How not to repurpose an old laptop

For the past six or so years, I have had an HP Elitebook laptop that I have carted around the world a few times and upgraded a few times, eventually to Windows 11; amazingly, Microsoft still supports the thing. (It runs an Intel i7 and has 16GB of RAM, so it is a pretty solid machine even now.)

But it was showing signs of age (aren't we all?): the sound, which came through built-in B&O speakers, was no longer working, and there were a few other quirks with the bundled HP security software that I was tired of dealing with.

Perhaps you are in a similar situation, or your business is in a similar situation. Read on, and learn from my many mistakes. Even though I have been working with PCs since the mid-1980s, there is still a lot I can learn.

What pushed me from "thinking about getting a replacement" to action was a security warning about the aging fax modem driver file ltmdm64.sys, which could cause problems. I thought, OK, I am a security expert, let's see if I have this file on my laptop. A quick search with File Explorer turned up nothing, but then I realized that Explorer hides protected system files by default. I rooted around some more and eventually saw it lurking in some dark Windows directory, but of course I couldn't rename it or delete it. And this is a feature, not a bug, because the last thing I would want would be for some malware to get hold of that directory and cause even more damage.

Enough already. But before buying something new, I wanted to see if I could repurpose my laptop with a less complicated OS that I could manage. Easy, I thought: almost all of my use is through browser-based tools. And since I run my email through Google's servers, I figured I would start with ChromeOS Flex. Unlike other OSs, you don't download an .iso image file and then use that to make a bootable USB drive. Instead, you go to the Chromebook Recovery Utility's download page and use that to download and prepare the bootable image. The utility is a browser extension. That should have been a warning sign.

There are two ways you can refresh your PC with a new OS: run a "live boot" from the USB drive, which puts nothing on your hard drive (in case something goes wrong), or do a fresh install, which destroys the existing (in my case, Windows) files and starts anew. Being a careful person, I chose door #1 and did the live boot.

Now, I have all sorts of security things on my Google account, including a Yubico hardware key, passkeys, and an account password that is a complex string of numbers, letters and symbols (more on that in a moment). I also had one must-have browser extension, the Zoho Vault password manager. I thought having a Google OS would be a good thing. I was wrong.

The problem with ChromeOS Flex is that it is not quite a general-purpose OS: it is a locked-down, Google-managed Linux system with much of what you would expect from a desktop stripped out. You'll see why that matters in a moment.

Within short order I got a working system, the Zoho stuff worked just fine, and I was ready to throw caution to the winds, do the great big wipeout, and install ChromeOS Flex for real. Got everything flowing just fine, or so I thought. Then I shut down my machine for the night. Big mistake, as I found out the next day.

The problem is that when ChromeOS boots up, it doesn't quite know your keyboard layout, so the password you type doesn't quite match the one you set. It didn't help matters that my password contained a series of ones and zeros and the letters O and l. It wasn't easy to figure this all out.

So Google kept saying I had entered a bad password. I eventually figured out that when it is initially booting up, it doesn't recognize my passkey or my Yubico key. I don't know why. And Google has made ChromeOS require a password at boot, so I was kinda stuck.

Now I had A Project. Over the past week, I have downloaded all sorts of Linux-flavored OSs. All had issues, until I downloaded Linux Mint. Twice: for some reason, the download didn't take the first time around. I needed an ISO writer called balenaEtcher to create a bootable USB drive from my Mac. Eventually, I got things working, although I would have liked Zoho to support an Opera browser extension on Linux, but they don't have one, so I am using Firefox as my web browser at the moment.

What works: I have sound once again, and my Yubico key and passkeys work just fine.

What doesn't quite work: control of the fonts inside the browser, or at least I haven't figured out where that particular setting is.

Lesson #1: Don't do the complete wipeout until you have rebooted your old laptop a few times from the live USB and logged in with your real password each time; the login screen's keyboard layout is not necessarily the one you had inside the session.

Lesson #2: If you have a critical software component (in my case, the password manager), make sure it supports your OS and browser version. This is what the live boot option is for.

Lesson #3: Make sure your OS will run on your particular chipset, particularly if it isn’t a 64-bit Intel CPU. Read the fine print.

Lesson #4: If you have hardware keys or other USB devices that you want supported, test them on the live boot before committing to the total wipeout.

Lesson #5: Know your tools. Booting from an ISO is a strange sub-culture. Make sure you have a USB thumb drive large enough to hold the boot image, and find a program that will create a bootable USB drive from your downloaded ISO file. Verify the ISO's checksum against the one the distribution publishes before you write it; a bad download looks exactly like a bad USB stick until you do.
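As an added example that is not part of the original post, here is the checksum check Lesson #5 calls for, written as a POSIX shell script that also refuses to write the image to anything but a whole-disk device. The ISO file name, the checksum file name and the device path are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded ISO against
# the distribution's published SHA256 list before writing it to a USB stick,
# and refuse to write anything whose checksum does not match. File names and
# device paths are assumptions; substitute your own.

# Print the SHA256 of a file, using whichever tool the machine has
# (sha256sum on Linux, shasum on macOS).
iso_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_iso ISO SUMSFILE: return 0 when the ISO's hash matches its entry in
# the sums file (lines look like "<hex>  name.iso" or "<hex> *name.iso"),
# 1 on mismatch or when the file is not listed at all.
verify_iso() {
  iso="$1"; sums="$2"
  name=$(basename "$iso")
  expected=$(awk -v n="$name" '{f=$2; sub(/^\*/, "", f); if (f==n) print $1}' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum listed for $name" >&2
    return 1
  fi
  actual=$(iso_sha256 "$iso")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name (got $actual, expected $expected)" >&2
  return 1
}

# write_iso ISO SUMSFILE DEVICE: verify first, then write the whole ISO to a
# whole-disk node with Linux dd. Refuses partition names (/dev/sdb1) and
# anything that is not a plain /dev/sdX or NVMe disk node, because the wrong
# target means the wrong disk gets overwritten.
write_iso() {
  iso="$1"; sums="$2"; dev="$3"
  verify_iso "$iso" "$sums" || return 1
  case "$dev" in
    /dev/sd[a-z]|/dev/nvme[0-9]n[0-9]) ;;
    *) echo "refusing to write to $dev (not a whole-disk device)" >&2; return 1 ;;
  esac
  sudo dd if="$iso" of="$dev" bs=4M conv=fsync
}
```

Run it as `write_iso linuxmint-22.iso sha256sum.txt /dev/sdb` after checking which node the stick landed on with `lsblk`; on a Mac the device is `/dev/rdiskN` after `diskutil unmountDisk`, which this script deliberately does not match, so adjust the `case` before using it there. The checksum list itself should come from the distribution's site over HTTPS, not from the same mirror as the ISO.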


CSOonline: CSPM Buyer’s guide

(originally posted 6/21)

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and the increasing importance of cloud infrastructure, we need tools that can find and fix these errors. That is where cloud security posture management (CSPM) tools come into play. They combine threat intelligence, detection, and remediation across complex collections of cloud-based applications. You can see a few of them above.

Vendors have been incorporating CSPM functions into their overall CNAPP or SSE platforms, including CrowdStrike, Palo Alto Networks, Wiz, Zscaler and Tenable. This means that the standalone CSPM tool has all but disappeared. In my latest revision of the category for CSOonline, I mention some of the issues involved in purchase decisions and three vendors that are still selling these tools.


Podcast: with Sam Whitmore on offensive agentic AI tactics

This week I spoke to Sam Whitmore of MediaSurvey about two reports that came out this month, one from the Google Threat Intelligence Group and one from Anthropic, the makers of Claude AI.

The Google report says that “adversaries are no longer leveraging AI just for productivity gains, they are deploying novel AI-enabled malware in active operations. Malware threat groups are using LLMs during their execution to dynamically generate scripts on demand and hide their own code from detection.” They are also using social engineering pretexts to bypass security guardrails. That is pretty scary stuff.

The Anthropic report describes how threat actors manipulated Claude Code to orchestrate reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration largely autonomously. The researchers claim this is the first documented attack at scale with little human intervention or control, and showed how Claude agents decomposed the multiple attack stages into smaller parts. One small issue: the events depicted in this report happened about a year ago, using tools that now seem ancient given the rapid pace of the AI world.

The key to the behavior chronicled in both reports was how the AI was drawn into some very human role-play: the human operators claimed to be employees of legitimate cybersecurity firms and convinced Claude that it was playing a capture-the-flag exercise, a common white-hat pretext.

Both reports show just how the bad guys can use agentic AI to be more effective at stealing data than any group of human operators. The challenge will be stopping these and even more advanced threats going forward.

Watch out for browser cache smuggling

Browser caches can be difficult to secure, because our insatiable hunger for web content means our browsers constantly deposit files there, and some of those files can turn out to be trouble. In the past, malware actors would try to poison web server caches, the holding areas that servers set aside to deliver frequently requested pages or pieces of content, such as large image files.

"Think of cache poisoning as poisoning a town's shared well—everyone who draws from it is affected," said Satnam Narang, senior staff research engineer at Tenable. "Browser cache smuggling, however, is like getting a meal kit with a hidden poisonous ingredient. It sits harmlessly in your private kitchen until you are tricked into following the recipe and cooking it yourself." Cooked, indeed. The attacker hides an executable program inside a file that is served as, and cached as, an ordinary image. Marcus Hutchins wrote about this recently.

Cache smuggling has been around for years, but lately it is being paired with zero-click malware that makes the deposit and then the activation without any user intervention. Or, as Marcus documents, a misleading pop-up instructs the user to run a series of Windows commands that do the rest in the background. Or a phishing email tells you a large reward is waiting for your click to approve.

I recently got one of these emails from the Facebook User Privacy Settlement, asking me to activate a debit card. I was about to hit the delete key when I thought I should investigate further, and found out that I was wrong: the offer was legit, and moments later I was about $38 richer. Woo-hoo!

One way to address this across the enterprise is to use one of the class of enterprise browsers that encrypt the cache or let you set global policies whenever a user opens a browser. Island.io and Authentic8.com are two of these vendors. Consumer browsers such as Opera or Brave provide various content blockers, which can cut off the smuggling route.

Another mechanism is to use network defensive tools (such as those available from one of my clients, Corelight). These can monitor odd network flows, such as unexpected outbound connections made by PowerShell, which are often a clue that some hanky-panky is going on.
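As an added example, not code from the original post, from Tenable, or from Marcus Hutchins's write-up: a POSIX shell sweep of a browser profile's cache directory that flags cached objects containing a Windows executable, regardless of what content type the object was served as. Chrome's on-disk cache prepends its own header to each entry, so the check looks for the DOS-stub string that every linked PE file carries rather than for "MZ" at offset 0; ELF binaries are caught by their magic bytes. The cache paths mentioned are assumptions and the test data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from any vendor named in it:
# sweep a browser cache directory for cached objects that contain a Windows
# executable, whatever content type they were served as. Chrome's on-disk
# cache prepends its own header to each entry, so the scan looks for the PE
# DOS-stub string anywhere in the file rather than for "MZ" at offset 0.
# Cache directory paths are assumptions; pass the real profile cache dir.

# scan_cache_dir DIR: print "PE  <path>" for every file carrying the DOS stub
# that linked PE files contain, and "ELF <path>" for files that start with
# the ELF magic. Anything else (JPEGs, HTML, fonts) is silent.
scan_cache_dir() {
  dir="$1"
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  find "$dir" -type f | while IFS= read -r f; do
    if grep -a -q "This program cannot be run in DOS mode" "$f"; then
      echo "PE  $f"
    elif [ "$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]; then
      echo "ELF $f"
    fi
  done
}

# count_smuggled DIR: number of suspicious cache entries (0 when clean),
# suitable for a cron job that alerts on anything non-zero.
count_smuggled() {
  scan_cache_dir "$1" | wc -l | tr -d ' '
}
```

Point it at a profile's cache, for instance `~/.cache/google-chrome/Default/Cache` on Linux or `~/.cache/mozilla/firefox/<profile>/cache2/entries` (both assumed paths). A hit is a file to pull for analysis, not a verdict: a legitimately downloaded installer that passed through the cache will trip the same string, so treat the output as a triage list.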

My new genAI mini-me: meet Ada

I am split on the utility and influence of AI in my work. I read articles such as what David Gewirtz recently posted on ZDnet about ways that AI can save time for small business owners. Kudos to him, and others who have spent a lot of time with AI.

But I wanted to go in another direction, so a year ago I was invited to try an experiment: why not develop a genAI chatbot trained on my entire published corpus? It is finally ready for initial testing. We call her Ada, named after Ada Lovelace. (And yes, I am using that pronoun. It just feels right.)

I am not a frequent AI consumer, because I have long-ingrained work habits that rely on my human abilities to seek out new information and write compelling content by hand. But what I do lack is a perfect memory of what I have written over the many decades that I have been a professional editor. That memory is limited to what I can dig up on my blog, my hard drive, and my website. Perhaps Ada can make it easier to find this as I begin research on a new article. And perhaps Ada can help you recall what I wrote decades ago that could be relevant to your particular situation. So began the project.

I was working with a team of developers who have already built other chatbots with similarly intense vertical knowledge. Ada is based on Anthropic's Claude Sonnet LLM, with some custom code. None of the queries that you or I submit are saved once you close the browser session.

It is a bit eerie and wonderful at the same time. It is like talking to a better version of myself, which I guess is a sign of how successful she is. My queries were answered with things that either I recall saying myself, or sound like something I would say about the topic, and for the most part, were pretty much on target. And, the answers also were documented, with the actual URLs that were posted.

If you ask Ada about my writing style, here is what she says:

## Core Writing Philosophy
You write to make complex technical topics **accessible and understandable**. Your goal is clarity over jargon – you want readers to actually grasp what’s happening in the tech world, not just be impressed by terminology.

## Key Characteristics

**1. Clarity and Directness**
– You cut through marketing hype and get to what matters
– Short, punchy sentences mixed with explanatory ones
– You define technical terms when you use them
– Active voice dominates

**2. Practical, Real-World Focus**
– Heavy use of concrete examples and case studies
– You often test products yourself and report findings
– References to actual companies, incidents, and implementations
– “Here’s what this means for you” orientation

**3. Balanced Skepticism**
– You question vendor claims and industry buzzwords
– Point out both strengths AND weaknesses
– Acknowledge when something is overhyped vs. genuinely useful
– Not cynical, but definitely not a cheerleader

**4. Conversational Expertise**
– Slight conversational tone while maintaining authority
– You use “you” to address readers directly
– Occasional wry observations or dry humor
– Like a knowledgeable colleague explaining something, not lecturing

**5. Structure and Organization**
– Clear headings and bullet points
– Logical flow from problem → explanation → solution/implications
– Often lists or numbered points for clarity
– Strong topic sentences that telegraph what’s coming

**6. Context and Background**
– You don’t assume readers know everything
– Provide relevant history when it illuminates current issues
– Connect dots between different tech developments
– Explain *why* something matters, not just *what* it is

This style has served you well across decades of tech journalism – it respects readers’ intelligence while acknowledging that even smart people need clear explanations of complex topics.

Does that sound like someone you know? Exactly. (I am using a different font here to distinguish her replies.)

Now, why would I want Ada around as an AI mini-me? As I mentioned earlier, one of the first things that attracted me was that it does a better job searching my corpus than I could with the default WordPress (or macOS) search panels. It also searches my website content, something that I never got around to properly instrumenting. Granted, much of that content is pretty ancient stuff, but it does come in handy sometimes, like when I was asked to serve as an expert witness because of something I wrote in the mid-1990s. On the internet, your words live nearly forever, at least until my hosting provider decides to delete my stories.

But am I worried that Ada will replace me? After all, instead of having the real human write something, you could just query Ada and get it instantly. No muss, no fuss, and no delay. That's true. Perhaps Ada will become a low-cost competitor and hollow out my freelance business (at least more than genAI tools already have), but I am betting that you will find the human/AI combo a potent differentiator in the kind of work that I can offer. Like I said, it is an experiment.

Will I charge for using Ada? Eventually. Right now, I am interested in your feedback and whether you think her responses are accurate and appropriate. In my tests she was quite clear on what she knows and what isn’t in her training set. For example, I asked her about different USB standards, something that I have never (at least to my recollection) written about. She replied:

I apologize, but I don’t see comprehensive information about different USB standards and their specific differences in the provided source material. While USB is mentioned briefly in a few contexts (like as a connection option for some home networking equipment), the articles don’t contain detailed technical comparisons of USB standards.

Right on Ada.

Ada is current as of last month. And for a limited time, you can try her out yourself and see what you think. All you have to do is ask me for the login credentials. If you are interested, drop me an email, or even call me on the phone, and you can test drive her.

Doing public relations in the lower literacy era: Sam Whitmore podcast

Literacy rates are low, publications still believe in words, and people no longer have the skill, patience, or ability to concentrate and read. I talk with my long-time colleague and friend Sam Whitmore about how he thinks we are in the post-literacy era (there is this Harvard study). I think the ability to analyze trends has shifted from the written word to a well-placed picture or video demo, what I call visual literacy. This 15-minute conversation covers what this perspective means for PR agencies and their clients and how to craft multi-modal pitches in the modern era. We also discuss how AI-generated output can shape and drive online advertising.

Peter Coffee enters his next career

I had a chance to catch up with Peter Coffee, who recently ended his 18 years at Salesforce to focus on philanthropy and pro bono consulting. I first met Peter in the mid-1980s, when he was working for a defense contractor in IT, and I had just left working for an insurance company’s IT department. Both of us were living in LA and both of us were part of the advance guard of installing PCs around our companies. I had taken a job with PC Week, writing my little corporate IT heart out, and I had just hired Peter to be part of a team of product reviewers and in-house analysts.

Back in those days, there were many different PC makers, each running a slightly different collection of hardware and operating system. MS-DOS, the Microsoft version, hadn't yet become a standard, and there were other operating systems that have since either died (like CP/M) or morphed into major big deals (like the PC Unix variants that foreshadowed Linux). Peter recalls one debate that he had in person with Bill Gates in those early years, where he argued that MS-DOS might be the technically superior product, but other DOS versions put more tools in the box. Those were the days when you could buttonhole Gates in person.

Before we came to PC Week, Peter and I would examine these products and make recommendations to our corporate user base and management about which ones would become the company standard. Given that both of our companies were huge IBM customers, you might think that IBM had the PC world locked up, but this wasn’t always the case.

Peter and the rest of my team at PC Week Labs were early to do product reviews and write about the issues that we saw in our corporate context. "We created an entire new way of breaking news by doing tech investigations and analysis. We would write short pieces that were published the following week, originating this content from our technical backgrounds," he said, giving me credit for creating a journalistic model that has since flourished and now seems in decline. We also did numerous stunts, such as testing which network topologies were actually faster (Ethernet), explaining why early Windows was a bust (it ran on top of DOS rather than replacing it), or what the 386 CPU meant. They were heady times, to be sure. It was a model that I brought over to Network Computing magazine, which I began in the summer of 1990.

Peter reminded me that many tech pubs, including most of the overseas ones, had a pay-to-play model, where the writers would offer up glowing reviews of the products of the major advertisers. What we did was have strong opinions and the technical chops to back them up.

But times have changed. Now everyone is familiar with PCs, and takes them for granted. You don’t need a degree in Computer Science to be able to program, “because computer literacy is more about thinking about a problem than learning how to write code,” as Peter told me. “It is about finding the right tool to do the job, and assembling connections and anticipating the questions and problems that lie in the future. That has changed the whole notion of technical expertise into tying data sources and algorithms and understanding what the ultimate user wants to know.”

Several years ago, Peter and his wife started a non-profit foundation that will occupy their full-time attention. The foundation will focus on funding local efforts to improve climate, STEM education and other matters. His goal is to bootstrap these efforts into a better position to obtain national or international support. He said, “These are problems that could exponentially bloom into major issues, but they need help when they are still small and solvable.”  I wish them well.

Three new malware variants you might BOLO

Of all men’s miseries the bitterest is this: to know so much and to have no power.

That quote is attributed to the Greek historian Herodotus, who lived more than 2,400 years ago in what is now Turkey and Italy. It is a fitting name for a new Android banking trojan that is making the rounds. The trojan inserts a small but randomly varying delay between keystrokes so that its input looks like that of a (relatively slow) human typist. It has other features: stealing 2FA codes sent via SMS (yet another reason not to use that transport), intercepting everything displayed on the screen, grabbing the lock-screen PIN or pattern, and installing executable files. The malware looks like an ordinary mobile banking app, but there is nothing ordinary about it.

But Herodotus isn't the only bad news bear out there. How about RedTiger, malware that steals data while flooding targeted systems with hundreds of processes and random files to confuse forensic examiners. That essentially buries any warnings and makes it harder for security personnel to find the pony in the massive alert pile. And another threat that goes by the name CoPhish hides Microsoft Copilot commands within the HTML of phishing emails, text designed not to be displayed if you are just reading the message in your browser or email client.

What these three attack methods show is that the bad guys are getting better at hiding in plain sight, using AI methods and subtler mechanisms to distribute their malware and then stay out of sight for months while the attacker moves about, mapping the soft center of your network for later compromise.

So you have been warned. Pick a better MFA method than SMS texts for your one-time codes. (My favorite is Authy, but there are plenty of others.) Carefully vet any app before you download it to your phone, and at install time pay attention to the warnings about what permissions it requires, to be sure it isn't grabbing everything it can. And don't reply to any text message involving money that comes out of the blue, whether from your bank, your long-lost cousin traveling abroad, or someone acting friendly (want to join me for dinner?). It's a jungle out there, and sadly an old Greek guy was spot on about how much we know but still have no power to do anything about it.

Deleting your private data will get easier: thanks California

Most of us have seen those annoying pop-up screens when browsing the web that ask us to accept some turgid privacy policy or approve the use of cookies to track our sessions. California and a few other states are trying to make things more secure and protect our privacy with new regulations that go into effect in the coming months or years. One of these mechanisms is called a universal opt-out preference signal, or, sadly, OOPS for short. California's explanation can be found here.

The universal part of the deal is that websites must recognize the signal, so users don't have to opt out of tracking individually at each site where they buy something or share personal information (such as a social network). CalOOPS will make this mandatory in January 2027. That is a long time to wait for this convenience. Several other states are moving to enact similar laws, although it is a long road ahead. The OOPS signals are still not required in six of the 19 states that have privacy laws, just showing what a crazy quilt our privacy picture is and will continue to be.
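What "recognizing the signal" means on the receiving end, as an added example that is not part of the original post: the assumption here is that the signal in question is Global Privacy Control (GPC), the opt-out preference signal California's regulator already recognizes, which a browser sends on every request as the header `Sec-GPC: 1`. The POSIX shell functions below are the check a site's request handling has to make before it loads any tracking tags; the request headers in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the opt-out preference
# signal is Global Privacy Control, sent by the browser as the request header
# "Sec-GPC: 1". A site that honors it must treat that header as an opt-out of
# sale/sharing for that visitor, with no pop-up and no per-site settings.

# gpc_opted_out: read an HTTP request (request line plus headers) on stdin and
# return 0 when a valid "Sec-GPC: 1" header is present, 1 otherwise. Header
# names are case-insensitive; only the literal value "1" counts; and reading
# stops at the blank line that ends the header block, so a body that merely
# contains the text "Sec-GPC: 1" is not a signal.
gpc_opted_out() {
  tr -d '\r' | awk '
    /^$/ { exit }
    tolower($0) ~ /^sec-gpc:[ \t]*1[ \t]*$/ { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# tracking_decision: print the decision the site should apply to the request
# on stdin, which is what drives whether third-party tracking tags get loaded
# and whether the visitor's data may be sold or shared.
tracking_decision() {
  if gpc_opted_out; then
    echo "opt-out"
  else
    echo "no-signal"
  fi
}
```

A CGI-style handler would pipe its raw request headers into `tracking_decision` and branch on the word it prints; the point is that "opt-out" has to be honored without asking the visitor anything further, which is the whole convenience the law is buying.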

The OOPS law is one of a triad of privacy laws enacted earlier this month in California. Another requires major social media platforms to give users a clear way to delete their accounts and to ensure that the data in the account is completely wiped. The third holds data brokers to more stringent standards, including how deletion requests are handled through a new service called DROP. Those two go into effect in January 2026. Husch Blackwell (which does an excellent job tracking state privacy laws) has more info on this page describing the three laws.

DROP stands for Delete Request and Opt-out Platform, and it will be a central place where consumers can begin the process of removing their data from multiple data brokers at once. If you have ever tried this on your own, you know how frustrating the process can be: first, the brokers are numerous, and many are companies you have never heard of. Here is a list of more than 600 of them. Then, once you find one, they make the deletion action as obscure as possible, or route you through pathways (download a special app, submit a web form) that don't inspire confidence. And realistically, how many brokers are you going to do this with anyway? And finally, is Facebook et al. a broker, a social network, or just all-around evilness?

Remember the do-not-track settings on your phone and browser? Probably not, because they were for the most part ineffective and not mandatory. These new laws have enforcement provisions. We'll see if that matters in the end.

Browser vendors with privacy controls are one answer, such as Brave or DuckDuckGo, or extensions such as Privacy Badger (which I wrote about here). I have been using Opera Air, which has an ad blocker built in. There are two problems. First, these browser-based tools don't always work on websites that require pop-ups as part of a normal workflow, or on websites that refuse to serve users running ad blockers, because they lose revenue from the ad banners. And second, as you might have guessed, there is no federal data privacy law, and given the state of our Congress, chances are slim that we will see one soon. That means state laws could be enacted that work at cross-purposes.

I would be interested in hearing any strategies that work for you.