Beware of Clawdbot, a new AI tool and potential threat

When I began writing about the potential dangers and benefits of AI a few years ago, I quickly came to the conclusion that the two are very closely tied and both directions present new challenges for enterprise IT managers. The latest development, Clawdbot (AKA Molt.bot or OpenClaw), is a very instructive case study. So what does it do, and what is the threat?

Basically, it is a powerful way to automate your digital life using a variety of AI agents. It is an AI-based assistant, and its use is spreading like wildfire. The top line is that Clawdbot is taking over — Token Security has found it has collected more than 60,000 GitHub reviews and nearly a quarter of its enterprise customers are using it, running it mostly from their personal accounts. They say “It is also a security nightmare, with exposed control servers that can lead to credential theft and remote execution over the internet.” This is no Chicken Little deal — “This rapid adoption signals a significant shadow AI trend that security teams need to address immediately.”

Here are two places that provide a deeper dive. First is security blogger Samuel Gregory, who has an excellent 15-minute demo video in which he says “If you don’t know what you are doing, you can cause a lot of damage.” He shows you some of the guardrails you need to install, explains a bit of the bot’s history, and is well worth watching. But many of his suggestions mean you have to do a lot more work to isolate the bot from your online life — which shows quite starkly the tradeoff of security with ease of use.

Shelly Palmer, who actually uses the tech he writes about, has this post where he documents what it took to get it up and running across his digital life. The bot connects his Slack, iMessage, WeChat, and Discord accounts. He has spent several hundred dollars in tokens to fine-tune it, and says it costs him anywhere from $10-$25 a day — “the bot just eats tokens.”

Part of Clawdbot’s problem is that you can run it on your local hard drive, but that it sends its feelers deep into your corporate SaaS infrastructure. For this to work, the bot needs access to your accounts and credentials. The bot’s website (mentioned above) is proud of this connectivity, saying up front that it “Clears your inbox, sends emails, manages your calendar, checks you in for flights. All from WhatsApp, Telegram, or any chat app you already use.” A story in El Reg goes into further details about the security implications. Not surprisingly, as they mention, “Users are handing over the keys to their encrypted messenger apps, phone numbers, and bank accounts to this agentic system.” Gulp.

The bot has its own package registry where you can download various “skills,” as they are called, to do various tasks for you. This sounds great until you realize — as this one researcher describes (sorry it is a Tweet, forgive me) — that there is absolutely no vetting, and a 100% chance that something you have downloaded has evil intent. Daniel Miessler Tweeted the warning shown below on how to harden any Clawdbot implementation. But many of the fixes depend on personal choices deeply rooted in the realm of Shadow IT. The issue is that it is easy to install, but difficult to install securely, something that many users might not realize in their joy of having a clean inbox and automatically delegating their mundane tasks.

[Image: Daniel Miessler’s tweet on hardening a Clawdbot installation]

SOCPrime used its own tool to find users who have jumped on the Clawdbot bandwagon, and I am sure other threat intel tools will soon have similar posts.

“Yes, there are real issues: plain-text secret storage, misconfigured admin UIs on the open internet, and a skills ecosystem where people blindly install untrusted code,” says Matt Johansen. So keep your eyes open, scan your networks for the appropriate indicators, and educate yourself and your end users on what they are doing and how they do it more securely.

When spreadsheets first entered businesses, I recall how hard IT had to work to stay ahead of our users who were enamored with the new tech. But that was a single piece of software. With Clawdbot, we have an entirely new layer of digital infrastructure, and one that is complex and could be costly as well as open up multiple security sinkholes. Proceed with caution.

I have too much security today

This morning, I had three tasks to complete that involved using various web sites. First, I had found an old recall on a part for my Cuisinart food processor. The recall notice cited a web page that (I assume) was such an old reference that the page has since evaporated. Then I was trying to review the latest charges on my credit card. And finally, I wanted to pay a doctor bill online. Each of these tasks should have taken minutes to accomplish. Instead, the elapsed total time was several hours.

Now, I am not one of those Gen Z’ers that would rather text (or use the web) than talk to an actual human being in real time. Nevertheless, that was going to be how I would solve the Cuisinart Challenge. While the URL for the recall wasn’t in service, they had provided a phone number in the recall notice.

So I called the number and I was told all lines would be busy for the next five minutes and if I wanted them to call me back, just press 1, which I did. A few minutes later I got my call back. Once the support person took down my info, it was quickly processed and a new part was promised within a few weeks. Excellent service: I think I bought that appliance probably 17 years ago.

Next, on to checking my credit card. I called the bank, they started to walk me through the process, and then we both realized that I was using a “secure” browser (Opera Air) that I remembered had some odd quirks, particularly because it blocks ads and popups. Sure enough, once I brought up Chrome, I was off to the races and able to log in without any problems.

That made me think my doctor’s bill was suffering from the same condition, so I tried that in Chrome and hot diggity, problem solved and I could pay my bill just in time for lunch. So much for my morning.

Now, you might ask why I am using Opera Air. I got tired of all the popups and effluvia that I was experiencing with Chrome, and was also annoyed with the Googleplex in general. (Yes, I know, Opera is based on the Chrome code base, but that is just the way the modern browser world operates these days — with the exception of Safari and Firefox. Even Microsoft uses Chrome for Edge nowadays.)

Is there such a thing as using too much security? No. But there is a constant trade-off among security, privacy, and usability. It is a three-way tug-of-war. And the more you tug on one of the three legs, the more the other two will give way.

Coming f2f with a nuclear missile

Last week I happened to be on a vacation in Tucson and stopped by a rather unique museum. Those of you who are long-time readers will recognize this as a feature, not a bug (see my work on the St. Louis Aquarium, NSA’s museum, UX museum design, and the Lincoln presidential library). I went to the site of the last Titan Missile silo.

Titans were first created to launch a massive retaliatory strike back in the 1960s. Each missile contained a single 9 megaton warhead, perhaps the biggest bomb ever deployed. (By way of comparison, the original blast over Hiroshima was 15 kilotons.) They were designed to be launched within a minute or so after receiving the go-code. Three locations were picked, each field containing 17 silos that were essentially self-contained underground environments consisting of a dormitory, a control center and the silo itself. In the mid-1980s, all of the other silos were completely decommissioned and made inoperable.

The museum contains the last remaining silo that has a missile in it (minus propulsion and the warhead of course). If you take the tour you spend about an hour underground seeing it up close as well as witnessing a simulated launch sequence with some of the original control gear.

Now, I thought I knew a lot about nuclear missiles, but I found the experience both fascinating and chilling, especially as we seem to be talking about them more often these days. One fact that I learned is that the Titan collection would be launched in its entirety when the order was given: that meant that all 54 of them would be airborne at once. Whether life on Earth could survive that combined blast isn’t clear; it reminded me of the “Doomsday Machine” that was popularized in the 1960s — of course, that machine was automated. To launch each missile required two human operators to go through a sequence of authentication steps (double-keyed locks, one-time passcodes and the like) to verify things. The movies represent this sequence in spirit. In reality – at least in our simulation – it is very involved, with multiple steps, which makes sense.

One of the reasons the Titan was decommissioned was that the era of a single big bomb per missile evolved into having one rocket with multiple smaller warheads, which is what the vast majority of the world’s some 12,000 weapons look like today. Another point in Titan’s disfavor is that it doesn’t make sense to have much in the way of land-based weaponry, since they are essentially sitting ducks for the enemy to target. Most of today’s weaponry is mobile, based in subs or on planes, as in the UK or France.

But whether you count by warheads or rockets requires a lot more nuance. China, for example, has a huge stockpile, but fewer weapons that are ready to launch. And I would argue that another aspect that doesn’t get much discussion is the world’s 400-plus nuclear power plants that are scattered around 30-some countries. While these plants are doing something useful – producing electricity – they are also sitting ducks for enemy targets. Russia has specialized in this arena, sadly. About a year ago, the Chernobyl nuclear power plant was targeted by Russian drones that punched a hole in its protective roof. Some have said it was an accident, and Russia denies they fired anything, both not very credible statements.

As you might remember, the damaged reactor was encased in a huge building with several layers of steel and concrete, designed to keep the escaping radiation inside and away from humans. To my way of thinking, this was the second time a nuclear strike was used in warfare. The first was an earlier Russian missile fired at Ukraine’s nuclear power station. Why no one is making a bigger deal out of these events is curious.

After my friend and I did the Titan tour, we decided to watch Dr. Strangelove to see how accurate their depiction of nuclear warfare was. While the exact details differed, the movie has held up well over the years, and I would recommend you screen it too.

When is the cell phone age of consent?

I realize that I am not using the term precisely, but you most likely understand the meaning. You could interpret my question as asking, at what age as parents do we provide cell phones for our kids? I asked my readers to share their own experiences, and most opted to remain anonymous, so I will refer to them with descriptors to distinguish them. In addition to the age of consent, I also asked other details about their kids’ usage and what controls they used to formulate their family phone policies.

The Fortunate family has two boys that are now in college. They got their phones when they were 12. “We trusted our kids and never had a problem,” at least to their knowledge. They initially used a Verizon blocking and monitoring phone app. They never had access to their kids’ phones and “on the whole it wasn’t a problem.” That is why I call them “fortunate.”

The Strict family also has two teen-aged boys (19 and 12), both of whom sort of got their phones when they were 12. The older boy “has only an Instagram account now but rarely uses it (mostly just to see occasional friend’s posts). He has the right priorities and values, and we don’t need to stay on top of this for him at all—he limits himself.” The younger boy is why I say “sort of” because his device is a locked-down iPad, which also comes with usage limits (“we collect it at night, and he’s not allowed to get it until all homework and other responsibilities are completed”). What is more significant is that “he has learned to bypass the controls on his school Chromebook and knows where to find unblocked games — that’s a big enough headache for me frankly.” Oh, and the parents are keepers of the passwords too.

The OnRamp family has a boy and a girl that got their phones between 16 and 18 (and are now in college). “I would caution any parent who would allow a phone prior to age 16,” they said. “Our kids needed an on ramp, you can’t just lock them down and then cut them free in an instant.” This family saw the need for phones at discrete moments, such as when traveling. But having an on ramp also meant restricting social apps, allowing them only with a lot of oversight, or forbidding phones in places such as their bedrooms, where they would be relegated to a charging shelf. They also recognize that they didn’t do as good a job at teaching them about other worries such as doom scrolling or going down rabbit holes, because “any content consumption can be addictive.”

When my cousins had teen girls, they got their first phones both at age 12 (they are now 19 and 21). They had access to their Apple IDs and PIN codes so they could monitor which apps they had, and also banned phones at their dining table and collected them at night.

One reader has four daughters from 4 to 10 years old, call them the Home School family. He said, “I can’t imagine ever giving them cell phones, and believe strongly in parent/child attachment.”

Several readers were pretty vocal about not allowing cell phones in the classroom. Of course, that places the responsibility on each teacher to detect usage, which can be an issue. But then this is just another part of their responsibilities. Many years ago, I taught a high school networking class for 10 boys. The class was done in a hard-wired network lab (Wi-Fi hadn’t yet become popular or available in the school). When a student was giving me problems, I would unplug their computer. That public shaming seemed to work for me — and the related peer pressure for them as well.

Others suggested buying phones without any internet data plans or GPS-enabled watches, such as from Mint Mobile, Gabb.com, Bark.us or Tello.com. These vendors have a wide range of products and Gabb has an impressive amount of content that can help you pick out the right piece of tech for your kids.

However, like any blocking or protective tech, these solutions may create additional problems. The Contract family used the Bark.us app, and it did help out in one situation, but he grew tired of its frequent and buggy updates and discontinued its use last year. They also made their kids sign a multi-page cellphone agreement, which he has agreed I can share with you here. This might work for you, but I think many of you would find this level of pseudo-legality a bit much. Another source worth exploring is Delaney Ruston’s blog (she has interviewed many families for her documentary films about family tech use), and this post goes into great detail about how to formulate your family’s phone policies.

Another reader, we’ll call him Childless Man, says that “if I had had a cell phone when I was 12 to 15, I would have gotten myself in lots of trouble. I can’t be the only kid whose libido was running in overdrive!”

Finally, there is the Watch family, with two daughters 8 and 11. So named, because they have focused on getting watches rather than phones, at least initially. “The Apple watch is great, because when it is not paired to a phone it cannot access any apps.” They also manually add contacts to the watch so they can control who their girls communicate with, and are the keepers of the passwords too. “The watch is restricted to contact with mom&dad only after 8:30pm and is also on “school mode” during the day. Our kids’ schools are also complete black holes of cell service.”

I originally thought about this topic in terms of kids’ social network usage, but as I was corresponding with you all I saw that I hadn’t really understood the breadth and depth of the issue. Yes, we can try to block TikTok, Facebook, and Instagram. But what about YouTube, Discord, and playing online games? And kids are clever at getting around app blockers, as I mentioned with the Strict family earlier. I probably will have more to say about this topic and welcome your input as always.

So what can you glean from these examples? There is no perfect solution, and the important thing is to match your level of expertise (many of the families cited here are headed by parents who are computing professionals) and also the kind of kids you have, how they develop, and what tech their peers are using. (To that end, Ruston pointed me to Waituntil8th.org, which encourages parents to act together and wait until eighth grade before giving their kids phones.) That shows that your policies and restrictions will of course change as your kids grow up. Thanks to all of you who answered my query, and if you want to share your own experiences, feel free to comment here or send me a private message.

How not to repurpose an old laptop

For the past six or so years, I have had an HP Elitebook laptop that I have carted around the world a few times and upgraded a few times, eventually to Windows 11 — amazingly, Microsoft still supports the thing. (It runs an Intel i7 and has 16GB of RAM, so it is a pretty solid machine even now.)

But it was showing signs of age (aren’t we all?): the sound, which used built-in B&O speakers, was no longer working, and there were a few other quirks with the bundled HP security software that I was tired of dealing with.

Perhaps you are in a similar situation, or your business is in a similar situation. Read on, and learn from my many mistakes. Even though I have been working with PCs since the mid-1980s, there is still a lot I can learn.

What pushed me from “thinking about getting a replacement” to action was this security warning about this aging fax modem driver file ltmdm64.sys that could cause problems. I thought — ok, I am a security expert, let’s see if I have this file on my laptop. A quick search using File Manager brought up nothing, but then I realized that FM doesn’t tell you about system-level files. I rooted around some more and saw it eventually lurking in some dark Windows directory, but of course I couldn’t rename it or delete it. And this is a feature, not a bug, because the last thing I would want would be to have some malware get ahold of that directory and cause even more damage.

Enough already. But before I bought something new, I wanted to see if I could repurpose my laptop and install a less complicated OS that I could manage. Easy, I thought: almost all of my use is through browser-based tools. And since I run my email through Google’s servers, I figured I would start first with ChromeOS Flex. Unlike other OSes, you don’t download an .iso image file and then use that to make a bootable USB drive. Instead, you have to go to the Chromebook Recovery Utility’s download page and download and prepare the bootable image that way. This utility is a browser extension. That should have been a warning sign.

There are two ways you can refresh your PC with a new OS: run the “live boot” from the USB drive, which means nothing gets put on your hard drive (in case something goes wrong), or do a fresh install, in which case you destroy the (in my case) Windows files and start anew. Being a careful person, I chose door #1 and did the live boot.

Now, I have all sorts of security things on my Google account, including a Yubico hardware key, passkeys, an account password that is a complex string of numbers, letters and symbols (more on that in a moment). I also had one must-have browser extension — the Zoho Vault password manager. I thought having a Google OS would be a good thing. I was wrong.

The problem with ChromeOS is that it is not quite an OS — it is really Android that has been heavily modified and stripped down. You’ll see why in a moment.

Within short order I got a working system, the Zoho stuff worked just fine and I was ready to throw caution to the winds and do the great big wipeout and install ChromeOSFlex for real. Got everything flowing just fine, or so I thought. Then I shut down my machine for the night. Big mistake, as I found out the next day.

The problem is that when ChromeOS boots up, it doesn’t quite know your keyboard driver. So the password that you type in doesn’t quite match. It didn’t help matters that my password contained a series of ones and zeros and the letters O and L. It wasn’t easy to figure this all out.

So Google kept saying I had entered a bad password. I eventually figured out that when it is initially booting up, it doesn’t recognize my passkey or my Yubico key. I don’t know why. And Google has made ChromeOS require a boot password, so I was kinda stuck.

Now I had A Project. Over the past week, I have downloaded all sorts of Linux-flavored OSes. All had issues, until I downloaded Mint Linux. Twice — for some reason, the download didn’t take the first time around. I needed an ISO writer called balenaEtcher to create a bootable USB drive from my Mac. Eventually, I got things working, although I would have liked for Zoho to support an Opera browser extension on Linux, but they don’t have one, so now I am using Firefox for my web browser for the moment.

What works: I have sound once again, and my Yubico key and passkeys work just fine.

What doesn’t quite work: the control of the fonts inside the browser, or at least I haven’t figured out where that particular control is.

Lesson #1: Don’t do the complete wipeout until you have rebooted your old laptop a few times.

Lesson #2: If you have a critical software component (in my case, the password manager), make sure it supports your OS and browser version. This is why you try out the live boot option.

Lesson #3: Make sure your OS will run on your particular chipset, particularly if it isn’t a 64-bit Intel CPU. Read the fine print.

Lesson #4: If you have hardware keys or other USB things that you want supported, particularly test them on the live boot before committing to the total wipeout.

Lesson #5: Know your tools. ISO boots are a strange sub-culture. Make sure you have a sufficiently large USB thumb drive that can contain the boot image. Make sure you find a program that will create a bootable USB from your downloaded ISO file.


Watch out for browser cache smuggling

Browser caches can be difficult to secure, because our insatiable hunger for web content means our browsers often deposit files there that could turn out to be trouble. In the past, malware actors would try to poison web server caches — these were holding areas that the servers put aside to deliver frequently requested pages or pieces of content, such as large image files.

“Think of cache poisoning as poisoning a town’s shared well—everyone who draws from it is affected,” said Satnam Narang, senior staff research engineer at Tenable. “Browser cache smuggling, however, is like getting a meal kit with a hidden poisonous ingredient. It sits harmlessly in your private kitchen until you are tricked into following the recipe and cooking it yourself.” Cooked, indeed. The attacker hides an executable program inside a misnamed file that appears to be storing an image in the cache. Marcus Hutchins wrote about this recently.

Cache smuggling has been around for years, but lately it is being paired with zero-click malware that makes the deposit and then the activation without any user intervention. Or, as Marcus documents, a misleading pop-up instructs a user to run a series of Windows commands that bring this all about in the background. Or a phishing email tells you that you have a large reward just waiting for your click to approve.
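A host-side check for the smuggling pattern described above: a Windows executable sitting in a cache entry that was served and named as an image. This is an added example, not code from Marcus Hutchins’ write-up or from any vendor named here; it assumes cache entries are plain files on disk and constructs its own sample entries for the demonstration.

```python
"""Look for a Windows PE image hidden inside browser cache entries, whatever
the entry's name or declared content type says. Added illustration for the
cache-smuggling discussion; the cache layout and the sample entries below
are constructed for the demo, not taken from any real browser or tool."""
import os
import struct
import tempfile
from typing import List, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def find_pe_offset(data: bytes) -> int:
    """Return the offset where a PE image begins inside data, or -1.

    A PE file opens with the DOS stub "MZ", and the 32-bit little-endian
    value at stub offset 0x3c (e_lfanew) points to the "PE\\0\\0" signature.
    Requiring both means a stray "MZ" inside genuine image data is not a
    hit, while a PE prefixed by a cache-specific header is still found.
    """
    start = 0
    while True:
        idx = data.find(b"MZ", start)
        if idx < 0 or idx + 0x40 > len(data):
            return -1
        e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
        sig = idx + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
            return idx
        start = idx + 1


def scan_cache_dir(root: str, max_read: int = 1 << 20) -> List[Tuple[str, int]]:
    """Walk a cache directory and report (path, pe_offset) for every entry
    that carries a PE image. Only the first max_read bytes are inspected;
    a payload meant to be run straight from the cache has to be near the
    start of the entry for the lure's commands to find it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_read)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            off = find_pe_offset(data)
            if off >= 0:
                findings.append((path, off))
    return findings


def fake_pe(payload_len: int = 64) -> bytes:
    """Constructed stand-in for a PE image: DOS stub, e_lfanew, PE signature.
    It is not a runnable executable, only the headers the scanner keys on."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub) + b"PE\0\0" + b"\0" * payload_len


def build_sample_cache(root: str) -> None:
    """Populate root with constructed entries mimicking a browser cache."""
    # 1. A genuine image entry: must not fire.
    with open(os.path.join(root, "f_000001"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 200)
    # 2. An image whose pixel data happens to contain "MZ": must not fire.
    with open(os.path.join(root, "f_000002"), "wb") as fh:
        fh.write(PNG_MAGIC + b"MZ" + b"\x11" * 200)
    # 3. A smuggled entry: named and typed as an image, but a PE sits right
    #    after the cache's own metadata header.
    with open(os.path.join(root, "lure_banner.jpg"), "wb") as fh:
        fh.write(b"CACHEHDR" + b"image/jpeg\0" + fake_pe())


def demo() -> List[Tuple[str, int]]:
    """Build the sample cache in a temp dir and return what the scan flags,
    with paths reduced to file names for readability."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_cache(root)
        return [(os.path.basename(p), off) for p, off in scan_cache_dir(root)]


if __name__ == "__main__":
    for name, off in demo():
        print(f"PE image found in cache entry {name} at offset {off}")
```

Real browser caches wrap entry bodies in their own index and header structures, which is why the check searches for the MZ/PE pair at any offset rather than only at byte zero.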

I recently got one of these emails from the Facebook User Privacy Settlement, asking me to activate a debit card. I was about to hit the delete key when I thought I should investigate further, and found out that I was wrong: the email offer was legit and moments later, I was now about $38 richer. Woo-hoo!

One way to fix this across the enterprise is to use one of a class of enterprise browsers that encrypt the cache, or that can apply global policies when a user brings up one of their browsers. Island.io and Authentic8.com are two of these vendors. A consumer version is available from Opera or Brave that provides various content blockers, which can stop the smuggling route.

Another mechanism is to make use of various network defensive tools (such as those available from one of my clients, Corelight). These can monitor odd network flows, such as unexpected uses of PowerShell, which often are clues that some hanky-panky is going on.

The latest digital divide spans multiple governance dimensions

When we used to talk about the digital divide, we thought about who had what technology and how they used it. A new book has opened my eyes to yet another series of dimensions, and these both take a closer look at the technology and place it in a different and more complex framework of multi-stakeholder inclusion and governance.

The book is Geopolitics at the Internet’s Core, and it is a most unusual and very helpful effort by four co-authors that have been long involved in shaping technology policy and governance: Fiona M. Alexander and Nanette S. Levinson, who both hold various research positions at American University in Washington DC; Laura DeNardis, a professor at Georgetown University and author of numerous books on tech governance; and Francesca Musiani, a researcher at the French National Center for Scientific Research. I got a copy to review and reading this book made me want to talk to Alexander directly about the inclusion issue. (If you would like to purchase the book, use PALAUT to get a 20% discount.)

But first, let me lay some foundations.

If we look at how IP protocols are distributed across the globe, we’ll see that their DARPA origins are still very much in evidence. There are several ways to measure this. One is by counting Internet Exchange Points — the places where large ISPs can connect to each other. These are still mostly concentrated in western countries, and many countries have either no IXPs or a single one. The absence or paucity of IXPs means that residents of that country will have longer latencies, less local content and higher cost of internet access.

Another measure is the number of IP address ranges available in any given locality. We know that the IPv4 “classic” address ranges have been mostly consumed, but in Africa there are still many available address ranges.

And then there is the distribution of DNS servers, because having one logically “nearby” also affects traffic latency and the resiliency of digital networks. It took until 2022 before Africa had its own managed DNS cluster, meaning that prior to then most of its DNS traffic had to transit to another continent.

If we move our lens to a wider angle to examine the actual languages used online, we see that English dominates, and despite there being thousands of different languages spoken and written, 82% of online content is represented by ten languages: English, Chinese, Spanish, Arabic, Portuguese, Japanese, Russian, German, French and Malaysian. For much of the internet’s early years, non-ASCII domain names weren’t supported, and today there are still gaps in having local character set support.

Let’s move our lens to a still wider angle to internet governance. This is also instructive in showing the unequal distribution of these resources. The various standards bodies that determine internet policy still have a very western bias. And as conflicts spread to the TCP/IP space — such as one country asking to terminate access into another country, who is serving on these bodies can be significant. This is not a new problem.

Geoff Huston, who works for the Asia Pacific Network Information Center, is a keen observer of these and other issues. “The problem is that the distribution of this digital wealth is very uneven, and while a small clique of individuals may live in an extreme level of opulence, large proportions of domestic populations are disenfranchised and marginalized. Having valuable digital enterprises domiciled in a nation does not translate to widespread economic prosperity. It’s extremely challenging to espouse the benefits of an open multi-stakeholder global communications environment when the dream has been so basely corrupted by the exploitative excesses of the small clique of digital megaliths.” He is of course referring to the major US online companies such as Google, Facebook, and Amazon.

These and other issues were part of a chapter of the Geopolitics book. This chapter is devoted to the role of the internet ecosystem to become more inclusive and involve multiple stakeholders in developing technical standards and to be adopted and supported across multiple geographies and cultures. The authors write that “the intersections of the internet with governing bodies are neither hierarchical nor linear. Thus, approaches to inclusion should involve models that complement the kaleidoscopic design of IP and reflect its very nature.”

I spoke to Alexander about her book and her role in shaping US and internet policy over her 20-year government career. “The internet has been a resounding economic success, but what is needed now is a more holistic assessment of policies to forge a path forward,” she said. “There is no singular multi-stakeholder approach — it is the tool and not an outcome, and it works best when more people and more transparency are involved.” She relishes her early years when she worked for the Clinton administration and wishes that we could have more opportunities for bringing the right people from around the world to debate these future policy choices. “Not everyone sees that, but hopefully it will happen. I remain an optimist.”

Huston fears that various national pressures might drive us away from inclusive gains of the recent past. “Maybe it’s the broader challenges of our enthusiastic adoption of computing and communications that have formed a propulsive force for widespread social dislocation in today’s world,” he says.

New developments in tinnitus treatment

As many of you know, I have been a chronic sufferer of tinnitus, or ringing in my ear, for decades. Back in 2018, I went to Iowa City for the annual summer conference on this subject, which I reported on here. Attending this conference changed my life, and my interaction with the medical-industrial complex. I saw first-hand how research items became clinical trials which further evolved into accepted science and treatment options.

I went back to this summer’s conference and today’s post summarizes what I learned. I apologize for the numerous links in this post, but I wanted you to have access to this material as you explore your own health journey.

One of the problems with treating tinnitus is that it is a very personal set of symptoms and handicaps. That makes it hard for medical professionals to treat it. One way to figure out what “flavor” a patient has is to use a series of self-reporting questionnaires that can try to guide treatment. One of them is the Miller Hope Scale, a series of 40 questions that is used to show how the patient sees themselves. Another is the Tinnitus Reaction Questionnaire, which can quantify how the patient reacts to their tinnitus, and the Iowa researchers have two others of their own design. Another is the Meaning of Life Questionnaire. The first two instruments have long been used by Dr. Brittany Grayless, as in the summary of her research shown below. As the lead-off speaker last week, she mentioned how a provider needs to set realistic goals so patients can be encouraged to progress towards them, something that makes total sense to me but that I never thought about before — either with respect to tinnitus or other professional or personal choices.

Harnessing Hope for Tinnitus Recovery

Over the years I have gone through these and other questionnaires, and they are very hard for me to complete. Maybe I am bad at self-assessment of my own tinnitus or emotional state. Maybe I am uncomfortable with such subjectivity, and would rather be asking a medical professional to interpret a blood test or something more concrete. Maybe these tests are designed more for folks that have more severe tinnitus. I raised these issues with several of the speakers when I was in Iowa, and they agreed with me that these tools are admittedly imperfect, but the best things we have at present.

Ann Perreau from Augustana College also makes use of these questionnaires to develop a sequence of self-paced online videos that help provide remote counseling. She reported on the clinical benefits she saw — sadly, this courseware is not yet available to the general public.

Sarah Kingsbury of the Mayo Clinic in Arizona presented her research on the connection between diet and tinnitus, showing some progress (she has been working on this area for many years). Some patients benefit from additional vitamins. I might give this a try.

One enormous data source that was cited by several speakers is the UK’s Biobank effort to catalog 500,000 patients’ data over a long period of time. Ishan Bhatt used this for his research into what is now called the “gut/ear” connection to see if genetic markers could be a cause of both tinnitus and depression. He disproved this connection, although both conditions make use of the same genetic code. Other work was presented at the conference to further understanding of this connection.

When I was first investigating getting hearing aids, I wasn’t too sure that they would help my regular hearing — irrespective of tinnitus. Last week several researchers pointedly mentioned how aids can help people with “normal” hearing solve other issues, such as social awareness or anxiety in noisy situations, or for children.

One of the reasons why I like the Iowa conference is that it brings together doctors, nurses, audiologists (some of whom are doctors doing active research), patients and vendors. After decades of covering enterprise technology, I love hearing from vendors and last week saw several both presenting their wares and describing their research efforts, such as SoundPillow (that embeds speakers to play custom programs inside a pillow), Neuromonics (an iOS-based software solution that has a six month course to habituate patients), and Neuromod (hardware that stimulates the tongue while playing sounds). Neuromod was just starting clinical trials back in 2018, and now has a commercial product called Lenire that has given relief to some tinnitus patients. (It is rather pricey, just so you know.)

After the first Iowa conference that I attended, I got my first hearing aid, and learned how to own my tinnitus. This year, I upgraded to a second pair of aids, running programs not just for masking tinnitus but also providing stereo sound via its CROS software. A careful reading of my prior posts will show you that I wasn’t impressed with the older CROS capabilities, but they have come a long way and I am now a big fan.

There will never be “a cure” for tinnitus, but bit by noisy bit there are ways to make it better for those of us who have it. Thanks for tagging along and hearing about my own journey.

Why email makes for a bad login identity

For the past three decades, I have had the same email address and domain name. The time has come to consider selling the latter, which means I have to figure out where I am using the former. It isn’t a pretty picture.

Part of the problem — a big, messy, and difficult part — is that my email is used as a primary login ID in several hundred websites and apps. This wasn’t my choice, and sadly, for many website logins, it is still the standard operating procedure.

When I first began this project the number of my site logins was over 500. How do I know this? It is because for many years I have used password managers to handle my logins. I began using LastPass and moved two years ago to Zoho Vault. This project would have been impossible without a password manager.

That being said, it was time for a major cleanup on aisle P. Many of these websites have gone the way of the dodo, or at least evaporated into the dim reaches of cyberspace. Remember efax.com or tweetsmap? The former was an internet faxing site that for years had a secret free service for receiving low-volume faxes, the latter a Twitter analytics service. Both sites will forward to more recent domains, but my logins have disappeared.

There were plenty of other domains that I will no longer be visiting, and they read like a testimonial to the early days of the web: I can’t recall the last time I rented a car from Hertz, made a payment using Paypal, had a conference using Webex or used Quickbooks for my accounting needs. All of these items were true back in the early 2000s. That made me a bit sad, seeing how innovative each of those sites was (and many others that you probably wouldn’t recognize, or know what they did back in the day). Rather than mourn their demise, we should be glad that the march of time has brought us Lyft and Venmo, to name two more recent examples. These bygone logins show how far we have come, where we think nothing of tracking and then getting into some stranger’s car or sending a digital payment from our phones.

The issue is that if I do sell my domain, I have to move away from my email ID to something else, and to do the move before my legacy email stops working. Many of the logins have a very convoluted way to change your email address, and often one step is that they first send a notification message to the old address to make sure that it is you that is doing the changing, and not some Russian hacker that is about to gain access to your identity. I am not complaining (well, maybe a little bit) and glad there is some security, however fragile.

There is really no way to automate this process. Making matters worse is that each website tucks away the spot where you can make an email change, which is a massive UI issue too. The airlines are the worst offenders here in particular: for Delta and United, I had better luck using their mobile apps than their web interfaces to make the change. For Southwest, I had to call them and walk through a very odd series of steps to find that buried treasure — but first I had to log out of my account. I know, actually talk to someone? On the phone? Let’s party like it is 1999.

For those few sites that offer a non-email ID, this is a better mousetrap because it eliminates the authentication step and places the email portion out of the login stream. Better yet are those sites that offer a passkey, but hey, that is still considered new tech (ahem, it has been around for nearly a decade).
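The account model the post argues for, keeping the login identity separate from the rotatable email address and verifying a change at both the old and the new address, shown as an added illustration that is not code from the post or from any of the sites it mentions; `AccountStore`, its method names and the in-memory `outbox` are my own assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    user_id: str                        # stable opaque identity; never changes
    email: str                          # rotatable contact/login attribute
    pending_email: Optional[str] = None
    old_token: Optional[str] = None     # "is this really you?" sent to the OLD address
    new_token: Optional[str] = None     # "prove you own it" sent to the NEW address

class AccountStore:
    """Hypothetical in-memory store; `outbox` records what would be e-mailed."""
    def __init__(self):
        self.by_id: dict = {}        # user_id -> Account
        self.by_email: dict = {}     # normalized email -> user_id
        self.outbox: list = []       # (address, token) pairs

    def register(self, email: str) -> str:
        email = email.strip().lower()
        if email in self.by_email:
            raise ValueError("address already registered")
        uid = secrets.token_urlsafe(12)     # the identity is NOT the address
        self.by_id[uid] = Account(uid, email)
        self.by_email[email] = uid
        return uid

    def request_email_change(self, uid: str, new_email: str) -> None:
        acct = self.by_id[uid]
        new_email = new_email.strip().lower()
        if new_email in self.by_email:
            raise ValueError("address already in use")
        acct.pending_email = new_email
        acct.old_token, acct.new_token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.outbox.append((acct.email, acct.old_token))   # notice to the old address
        self.outbox.append((new_email, acct.new_token))    # proof of the new address

    def confirm_email_change(self, uid: str, old_tok: str, new_tok: str) -> bool:
        acct = self.by_id[uid]
        ok = (acct.pending_email is not None
              and secrets.compare_digest(old_tok, acct.old_token)
              and secrets.compare_digest(new_tok, acct.new_token))
        if ok:
            del self.by_email[acct.email]
            acct.email = acct.pending_email
            self.by_email[acct.email] = uid          # user_id stays the same
        # tokens are single use: a wrong guess voids them and a fresh request is needed
        acct.pending_email = acct.old_token = acct.new_token = None
        return ok
```

Because `user_id` is what every other table references, selling the old domain only changes one row’s contact attribute; the old address must still be reachable once to receive its token, which is exactly the window the post warns about.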

And BTW, I managed to weed out more than 150 logins as I made my way through my password manager. So some progress!

But wait, there is more. Since I use Google to manage email, I also use Google to manage my contact address book. Over the years it has contained thousands of people. For years now I have been dutifully making CSV backups of these contacts, but never really tested to see if I could restore the entire list, with all its metadata labels, to another account. Bad practice to be sure. I am happy to report that I was able to import the list just fine. I still have Google Docs/Sheets/etc. content to migrate over too. Lots of weeding to be done, for sure.

My love affair with MS-DOS

I wrote this in 2011 when I was running a piece of the ReadWrite editorial, and recently discovered it. Other than making a few corrections and updating the dates, I still share the sentiment.

Can it be that DOS and I have been involved with each other for more than 40 years? That sounds about right. DOS has been a hard romance, to be sure.

Back then, I was a lowly worker for a Congressional research agency that no longer exists. I was going to write “a lowly IT worker,” until I remembered that we didn’t have IT workers 40+ years ago: Information Centers really didn’t come into vogue for several years, until the IBM PC caught on and corporations were scrambling to put them in place of their 3270 mainframe terminals. Back in 1981, we used NBI and Xerox word processors. These were big behemoths that came installed with their own furniture, they were so unwieldy. We had impact printers and floppy discs that were eight inches in diameter. The first hard drives were a whopping 5 MB and the size of a big dictionary. But that came a few years later.

At the agency, one of the things that I figured out was how to hook up these word processors to a high-speed Xerox printer that also was the size of a small car. We had to use modems, as I recall: you know, those beeping things that used to be included on every PC? When was the last time you used a PC with an internal modem, or a floppy disc? I can’t remember, but it has been probably more than a decade for both. Remember the hullabaloo when Apple came out with a laptop without a floppy? Now we have them without any removable storage whatsoever: they are called iPads. Steve Jobs always was ahead of the curve.


Anyway, back to DOS. I used to pride myself on knowing my mistress’ every command, every optional parameter. And we had EDLIN, a very primitive command line editor. It wasn’t all that hard – there weren’t more than a dozen different commands. (Of course they are preserved by Wikipedia.) When a new version came out, I studied the new manuals to ferret out tricks and hidden things that would help me slap my end users who would love to do `format c: /s` and erase their hard drives.

And new versions of DOS were a big deal to our industry, except for DOS 4, which was a total dog. One of my fondest memories of that era was going to the DOS 5 launch party in the early 1990s: Steve Ballmer was doing his hyperkinetic dance and sharing the stage with Dave Brubeck. To make a point of how bad DOS 4 was Brubeck tried to play “Take Five” in 4/4 time, before switching to 5/4 time as it was intended. Those were fun times.

But DOS wasn’t enough for our computers, and in the late 1980s Microsoft began work on Windows. By 1990, we had Windows v3, which was really the first usable version. By then we also had had the Mac OS for several years and graphical OSes were here to stay. DOS went into decline. It didn’t help that a family feud with DR DOS kept many lawyers engaged over its origins either. As the 1990s wore on, we used DOS less and less until finally Windows 95 sealed its fate: the first version of Windows that didn’t need DOS to boot.

I won’t even get into OS/2, which had a troubled birth coming from both IBM and Microsoft, and has since disappeared. My first book, which was never published, was on OS/2 and was rewritten several times as we lurched from one version to another, never catching on with the business public.

Once PC networks caught on, DOS wasn’t a very good partner. You had 640 kilobytes of memory – yes, KB! – and network drivers stole part of that away for their own needs. Multitasking and graphical windows also made us more productive, and we never looked back. For a great ten minute video tour and trip down memory lane, see this effort by Andrew Tait showing successive upgrades of the Windows OS.

But DOS was always my first love, my one and true. I still use the command line to ping and test network connectivity and to list files in a directory. There is something comforting about seeing white text on a mostly black screen.

Yes, we haven’t been in touch in many years, and now when I need a new OS I just bring up a VM and within a few minutes can have whatever I need, without the hassle of CONFIG.SYS or AUTOEXEC.BAT. (Here is a column that I wrote a few years ago about getting Windows NT to work in a VM.) But happy birthday, DOS, and thanks for the memories. It’s been lots of fun, all in all.