Me and my Ecobee

For the past month, I have been messing around with an Ecobee “smart” thermostat for my condo’s heat pump. The reason for the quotes will become clear as you follow along in my journey.

I live in a high-rise condo and it was time for the regular servicing of our heat pump, if by regular you mean a spousal request that I should finally get the AC tech out to tend to it. The tech came, said everything was looking good but that you might want to get a new thermostat, for reasons that I don’t recall now. That provided enough motivation for me to start down my Ecobee journey, which is the brand that the tech recommended.

My electric utility was offering half off if I bought it through them. They also had free Nest thermostats, which my tech said I should steer clear of. Given that they were free I figured that something was wrong with them. So I got the mid-priced model and it arrived a few days later. It did take three phone calls to find the webpage to order the thing, let’s just put that there in terms of pain points.

Now, I have to say right up front that I am not a handy guy. Generally, I know my limitations. I was going to give the Ecobee a try, until I saw that I had to deal with putting a bunch of tiny wires in the right places. (You can see what I mean in the photo above. The putty around the edges is to block out airflows from behind the wall, which was suggested by the hot line folks.) I put in a call to my AC repair folks, who happily charged me more than I paid for the device to come install it with tech #2 (a different guy from the first one). Some drilling was involved. I made the right choice not to fly solo on this install.

I was impressed with the level of support from Ecobee: their smartphone app will take you step by step through the initial installation and also help troubleshoot any problems. There is also a phone hotline that is answered promptly and by native English speakers who have tremendous patience to deal with your issues, and I had plenty. One concerned the fact that the temperature reported by the thermostat was off by four degrees with a thermometer that we were using to verify that it was working. After several calls to the hot line, they told me that I could adjust the temperature with a “fudge factor” (that wasn’t the term they used but that is what it was) so they could match.

But we also had another problem, for which the kind folks at Ecobee put the blame squarely on my heat pump. It turns out the water drain from the unit would clog up, but only after the unit had operated for an hour. Another visit from the AC tech (at least this one was free), where tech #2 (the same guy who installed the thermostat) found the problem.

So I think we finally have all systems go. One issue that still remains is that the Ecobee has three different ways to control its operation: a touch screen on its front panel, a web page or via its smartphone app. All three have slightly to majorly different user interfaces. Some things are quickly accessed with one or the other interface, which doesn’t make it spousal friendly. But one nice thing is that you can control it when you aren’t home, which is helpful in debugging problems and also when you are on vacation and want the home cooled or heated to your requirements before you walk in the door.

Do I regret buying the Ecobee? No. I regret that it takes an IT guy 10 phone calls and an outlay of cash to get professional help to get it operational. Hence why I put the “smart” in quotes: maybe if it was used by a “smarter” home owner I would feel differently. Now if only I could get my “smart” TV to work the way I want it to.

NYC subway adventures in zero-factor authentication

Most of you know by now the meaning and importance of MFA, having multiple pathways to authenticate yourself for your various logins. But here is a story that is somewhat chilling: thanks to the NYC subway authority MTA, someone who knows your credit card number could track your movements about the system, thanks to their implementation of zero factor authentication.

Before Joe Cox, the business journalist who now writes for 404media (I know, miserable branding IMHO), wrote a story about this, you could bring up a page on the MTA’s website, enter the card number and you could see a week’s history of the station entry and exit times for each station you swiped your contactless fare card (or Apple or G payments on your phone). Well, you used to be able to do this, until Cox’s story ran exposing this vulnerability. Then the MTA wisely took this down a day after the story ran, saying they were evaluating the “feature.” Well, it is a feature for your estranged spouse (or someone who is looking to do you harm) to track your movements and establish a pattern of life. For the vast majority of us, it is a major-league problem and privacy disaster. Credit card numbers are remarkably easy to obtain.

Now, I call this somewhat ironically zero factor authentication, although sadly many security vendors are now using this term to refer to ways to authenticate your account without using passwords, which technically it is. But There Is No Authentication Involved Here Folks.

Contactless cards — and the phone-based payment apps — are a big convenience. You don’t have to touch any public turnstiles or fumble with putting your card inside those pesky slot readers upside down and backwards. But the MTA went overboard and for some reason was completely brain-dead when they turned this “feature” on.

SiliconANGLE: Meta’s Facebook finally supports end-to-end message encryption

The importance of end-to-end encryption of digital messages is getting new attention with the announcement that Meta Platforms Inc.’s Facebook will partly add the feature to its Messenger product now, and eventually for all use cases such as group chats by year-end.

It’s an important step, since E2EE, as it’s known for short, is a critical method of providing secure communication that keeps outside parties from accessing data while it’s transferred between systems or devices. But the announcement isn’t the whole story, either, because Facebook is playing catch-up with many of its competitors, such as Signal and Telegram, which have offered E2EE messaging products for years now.

You can read my analysis for SiliconANGLE here.

Evaluating password managers, again

There are two things you need to know about me, if you haven’t already caught on reading my screeds all this time:

  • I am very concerned about my infosec, to the point where I continuously evaluate new ways to protect myself. This means I go down a lot of rabbit holes and kiss a lot of frogs. Or whatever trite phrase you’d like.
  • I am extremely cheap when it comes to adding monthly subscriptions to do the above. Thus, I tend to be more interested in the free tiers, and carefully weigh the pros and cons of bumping up to something more expensive.

So let’s talk about the basket of services that include a password manager, an encrypted email provider, and an email alias provider. Before a few weeks ago, this looked like the following:

Zoho Vault – This is entirely free, and is an excellent password manager that works across desktops, mobiles and browsers. For some reason, this app isn’t on many people’s radar, which is a shame because I like the other Zoho apps too and think they are a standup company. I switched over to Zoho after getting tired of dealing with all the Lastpass breaches. Importing (from Lastpass) and exporting my password collection is simple, with one caveat that I will get to in a moment.

33mail.com – for mail aliases. I have the free Lite version, which has a 10MB bandwidth limit on how much email they will forward to you. I have hit that a few times, and their cheapest paid pricing tier is $1/month. It is easy to create an alias (you just type the one you want to use into the website’s subscription form) and your emails now come filtered through their service. Why would you want to use this service? If you don’t like giving out your “real” email address, this adds an extra layer of control and you can quickly turn off the flood of messages.

ProtonVPN – I have been using the free version with a few minor issues, mostly when I travel or take up residency in some coffee shop. Unlike Brian Chen, I don’t want to build my own VPN (I just don’t trust myself). Speaking of VPNs, I wrote a piece for SiliconANGLE which takes a look back at the history of VPNs, and how they have changed roles, ironically thanks to the pandemic and the way we now work mostly remotely.

ProtonVPN just came out with a new pricing scheme and a new password manager app, and so in the interests of the First Directive, I wanted to try them out. Thanks to my friendly PR person, I got a press upgrade to their unlimited plan. This is $10/month if you buy a year-long package. This includes several of their services, including encrypted email and their password manager. The VPN on its own is $6/month.

My tl;dr is that the Proton password manager is still too early to rely on, and I am back to using Zoho Vault in production. My reasons:

  1. Importing my password collection from Zoho to Proton was a nightmare that took a series of false starts and several emails to resolve my issues. Yes, they have some imports that have been put up, but not Zoho’s. I had to create a CSV and use Excel to edit the collection. Yuck.
  2. It doesn’t have a lot of features, as witnessed by this roadmap of what is to come. Not having a desktop app means if you are trying to enter a password outside of your browser, you will have some effort involved.

I still like Proton as a company: they care about their users’ privacy and security and try to be as transparent as possible, as that roadmap post shows.

Department of Self-promotions

Speaking of SiliconANGLE, I wrote a bunch of stories this week that you might be interested in reading, including about new Google Workspace security features, Proton’s VPN service, and trends in malvertising.

A cautionary tale about elections security

If you believe the 2020 elections experienced massive fraud, or that electronic voting machines were running some software from space, then please skip this post. If you believe otherwise, then I would urge you to read my thoughts.

I was party to a massive elections fraud back in the 1970s, when I lived and worked for the city of Albany NY. Albany at the time (and still today!) was under the grip of a powerful Democratic machine, and as a city employee I was told as election day approached that I will vote, and that I will vote the Democratic party line. If I didn’t show up, or if I strayed into supporting GOP candidates, I would lose my job. Whether or not everyone’s votes were being monitored, I wasn’t going to risk it, especially as this was my first job out of college. I can’t prove anything, and my recollection might be fuzzy, but there was no denying that the city spent decades in the iron grip of this political machine.

I am telling you this because I have spent a lot of time researching voting fraud over the past several years, and can tell you that our elections have come a long way since my Albany days. I based this on first-hand knowledge, having spoken to IT managers at state offices, election researchers, and others who are in the know. Let me first present a few links for you to establish some bona fides.

First up is Alex Halderman’s analysis of the 2020 voting irregularities in Antrim County, Mich. This was the scene of numerous recounts — five of them — and the source of a lot of conspiracy theories. If you read Alex’s paper, you will see that many of these theories were easily explained by more obvious error sources, namely humans. I have met Alex in person and interviewed him on this topic and he is a very sharp guy. His paper concludes: there is “strong empirical evidence that there are no significant errors in Antrim’s final presidential results, including due to any scanning mishap.”

Copies of the voting machine software eventually found their way to Mike Lindell and his bogus “CyberSecurity Summit” that he held in South Dakota in the summer of 2021. One of the attendees at that conference was a long-time colleague, Bill Alderson. He was interested in getting the promised reward of $5M to prove voting irregularities. You can watch Bill’s interview with local TV news where he unequivocally states that the data claimed by Lindell was a nothing burger (he had more colorful language when I spoke to him this week). In other words, there was no fraud, no evidence, nada. Bill never got a dime for his troubles, BTW.

There were several other county voting offices that were invaded by so-called security analysts looking for fraud. But they ended up doing their own fraud — and are now being charged for this by various legal efforts. These folks obtained copies of similar machine software and vote tally data cards. One of these locales was Coffee County, Ga. The AP ran this story about what happened last September and there was plenty of video footage, along with the data cards shown in the photo below that were given to these analysts. (Here is an excellent analysis from Lawfare too.)

As the 2020 election was happening, I was part of the CISA press group that was on the phone interviewing various officials on November 3rd. Granted, CISA had their own horn to toot, but from the evidence that I saw, the election happened without any major troubles. Yes, Chris Krebs lost his job shortly thereafter, which should tell you something about his integrity.

One lie that I hear often is that the manipulation of mail-in ballots was done in such a way as to swing the vote totals. Here is another data point: Colorado has been running universal mail-in ballots (meaning every registered voter gets one by mail; whether they want to use it or not is up to them). For years they have been running fair and accurate elections. Neither major party had a problem with that, until the more recent elections. Here is a link to their info page, just to give you an idea of what they do. (Many states have had pre-Covid universal mail-in operations, BTW.)

Now, I warned you — here comes the hard part for me to write about. We are approaching a very dangerous time in our country. There are many people who believe this massive voting fraud happened, despite various genuine IT consultants’ evidence to the contrary. I am not here to try to convince them of the error of their ways.

But let’s talk about something that I find even more distressing. Please check out this recent Politico post on what happened last week at the Vegas BlackHat conference. To provide some context, each year this hacking event features various “villages” where a bunch of attendees come to try to break stuff, in this particular case voting machines. (I wrote about the 2020 election village DEFCON event for Avast here.) Given the state of our society right now, this year they put on some extra physical security for the event. And if you believe Politico’s reporting is accurate, it is very chilling to see.

By now many of us have heard about how elections officials have been threatened both at home and at their offices. According to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77% said those threats had increased in recent years. Many have quit the field entirely.

That is bad enough, but now these threats have blossomed beyond the folks running the elections to include digital security researchers who are looking into election and voting-related matters. And I am thinking about my early Albany experience. Yes, we have issues with vote counting and certainly there are plenty of mistakes made over the years. But to annoy and threaten the people who in many cases volunteer their time and do their civic duty, and to claim they have evil intent, just because the election didn’t go your way, is a horse of a different color.

Where do we go from here? I don’t know. But thanks for reading this far.

The trouble with Bob, a typical small businessman with tech issues

Small businesses have so much trouble with their IT support, especially if they are really small, have been around for a long time, and have owners that have just enough knowledge to know that they can do better. This was brought home to me with a nearly hour-long call with a friend of mine whom I will call Bob. Bob has four full-time staff and several part-timers, and has been in business for decades. We go back to the 1990s and have remained in touch, and he has called me for help on numerous occasions over the years.

I don’t mind being his IT support guru, and hey, I get to write this column as a result to share his pain with you. Let’s dive in.

Bob has several problems that he revealed by peeling layer by layer during our conversation. First was an aging Mac, and by aging I mean of late 2015 vintage. It is too old to run the current MacOS, a situation that I am all too painfully aware of myself. More on that in a moment. Then he needs a new printer. And what about his website? That has been down for some time, thanks to a variety of things.

And for DNS nameservers he is still using a friend from the dawn of the internet who has his own business to run — and the friend sometimes forgets that Bob’s email depends on him when he upgrades his servers, which will happen from time to time over many years. Bob is fearful about making any changes without understanding what he is doing. Oh, and by the by, his emails are getting blocked because he hasn’t set up DMARC/SPF et al. properly. And by properly, I mean he hasn’t set any of this up at all. And could his issues be due to a bad DNS entry somewhere? Perhaps.

Bob is typical of many small business people. They aren’t computer experts, even though Bob certainly knows his way around the tools mentioned above. But Bob has several things working against him:

  1. As he reminded me, I once told him his problem is that he takes really good care of his gear, but then hoards it way beyond the sell-by date. I am a lot like him in that regard: last year I bought a Mac Studio that replaced a ten-year-old Mac Mini. But the longer out you go with your gear, the harder it is to replace it. It took me months agonizing about this decision, so long that I missed several product review opportunities because I couldn’t run modern applications. Bob just wants to get his work done; he isn’t using anything special. Just old.
  2. He likes the all-in-one iMacs. I don’t: if you have to upgrade, you have to toss the whole unit out. Much better to have a separate monitor, and to have a system that you can add parts to it as needed. He does max out on memory when he buys his gear, which is a good strategy. But that 2015 vintage is time for the donation bin.
  3. He has multiple suppliers for his online presence. Having one ISP as his registrar, another one for his email, another for his website, and probably a few others for bits and bobs isn’t a good situation. I have two major ISPs: one for my registrar (GoDaddy) and Pair.com for my content (email lists, website). Make that three ISPs: I also use Google Workspace for my regular email functions. See how hard it is to keep track? As for Bob, his friend from the dawn of the ‘net is now ghosting him, and he doesn’t know what to do.
  4. He set a lot of this up years ago, back when things were simpler. That means his security exposure is a lot greater. Take the DMARC/SPF issue. It took me about six months and lots of help (in my case from Valimail) to get this working properly. Bob is frozen in indecision about how to even start on this particular project.
  5. He likes to have vendors that he can call up on the phone and talk him through things. I do too — that got me into trouble when my ISP died from Covid. He was a one-man operation, but once he was gone there wasn’t anything there. The trick is finding a company that prides themselves on good phone support. I am happy to report that Pair does a terrific job in this regard.
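As an added example (not from the original post), here is a small Python checker for the two records Bob has never set up: it reads a domain’s SPF and DMARC TXT values and reports the gaps that get mail rejected or leave the domain spoofable. The records it inspects are constructed samples, and the domain names and addresses in them are placeholders.

```python
"""Sanity-check SPF and DMARC TXT records for a small-business domain.

Added example, not from the original post. The records below are
constructed samples; example.com / example.net are placeholder domains.
"""
import re

# Constructed samples: what "Bob" publishes today, a half-done setup, and a fixed one.
BOB_NOW = {"spf": None, "dmarc": None}
PARTIAL = {
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dmarc": "v=DMARC1; p=none",
}
BOB_FIXED = {
    "spf": "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def check_spf(record):
    """Return a list of findings for an SPF TXT record (None means no record)."""
    if record is None:
        return ["no SPF record: receivers cannot tell which servers may send for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1; it is not a valid SPF record"]
    findings = []
    # The terminal 'all' mechanism decides what happens to every unlisted sender.
    final = terms[-1].lower()
    if final == "~all":
        findings.append("softfail (~all): unlisted senders are only flagged, not rejected")
    elif final in ("+all", "all"):
        findings.append("+all: any server in the world may send as this domain")
    elif final == "?all":
        findings.append("?all: neutral, gives receivers no guidance")
    elif final != "-all":
        findings.append("no terminal 'all' mechanism; unlisted senders default to neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a _dmarc TXT record (None means no record)."""
    if record is None:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v= tag; receivers will ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see the aggregate reports")
    return findings


def audit(domain_records):
    """Combine SPF and DMARC findings; an empty list means the basics are in place."""
    return ([f"SPF: {f}" for f in check_spf(domain_records["spf"])]
            + [f"DMARC: {f}" for f in check_dmarc(domain_records["dmarc"])])
```

Running `audit(BOB_NOW)` reports both records missing, `audit(PARTIAL)` flags the softfail and the monitor-only policy, and `audit(BOB_FIXED)` comes back clean.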

Bob will eventually figure this stuff out, get the right gear, and bring his operation at least into the 2020s. But all of this takes time away from doing productive work that generates income for his business. And that is the rub that many smaller businesses have to deal with: they aren’t IT specialists, and they don’t want to be. I don’t have that excuse: I have to play an IT guy on TV, or at least on the internet, every day.

SiliconANGLE: Google’s Web Environment Integrity project raises a lot of concerns

Earlier last month, four engineers from Google LLC posted a new open-source project on GitHub and called it “Web Environment Integrity.” The WEI project ignited all sorts of criticism about privacy implications and concerns that Google wasn’t specifically addressing its real purpose.

Remember the problems with web cookies? WEI takes this to a new level. I tell you why in my latest piece here.

SiliconANGLE: That Chinese attack on Microsoft’s Azure cloud? It’s worse than it first looked

The revelations last week that Chinese hackers had breached a number of U.S. government email accounts indicate the problem is a lot worse than was initially thought, according to new research today by Wiz Inc. Indeed, this hack could turn out to be as damaging and as far-reaching as the SolarWinds supply chain compromises of last year.

In my post for SiliconANGLE, I summarize what Wiz learned about the attack, what you have to do to scan and fix any potential problems, and why people who choose “login with Microsoft” are playing with fire.

A new foe of card skimmer crooks: Target Corp.

The war on credit card skimmers continues, this time from an unexpected source: Target Corp. Yes, the retailer. Cyber criminals attach skimmers to the outside of ATMs, gas pumps and other credit/debit card readers. When you insert your card into the machine, these skimmers capture your account number and PIN, which will be used later to clean out your account.

Brian Krebs has written about card skimmers for years, and I quoted him in this piece that I referenced when I last wrote about the topic in 2015. Last year, he documented some of the ultra-thin skimmers that ATM vendors found inside their machines. It is pretty amazing how the crooks continue to innovate in smaller and smaller devices to steal our data.

Skimming is sadly on the rise: 161,000 cards were stolen annually, up more than four times the rate from 2021. Now they have a new nemesis — Target Corp. They recently blogged about their approach, which uses a piece of plastic called EasySweep to ferret out the skimmers. There aren’t any electronics on this card — it is just thick enough to see if something else is already inserted in the slot, and is sheer genius. Their cybersecurity group took the rather unusual step of 3-D printing the plastic that measures the thickness of the card reading slot. Target staffers can quickly swipe the thing in each of the 20 or so terminals in a typical store in a few minutes. And it is simple: if the card fits, the reader is clean. If it jams, it could indicate the presence of a skimmer. Each store now checks its readers daily. They have sent 60,000 of the cards to their stores, and they offer the design to other retailers free of charge.

Granted, the war on skimmers is a cat and mouse game: originally, many IT folks thought they could find them by scanning for unknown Bluetooth devices, because many of them sent out their collected data via that frequency. Then the crooks developed skimmers that had to be removed and the data downloaded. While there is a limit to how thin they can be made, so far the EasySweep cards are still a valid testing tool.

Still, consumers should be on the lookout, as the cops say. Check your machine for obvious signs of tampering, such as a loose part or something odd either with the card slot or the keyboard (which might have an overlay to capture your keystrokes). If you are at a bank of machines, compare the one you intend to use with its neighbor to see if there are any physical differences. And cover your hand as you enter your PIN number. If you can, use an embedded EMV chip card, which are harder to skim. And also consider more advanced cards, such as from Apple/Goldman Sachs, that can create virtual CVV numbers on the fly to make it more difficult to skim.

SiliconANGLE: The WeChat app is anything but private

What if we had an app on our phones that combined the functions of Facebook Messenger, Venmo payments, MyPatientChart health records and WhatsApp for making voice calls, and also allowed us to download all sorts of mobile apps and games like Apple Inc.’s App Store?

Furthermore, what if such an app had absolutely no privacy controls, so the federal government could monitor, censor and track users, conversations and all activities?

Well, such an app exists. It’s called WeChat and it has 1.2 billion monthly active users. But it is a threat to our privacy, and I explain why in this post for SiliconANGLE.