How to become an American ex-pat

I have known Rich and Marcia, an American married couple who both work in tech, for decades. This is the story of how they decided to pack up and move to a suburb of Lisbon, Portugal. I recently interviewed them via Zoom.

They started looking at so-called Golden Visas back in 2016. (You can figure out the significance of that date.) This type of visa lets people with sufficient means emigrate to a country and live there permanently. The couple became interested in Portugal and vacationed there a few times before the Covid lockdowns. “There was no second choice country,” Marcia said. They got temporary resident status last summer, and moved there for good in March. They are both about my age and mostly retired, although Rich continues to work in tech a few days a week. “We wanted a higher quality of life, and wanted to find a place where people aren’t as obsessed with work or doing the Silicon Valley 24/7 hustle to get ahead,” they said. So far things are working out: “We are eating better things that taste better and cost much less.”

Well, almost. “March was horrible,” she said. “Our cognitive load was intense, and we found bunching up errands wasn’t going to work. We had to spread them out more.” Part of the problem is that the Portuguese do things somewhat differently, such as activating a credit card (you first use it to buy something in an actual store, then go through the activation process in person), doing more business f2f, or navigating governmental processes that involve multiple forms and understanding the sequence involved. (I would say I have the same problem dealing with the City of St. Louis.)

But since then things have gotten better. “It really changes your nervous system, and we are a lot more chill here than in the States,” she said. As an example, the recent extended power outage wasn’t any big deal for either the couple or their neighbors.

Here are some lessons they have learned:

  1. If you make the move, understand that you aren’t going to replicate your American lifestyle. “You need to figure out what the natives do and how they live, and build on that,” they said.
  2. Throw away any preconceptions that you formed before the move. “Most of them were flat out wrong,” they said. Amazon Prime next-day delivery? Not in Portugal. Packages will arrive seemingly at random. (I could say the same thing about my own Prime service, sometimes.) Two-factor authentication works slightly differently too. Milk is sold in shelf-stable ultra-pasteurized containers, not in the fridge aisle. There is less of a selection of consumer goods, but a wider range of less expensive options to balance it out.
  3. Be patient with building your personal friend community. “There is a lot more emphasis on f2f interactions,” they said, and your community might end up spreading across several cities or even countries. Expect this to take months if not years to build up your network. They initially picked their location because of its large English-speaking ex-pat community, but even so it will take time to find their peeps.
  4. Understand your relationship dynamics as a couple. If you are thinking about moving as a couple, realize that after you move you will be dependent on each other for large portions of the day and the majority of situations. If you are used to spending time apart for particular activities, that may require some adjustments. “We are much more tightly bound to each other and have a different dynamic, because we don’t speak the language and have to depend on each other,” she said.
  5. Get your consulting team together to ease the transition, especially if you aren’t fluent in the language. The couple does speak a little Spanish, which is a different language from Portuguese. “But it is the little things that catch us,” they admitted. Who is on their team? Someone who can help navigate the healthcare system (a combination of private and public providers), someone who can help navigate government paperwork and processes, a relocation consultant that is local to your target area to help set up your household, and a lawyer to handle the initial visa requirements. All of these folks will save you a lot of time and frustration and school you in how Things Get Done.
  6. Don’t make the move all about saving money. Yes, plenty of places are less expensive than the States (which the couple charmingly refers to as “the old country”), but not necessarily by a big enough discount, and not necessarily uniformly across all expense categories. For example: healthcare. “We get ten times the service at a tenth of the cost of what we had in the States,” Rich said. “Healthcare is a human right here,” said Marcia.

Book review: Hive by DL Orton

The book Hive by DL Orton is a winner. We have time travel, the multiverse, a romance that spans decades, and an evil billionaire who is trying to conquer the world with his technology. There is something in this sci-fi novel for everyone, and I thoroughly enjoyed it. The couple at the center of the plot finds themselves in dire circumstances, trapped in a biosphere-like structure with a snappy AI companion that is part HAL, part Hitchhiker’s Marvin, only in much better moods. There are cameo references to those and other seminal sci-fi works to further delight readers. I won’t tell you how it ends, but the couple’s journey through multiple universes and space-time is interesting and delightful. Highly recommended.

CSOonline: Top tips for successful threat intelligence usage

Enterprises looking to stem the tide of breaches and attacks usually end up purchasing a threat intelligence platform (TIP). These can take one of several forms, including a managed cloud-based service or a tightly coupled tool collection that provides a wider risk management profile by tying together threat detection, incident response and vulnerability management. More than a dozen vendors offer TIPs, and I will be posting my buyer’s guide in a few weeks that goes into more detail on some of them. In the meantime, you can examine my top tips for selecting a TIP here on CSOonline.


Privacy perils of the connected car

The connected car has become the latest casualty in the war on personal privacy. This is because your car’s “subscription-based features drastically increase the amount of data that can be accessed during law enforcement investigations,” Dell Cameron wrote for Wired magazine recently. And while most car makers state that they won’t release this data without some kind of court order, that isn’t the final answer. What congressional investigators found is that some car makers will divulge this data simply when contacted by law enforcement. And then there is this: there is no hard and fast rule about what data can be collected, because it varies by the make and model of your car, whether you once had any connected car subscription service (such as GM’s OnStar), and what broadband provider you use.

Read that last sentence again. Even if you cancelled your OnStar subscription, your Chevy might still be recording when you took it to the levee. There is direct evidence of this in police documents from several investigations that Wired and the ACLU reviewed.

I wrote about connected car issues almost three years ago, but not from a privacy POV. That post shows that car companies have embraced subscription services, thanks to Tesla’s early lead (so much for that) and a realization that they could extract recurring revenue that had a better aura than so-called “extended warranties.” Figuring out the costs of the various subscription options is still not easy. For example, GM’s OnStar has a confusing series of different plans. With BMW, you can get an idea of what connected service is available here, but to get actual prices you will first have to become a BMW customer. Some features are free and some require the latest car OS v9 or are only available on particular vehicles. And for those of you still interested in Tesla, they have a free basic plan, which just includes GPS. If you want more features you will have to sign up for its premium plan, which includes dozens of other features for $10 a month. And we found out the hard way that all Teslas are really roving reality video studios, constantly recording from their numerous cameras, when one of their cars blew up outside a Vegas casino.

Think of the data originating from your connected car like a hidden tracking pixel on a web page: you know there is something fishy going on. Whether or not you are paranoid enough to worry about it, or just accept it as another part of modern life, is up to you.


CSOonline: CNAPP buyer’s guide: Top cloud-native app protection platforms compared

It is time to re-examine my review of cloud-native application protection platforms, commonly known as CNAPP. The category has expanded to include more devsecops coverage, such as API and supply-chain security, and more posture management tools for tracking data and SaaS apps.

The category is also under scrutiny because the CNAPP vendor landscape has shifted, most notably around Wiz. Google has agreed to acquire the company and says it will maintain it as a separate division. Check Point Software has formed a strategic partnership with Wiz, has discontinued selling its own CloudGuard CNAPP, and will migrate those customers to Wiz. Lacework has been purchased by Fortinet and is now sold as Lacework FortiCNAPP. Palo Alto Networks has rebranded and reconstituted its CNAPP offering as part of its Cortex Cloud product line.

My review for CSOonline has been updated to include 11 CNAPP vendors. 

Time to get online with the feds

I probably should have written this post a few months ago, but a friend reminded me that it is still relevant, even though many of us filed our taxes last week. As the number of federal employees drops, getting online with the various agencies makes more sense than ever. And for those of you who have so far resisted the effort to do this (and of course it is an effort, even for the most technical and computer-literate among us), now is the time to get online with the feds. If you have tried to call the IRS, for example, or visit a local Social Security Administration (SSA) office (those that are still staffed), you know you will need a tremendous dose of patience.

I should state that getting online with the US government is not quite what it could be, and for how it could be we should look to Estonia, which has been doing this really well for a number of years. The initial experience of getting on board was also somewhat daunting there, but now every national agency offers online access through a single system.

Anyway, back home we have two different central authentication service providers, because why not? The two are ID.me and Login.gov. Not all agencies accept both: the IRS, for example, only uses ID.me. But if you pay your taxes online through the EFTPS.gov service, or want to access your account with the SSA, you can authenticate with either one. The two providers have somewhat different processes for verifying your identity and setting up your account.

ID.me had a lot of growing pains when it was first introduced several years ago. (I wrote about this for Avast’s blog here.) I would not recommend using ID.me if Login.gov is an option for the account you need.

One additional caveat about the IRS. Every January you should use your online account to get an Identity Protection PIN (IP PIN). This prevents anyone else from filing a return using your name and Social Security number, because the IRS will reject an e-filed return for an enrolled taxpayer that lacks the PIN. Make sure to put this PIN someplace where you will find it when you file several months later. A new PIN is issued each year, so you need to retrieve it every January.

Still with me?

Once you sign up and prove who you are to the service(s), an effort that isn’t trivial and can be frustrating, you can then create an online account with whatever federal (and in some limited circumstances, state and local) agencies support that provider. And even if you aren’t old enough to start receiving SSA benefits, you should still have an account with them just to check that your earnings over the years have been properly recorded.

Okay, one final caveat about setting up your accounts. You should protect your account with an additional authentication factor, and both Login.gov and ID.me offer numerous options. The one I use is a USB hardware security key (Google sells its Titan keys, but there are other vendors if you would rather deal with someone else). If you go this route, buy at least two keys, register both with each account, and keep them in different places (such as office and home), so that losing one doesn’t lock you out. You and your spouse can share the same key if that works for you. After you log in to either service, you are asked to insert the key into your computer or phone (or tap it against the phone’s NFC radio) and press the blinking icon on the key to finish the login process. One authentication method you should NOT choose is a code sent via SMS to your phone: SMS codes can be intercepted through SIM swapping and, more commonly, simply phished, whereas a hardware key is bound to the site it was registered with and will not authenticate to a look-alike.

Once you have a hardware key, add it to your logins wherever you can: Google, Facebook, your bank, your insurance company, and so on. Not every site you’d like to protect supports these keys, which is sad and frustrating. Some banks only let you register two keys, which is annoying.

I understand that getting this all setup will take time, and working through the various user interfaces will try your patience. But once this is done, you can interact with the feds digitally, which is a Good Thing. And maybe someday we will approach the digital density that they have in Estonia.

Book review: The Influencers

This novel by Anna-Marie McLemore takes a popular movement, the social media influencer, and wraps a murder mystery around it. Actually, a family of influencers not unlike that infamous LA clan. The family has a bunch of siblings with month names to keep things either interesting or confusing. We quickly learn that the multiple narrators have strikingly different takes on the murder, their roles in the social media pecking order, and whether they deserve all the attention from their digital fans. One daughter has grown to hate her “highly-curated, affiliate-linked life” and is tired of being as glam as possible even if just running out for a few groceries. The family matriarch led the ascent into influencer-land, making millions off of her product recommendations and fancy lifestyle. But the attraction of always being on camera and in front of an audience of admirers eventually cools and there is trouble in paradise. Solving the murder, and hearing various whodunnit theories, occupies most of the book’s back-and-forth conflict amongst the family members, along with whether the murder is an asset or a liability in each person’s brand identity. I liked the initial setup and the personalities of the family, but like them I eventually got tired of trying to keep all the month-names straight.

CSOonline: Agentic AI is both boon and bane for security pros

AI agents are predicted to cut time-to-exploit in half within two years; here is what you need to know to decide whether your business needs agentic AI and how to find the right one. Agentic AI has proved to be a huge force multiplier and productivity boon. But while powerful, agentic AI isn’t dependable, and that is the conundrum. In this post for CSOonline, I describe some of the issues and make some recommendations for how to safely and productively deploy this tech.


A new type of disinformation campaign based on LLM grooming

Most of us are familiar with the Russian state-sponsored Internet Research Agency. The group has been featured in numerous fictional spy movies and is responsible for massive misinformation campaigns that center on weaponizing political social media posts.

But the Russian misinformation network is branching out into the world of AI, specifically into poisoning, or grooming, the training data used by Western AI chatbots. A recent report by NewsGuard documents this latest insidious move.

Called Pravda (not to be confused with the Cold War print propaganda “newspaper” of the former Soviet Union), it targets these chatbots by flooding search results and web crawlers. It doesn’t generate any original content. Instead, it aggregates a variety of Russian propaganda and creates millions of posts of false claims and other news-like items. The Pravda network serves as a central hub to overwhelm the model training space. As a result, many of the most popular chatbots repeat these fictions about a third of the time in their replies. In effect, they have turned chatbots into misinformation laundering machines. “All 10 of the chatbots repeated disinformation from the Pravda network, and seven chatbots even directly cited specific articles from Pravda as their sources,” NewsGuard wrote. Many of the responses found by their researchers included direct links to the Pravda-based stories, and in many cases the AI citations don’t distinguish between reliable and unreliable sources.

What is curious about the Pravda network is that it isn’t concerned with influencing ordinary organic searches. Its component domains have few if any human visitors, and few followers on Telegram or other social media channels. Instead, its focus is on saturating the results seen by automated scrapers, such as the crawlers that assemble AI training data. On average, the network posts more than 10,000 pieces of content a day.

Researchers at the American Sunlight Project call this LLM grooming and go into further detail on how this works and why the Pravda network isn’t designed around human content consumption or any interaction. They show how Pravda makes extensive use of machine translation of its content into numerous languages, which produces awkwardly worded pages. “The top objective of the network appears to be duplicating as much pro-Russia content as widely as possible,” they wrote.

The NewsGuard researchers examined 10 leading large-language model chatbots: OpenAI’s ChatGPT-4, You.com’s Smart Assistant, xAI’s Grok, Inflection’s Pi, Mistral’s le Chat, Microsoft’s Copilot, Meta AI, Anthropic’s Claude, Google’s Gemini, and PerplexityAI.

NewsGuard has been around for several years now and provides various auditing and transparency services. They found Pravda uses more than 150 different domains spreading more than 200 false claims in more than 40 languages, such as claims about Zelensky’s personal fortune and about the U.S. operating secret bioweapons labs in Ukraine, just to pick two. The company, founded by Court TV’s Steven Brill and former Wall Street Journal publisher Gordon Crovitz, began tracking AI-based misinformation last summer. The American Sunlight Project is run by Nina Jankowicz, who has held fellowships at the Wilson Center and other NGOs as well as working for a Homeland Security disinformation board during the Biden years.

The risks are high: “There are few apparent guardrails that major companies producing generative AI platforms have deployed to prevent propaganda or disinformation from entering their training datasets,” writes the Sunlight team. And as the crawled web fills with this garbage, it will get harder for AI models to distinguish genuine human-written content from manufactured propaganda.
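One guardrail of the kind the Sunlight team says is missing is a near-duplicate filter run over a crawl before it becomes training data: the Pravda pattern is the same article republished almost verbatim across many domains, so text that clusters tightly across several unrelated domains is exactly what a pipeline should hold back for review. The Python below is an added example written for this post, not code from NewsGuard, the American Sunlight Project, or any AI vendor. It builds word shingles for each page, computes exact Jaccard similarity, clusters pages with union-find, and flags any cluster that spans a minimum number of domains. The domain names and page texts are constructed for the demo, and the similarity threshold is tuned to them; a real crawl would use MinHash/LSH instead of all-pairs comparison, but the logic is the same.

```python
"""Near-duplicate clustering of crawled pages across domains (added example)."""
import re
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed sample crawl: (domain, text). The first four pages carry the
# same claim with small, machine-translation-style wording changes; the
# last two are unrelated. All domains are hypothetical.
SAMPLE_CRAWL: List[Tuple[str, str]] = [
    ("news-a.example", "Officials confirmed today that the bridge project will be delayed "
                       "by two years because of missing permits, the regional office said."),
    ("news-b.example", "Officials confirmed today that the bridge project will be delayed "
                       "by two years because of the missing permits, said the regional office."),
    ("news-c.example", "Officials have confirmed today that bridge project will be delayed "
                       "by two years because of missing permits, the regional office said."),
    ("news-d.example", "Officials confirmed today that the bridge project will be delayed "
                       "by two years because of missing permits, regional office said."),
    ("local-weather.example", "Light rain is expected across the valley on Thursday, with "
                              "temperatures falling to around ten degrees overnight."),
    ("recipes.example", "Whisk the eggs with a pinch of salt, then fold in the flour a "
                        "spoonful at a time until the batter is smooth."),
]


def normalize(text: str) -> List[str]:
    """Lowercase and keep only alphanumeric tokens, so punctuation and case
    differences between republished copies do not matter."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, w: int = 3) -> Set[Tuple[str, ...]]:
    """Set of w-word shingles; a page shorter than w words yields one shingle."""
    words = normalize(text)
    return {tuple(words[i:i + w]) for i in range(max(len(words) - w + 1, 1))}


def jaccard(a: Set, b: Set) -> float:
    """Jaccard similarity |a & b| / |a | b|, defined as 1.0 for two empty sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_near_duplicates(crawl: List[Tuple[str, str]],
                            threshold: float = 0.5, w: int = 3) -> List[List[int]]:
    """Group page indices whose shingle sets are at least `threshold` similar.
    Union-find makes similarity transitive, so a chain of slightly edited
    copies still ends up in one cluster. Returns clusters with 2+ pages."""
    parent = list(range(len(crawl)))

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    sh = [shingles(text, w) for _, text in crawl]
    for i, j in combinations(range(len(crawl)), 2):
        if jaccard(sh[i], sh[j]) >= threshold:
            parent[find(i)] = find(j)

    groups: Dict[int, List[int]] = {}
    for i in range(len(crawl)):
        groups.setdefault(find(i), []).append(i)
    return [g for g in groups.values() if len(g) > 1]


def flag_cross_domain_duplicates(crawl: List[Tuple[str, str]],
                                 min_domains: int = 3,
                                 threshold: float = 0.5) -> List[Dict[str, object]]:
    """Return clusters whose pages come from at least `min_domains` distinct
    domains: the republish-everywhere signature, as opposed to one site
    that simply hosts two versions of its own story."""
    flagged = []
    for group in cluster_near_duplicates(crawl, threshold):
        domains = sorted({crawl[i][0] for i in group})
        if len(domains) >= min_domains:
            flagged.append({"pages": group, "domains": domains})
    return flagged


if __name__ == "__main__":
    for hit in flag_cross_domain_duplicates(SAMPLE_CRAWL):
        print("hold for review:", hit["domains"])
        for i in hit["pages"]:
            print("   ", SAMPLE_CRAWL[i][0], "->", SAMPLE_CRAWL[i][1][:60], "...")
```

Running it flags the four news-*.example pages as one cluster and leaves the weather and recipe pages alone. The domain count is the important knob: a legitimate wire story is also syndicated widely, so in practice the flag feeds a review queue or a down-weighting step rather than an automatic drop, and the threshold should be calibrated on a labelled sample of the real crawl.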

Personal cyber insurance may be a good idea but has issues

(revised 4/25/25)

A few weeks back, I wrote about a friend of mine that I called Jane who had suffered a phishing attack that led to her losing more than $30,000 in a pig butchering scheme. She called me last week and stopped by to show me that, thanks to her homeowners’ insurance policy, she was able to be reimbursed for $25,000 in losses. This was because of an endorsement that included personal cyber insurance. This is the first time that I have ever heard of such coverage, so naturally I wanted to take a deeper dive.

Probably the best starting point is this 2023 Nerdwallet blog, which also helpfully links to the various insurers. It shows you the numerous perils that could be covered by any policy and makes the point that this insurance can’t cover things that happened before the policy is in force. Another good source is this 2023 blog in Forbes. If you scroll down past the come-on links, you will see the perils listed and some other insurers mentioned.

This complexity is both good and bad for consumers who are trying to figure out whether to purchase any cyber insurance. It is good because the insurers recognize that cyber is not just a category like insuring a fur coat, or some other physical item. If your washing machine springs a leak and you have coverage for water damage, something that happened to me a few years ago, it is nice to be insured and be reimbursed. Whether you get the level of reimbursement that will enable you to rip out your floors, replace them with something of approximate value, and cover your expenses of having to move your stuff and live in a hotel for a couple of weeks is up to the insurer. And whether your claim will eventually trigger your insurer to drop you, and place you on a block list for the next five years, is another story. But you can still purchase coverage, and the coverage is, for the most part, well defined.

But cyber insurance is not well defined, because these various categories of perils can spill over into one another. If your computer is infected with malware and the attackers ultimately get access to your bank accounts, how do you prove that causality to the satisfaction of the insurer? What happens if you are faced with a demand to pay a ransom to get access to your data? Or if you think you are sending funds to help a family member or co-worker in distress who turns out to be a criminal? Many of the problems happen at that hairy intersection between technology and human error.

Before you go any further down this path, I want to take a moment and describe an entirely different approach. What if the financial vendors took a more pro-active role in stopping cyber fraud? It is happening, albeit slowly and under certain specific situations.

One such example is Coinbase, which wrote about what it is doing in a February blog post here. The post presents a series of situations where social engineering played a role in a particular fraudulent scheme. “Coinbase will never make an unsolicited phone call to a customer. Anyone who calls you indicating that they are from Coinbase and wants you to move assets is a scammer. Hang up the phone!” There are other recommendations that span the technical spectrum, such as using stronger authentication factors and rotating API keys. As you may know, Coinbase is deeply involved in crypto transactions, so this is a natural fit.

Contrast this with Bank of America, just to choose one at random. If you know where to look, you can review five red flags used by scammers, including being contacted unexpectedly, being pressured to act immediately, being asked to pay in an unusual way, or being asked for personal information. Unfortunately, they only allow you to register two hardware security keys, which seems to go against best security practices.

And this is why we are in the state of affairs with scammers today. Incomplete, imperfect solutions have enabled the scammers to build multi-million dollar scam factories that prey on us all the time. Just this past weekend, both my wife and I got text reminders that the balance on our EZ Pass accounts was low. There were only two problems: neither of us uses or even lives near anyplace we could use them, and both texts originated from a French phone number. Sacre bleu! This is an attack which has been around for some time but recently resurfaced.

If you have decided to purchase this type of insurance for you or your family, there are two basic paths. First is to see if you can add a cyber “endorsement” to your existing homeowners or renters policy. If this is possible, decide how much coverage you need. Many insurers have these programs, and here it pays to read the fine print and understand when coverage will kick in and when it won’t.

If you have an insurer that doesn’t have this capability, you can go with one of two specialist cyber policies. Nerdwallet summarizes the offerings from NFP (they call it Digital Shield) and Blink, a division of Chubb. USAA (my current home insurer) works with Blink, for example, and offered me an add-on policy for $19/month. Blink doesn’t cover fraud by malicious family members, cyberbullying by employers, or a widespread cyber-attack, among some other situations. From my reading of NFP’s Digital Shield webpage, it seems like these situations are covered by their policies. They told me, “We provide coverage under two different plan options, DigitalShield Advantage and DigitalShield Advantage Plus. Because it is a policy designed specifically to cover cyber risks, it may offer more flexibility and broader coverage than the options afforded by some of the “add-on” cyber options offered by home insurers. We offer coverage limits starting at $25,000 for $64 a year, with options up to $250,000 and also additional home office coverage.” You can price these out on this webpage.

The bottom line? While my friend was able to benefit from her cyber policy, you might not. Visesh Gosrani, who is a UK-based cyber insurance expert, told me “The limits these policies come with are normally going to be disappointing. The reason these policies are being bundled is that in the future homeowners are expected to realize that cyber insurance is important and more open to increasing their coverage if they have already had the policy. The short-term risk is that they end up being disappointed by the policy that they had for free or very little cost.”