smaller businesses have to deal with: they aren’t IT specialists, and they don’t want to be. I don’t have that excuse: I have to play an IT guy on TV, or at least on the internet, every day.

You no doubt have had a package stolen from your front porch or know someone who has experienced this. And thanks to Covid, we are all using delivery services more often, which just increases the market size for porch pirates, as they are called.

The pirates are getting some pushback thanks to tech. First came the video-streaming door cameras (like Ring, now part of Amazon) that could capture them and report them to authorities. That made a small dent in their operations. But a better solution is happening in Singapore.

If you live there, for the last several years you can have your packages delivered to one of now 1,000 public lockers that are all over the island. If you have ever used the lockers that Amazon has at Whole Foods or one of its other storefronts, you get the idea. It is a wall of lockers of various sizes with a computer controlling access. Once you authenticate yourself, a door opens and the package is revealed. The lockers are built and operated by Pick Network and are called the Locker Alliance Network (which sounds vaguely Terminator-ish but let’s move on). You choose the locker installation nearest to your home or office or wherever you happen to be, and the delivery company will get the package there. On the company’s website, you can locate the nearest locker and you can see by the map how dense they are spread around the country.

To give you some sense of scale, Singapore is a very densely settled area about half the size of Rhode Island but with five times its population. I spoke at a conference there back in 1998, and was amazed at its diversity of languages and culture: fortunately for me, almost everyone these days is educated in English. It is very modern and apart from the signs in Chinese characters, you could have been in any major downtown city. Back then their freeways had one of the first open road toll collectors (meaning no booths that were designed for variable congestion pricing and no slowing down), something that took a while to show up elsewhere in the world.

It isn’t completely one humongous city like Hong Kong, but the density it does have makes something like the locker network functional. Pick claims lockers are within walking distance for most people. You can also drop off packages at the lockers, again like what we can do at Whole Foods.

Having a “last mile” solution is significant in that it has other benefits: there are fewer delivery vans tying up the roads, and less carbon consumption too. BTW, don’t you hate that term? How else should we refer to the contact with customers — maybe “first mile!” You get my point. And it is an open network, meaning (unlike Amazon), any delivery company can integrate with their own systems.

According to this article in the local newspaper, usage was initially slow but seems to have caught on, at least given by the increasing size of the locker network. It helps that Pick is federally funded. The delivery companies saw major increases in their own productivity, the story reported, although not clear how this was calculated.