When is the cell phone age of consent?

I realize that I am not using the term precisely, but you most likely understand the meaning. You could interpret my question as asking, at what age as parents do we provide cell phones for our kids? I asked my readers to share their own experiences, and most opted to remain anonymous, so I will refer to them with descriptors to distinguish them. In addition to the age of consent, I also asked other details about their kids’ usage and what controls they used to formulate their family phone policies.

The Fortunate family has two boys that are now in college. They got their phones when they were 12. “We trusted our kids and never had a problem,” at least to their knowledge. They initially used a Verizon blocking and monitoring phone app. They never had access to their kids’ phones and “on the whole it wasn’t a problem.” That is why I call them “fortunate.”

The Strict family also has two teen-aged boys (19 and 12), both of whom sort of got their phones when they were 12. The older boy “has only an Instagram account now but rarely uses it (mostly just to see occasional friend’s posts). He has the right priorities and values, and we don’t need to stay on top of this for him at all—he limits himself.” The younger boy is why I say “sort of” because his device is a locked-down iPad, which also comes with usage limits (“we collect it at night, and he’s not allowed to get it until all homework and other responsibilities are completed”). What is more significant is that “he has learned to bypass the controls on his school Chromebook and knows where to find unblocked games — that’s a big enough headache for me frankly.” Oh, and the parents are keepers of the passwords too.

The OnRamp family has a boy and a girl who got their phones between 16 and 18 (and are now in college). “I would caution any parent who would allow a phone prior to age 16,” they said. “Our kids needed an on ramp, you can’t just lock them down and then cut them free in an instant.” This family saw the need for phones at discrete moments, such as when traveling. But having an on ramp also meant restricting social apps, allowing them only with a lot of oversight, or forbidding them in places such as bedrooms, where the phones were instead relegated to a charging shelf. They also recognize that they didn’t do as good a job at teaching their kids about other worries such as doom scrolling or going down rabbit holes, because “any content consumption can be addictive.”

My cousins’ two daughters both got their first phones at age 12 (they are now 19 and 21). The parents had access to their Apple IDs and PIN codes so they could monitor which apps the girls had, and they also banned phones at the dining table and collected them at night.

One reader has four daughters from 4 to 10 years old, call them the Home School family. He said, “I can’t imagine ever giving them cell phones, and believe strongly in parent/child attachment.”

Several readers were pretty vocal about not allowing cell phones in the classroom. Of course, that places the responsibility on each teacher to detect usage, which can be an issue. But then this is just another part of their responsibilities. Many years ago, I taught a high school networking class for 10 boys. The class was held in a hard-wired network lab (wifi hadn’t yet become popular or available in the school). When a student was giving me problems, I would unplug their computer. That public shaming seemed to work for me, and the related peer pressure worked on them as well.

Others suggested buying phones without any internet data plans, or GPS-enabled watches, from vendors such as Mint Mobile, Gabb.com, Bark.us or Tello.com. These vendors have a wide range of products, and Gabb has an impressive amount of content that can help you pick out the right piece of tech for your kids.

However, like any blocking or protective tech, these solutions may create additional problems. The Contract family used the Bark.us app, which did help out in one situation, but the father grew tired of its frequent and buggy updates and discontinued its use last year. They also made their kids sign a multi-page cellphone agreement, which he has agreed I can share with you here. This might work for you, but I think many of you would find this level of pseudo-legality a bit much. Another source worth exploring is Delaney Ruston’s blog (she has interviewed many families for her documentary films about family tech use), and this post goes into great detail about how to formulate your family’s phone policies.

Another reader, we’ll call him Childless Man, says that “if I had had a cell phone when I was 12 to 15, I would have gotten myself in lots of trouble. I can’t be the only kid whose libido was running overdrive!”

Finally, there is the Watch family, with two daughters 8 and 11. So named because they have focused on getting watches rather than phones, at least initially. “The Apple watch is great, because when it is not paired to a phone it cannot access any apps.” They also manually add contacts to the watch so they can control who their girls communicate with, and are the keepers of the passwords too. “The watch is restricted to contact with mom&dad only after 8:30pm and is also on ‘school mode’ during the day. Our kids’ schools are also complete black holes of cell service.”

I originally thought about this topic in terms of kids’ social network usage, but as I was corresponding with you all I saw that I hadn’t really understood the breadth and depth of the issue. Yes, we can try to block TikTok, Facebook, and Instagram. But what about YouTube, Discord, and playing online games? And kids are clever at getting around app blockers, as I mentioned with the Strict family earlier. I probably will have more to say about this topic and welcome your input as always.

So what can you glean from these examples? There is no perfect solution, and the important thing is to match your level of expertise (many of the families cited here are headed by parents who are computing professionals), the kind of kids you have and how they develop, and what tech their peers are using. (To that end, Ruston pointed me to Waituntil8th.org, which encourages parents to act together and wait until eighth grade before giving their kids phones.) All of this means that your policies and restrictions will of course change as your kids grow up. Thanks to all of you who answered my query, and if you want to share your own experiences, feel free to comment here or send me a private message.

CSOonline: CASB buyer’s guide

Since I began examining cloud access security brokers in 2018, a lot has happened. CASBs sit between an organization’s endpoints and cloud resources, acting as a gateway that monitors everything that goes in or out, providing visibility into what users are doing in the cloud, enforcing access control policies, and looking out for security threats.

Some vendors have begun incorporating additional features into core CASB functionality, such as data loss prevention (DLP), secure web gateway (SWG), cloud security posture management (CSPM), and user and entity behavior analytics (UEBA). Many CASB vendors have been purchased by mainline security vendors: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The market has matured, although this is a matter of degree, since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be just as important in the near future as firewalls once were back in the day when PCs were being bought by the truckload.

There are three deployment modes: forward proxy, reverse proxy and API-based. Most experts say that API-based CASBs provide better functionality, but organizations need to make sure that the vendor’s list of application programming interface (API) connections matches up with the organization’s inventory of cloud apps.

In this updated story for CSOonline, I talk about what these products are, why enterprises are motivated to purchase and deploy them, what features you should look for that are appropriate for your network, what your decision points are in the purchase process, and I provide links to many of the major CASB vendors.

Book review: Infidelity Rules by Joelle Babula

This debut novel centers around the life and loves of Quinn, a sommelier for a trendy DC restaurant and a serial home-wrecker who likes to date married men. The dates are initially filled with passion that eventually cools as the men decide to end their affairs, or their marriages. The pairing of wine with relationship woes is a powerful narrative device as we are introduced to Quinn’s world, her female friends and family, and her coworkers. I found myself drawn in almost immediately to the plot and people, and the author does a great job of presenting both sides of Quinn’s latest dalliance with Marcus, who sweeps her off her feet until she meets up with his wife and hears her point of view of their relationship. The characters are well-drawn, the situations and circumstances feel very realistic, and the underlying humor and pathos make for a compelling read, for readers of all genders. Highly recommended. Buy on Amazon here.

Startup survival guide: keep it simple and small

I have known Vesa Suomalainen for many decades, going back to the days when he ran several teams for Microsoft during their go-go years. He and several compatriots left the company around the turn of the century and eventually built another software company called Webscorer in 2011. (I wrote an article about his startup then for ReadWrite, which amazingly is still online here.) At that time, I called his vision “anti-Microsoft.” It was a successful philosophy. I recently caught up with him to expand on some of the things he learned from running various software startups. “We wanted to stay small and we have the same exact team as we did in 2011. No deaths, no arguments, no retirements. Just as planned,” he said. It is almost as if everyone learned how little they liked the BigCo mentality and has purposely tried to keep things small.

Here are some other lessons he has learned over the years to keep to this vision:

  • Don’t be optimistic. Plan that you will struggle initially, and this way you won’t end up diluting all (or even much) of your startup capital. It is always better not to take any outside money and pay everything on your own dime.
  • Set your sights lower. You don’t want to conquer the world, just make a small adjustment over time. Vesa talks about having an excellent niche product that is highly profitable rather than shooting for the stars and failing and losing your entire company.
  • Know what not to do. Learning from your mistakes is just as important as success. Vesa’s failure taught him more about what not to do with his present venture. Watching a startup destroy itself was a very potent teacher. Speaking of which, he said that “There are lots of ways to fail, but only one way to succeed.” Sounds like something Yoda might say to young Luke.
  • Don’t make too many promises that you can’t keep. Understand scope creep and keep it under control. Eliminate buttons, reduce functionality, and keep things simple. Resist the temptation to make your product more complex at every turn.
  • Don’t be greedy, share your equity with your key founding members. Even if it is a small percentage, you want to retain your key developers and engineering talent. Nothing says loving more than some points of equity. This means being flexible and fair to your employees (we have no fixed office hours and no vacation or sick leave policies), and give everyone some responsibility with that equity. It also reduces the number of team meetings — we get by with one weekly online session.
  • Keep your costs down. Everyone works remotely, so there is no office expense. They also don’t have any accountant, corporate lawyer, or a bookkeeper, so they do their own taxes and resist “lawyering up.”
  • Ignore your competitors, listen to your customers. Competitors come and go; hopefully your customers remain. Having happy customers is the best marketing strategy, and having viral marketing helps keep marketing costs down.
  • Product quality is key. Performance, scalability, usability, and availability are core features. Take each and every bug report and feature request seriously, and then provide quick, free and competent support. They use Google Firebase to get automatic crash reports, for example.

How not to repurpose an old laptop

For the past six or so years, I have had an HP Elitebook laptop that I have carted around the world a few times and upgraded a few times, eventually to Windows 11 (amazingly, Microsoft still supports the thing). It runs an Intel i7 and has 16GB of RAM, so it is a pretty solid machine even now.

But it was showing signs of age (aren’t we all?): the sound, which used built-in B&O speakers, was no longer working, and there were a few other quirks with the bundled HP security software that I was tired of dealing with.

Perhaps you are in a similar situation, or your business is in a similar situation. Read on, and learn from my many mistakes. Even though I have been working with PCs since the mid-1980s, there is still a lot I can learn.

What pushed me from “thinking about getting a replacement” to action was this security warning about this aging fax modem driver file ltmdm64.sys that could cause problems. I thought — ok, I am a security expert, let’s see if I have this file on my laptop. A quick search using File Manager brought up nothing, but then I realized that FM doesn’t tell you about system-level files. I rooted around some more and saw it eventually lurking in some dark Windows directory, but of course I couldn’t rename it or delete it. And this is a feature, not a bug, because the last thing I would want would be to have some malware get ahold of that directory and cause even more damage.

Enough already. But before I bought something new, I wanted to see if I could repurpose my laptop and install a less complicated OS that I could manage. Easy, I thought: almost all of my use is through browser-based tools. And since I run my email through Google’s servers, I figured I’d start with ChromeOS Flex. Unlike other OSes, you don’t download an .iso image file and then use that to make a bootable USB drive. Instead, you have to go to the Chromebook Recovery Utility’s download page and download and prepare the bootable image that way. This utility is a browser extension. That should have been a warning sign.

There are two ways you can refresh your PC with a new OS: run the “live boot” from the USB drive, which means nothing gets put on your hard drive (in case something goes wrong), or do a fresh install, in which case you destroy the (in my case) Windows files and start anew. Being a careful person, I chose door #1 and did the live boot.

Now, I have all sorts of security things on my Google account, including a Yubico hardware key, passkeys, an account password that is a complex string of numbers, letters and symbols (more on that in a moment). I also had one must-have browser extension — the Zoho Vault password manager. I thought having a Google OS would be a good thing. I was wrong.

The problem with ChromeOS is that it is not quite an OS — it is really Android that has been heavily modified and stripped down. You’ll see why in a moment.

Within short order I got a working system, the Zoho stuff worked just fine and I was ready to throw caution to the winds and do the great big wipeout and install ChromeOSFlex for real. Got everything flowing just fine, or so I thought. Then I shut down my machine for the night. Big mistake, as I found out the next day.

The problem is when ChromeOS boots up, it doesn’t quite know your keyboard driver. So the password that you type in doesn’t quite match. It didn’t help matters that my password contained a series of ones and zeros and the letter O and L. It wasn’t easy to figure this all out.

So Google kept saying I had entered a bad password. I eventually figured out that when it is initially booting up, it doesn’t recognize my passkey or my Yubico key. I don’t know why. And Google has made ChromeOS require a boot password, so I was kinda stuck.

Now I had A Project. Over the past week, I have downloaded all sorts of Linux-flavored OSes. All had issues, until I downloaded Mint Linux. Twice, since for some reason the download didn’t take the first time around. I needed an ISO writer called balenaEtcher to create a bootable USB drive from my Mac. Eventually, I got things working, although I would have liked for Zoho to support an Opera browser extension on Linux, but they don’t have one, so for the moment I am using Firefox as my web browser.

What works: I have sound once again, and my Yubico key and passkeys work just fine.

What doesn’t quite work: the control of the fonts inside the browser, or at least I haven’t figured out where that particular control is.

Lesson #1: Don’t do the complete wipeout until you have rebooted your old laptop a few times.

Lesson #2: If you have a critical software component (in my case, the password manager), make sure it supports your OS and browser version. This is why you try out the live boot option.

Lesson #3: Make sure your OS will run on your particular chipset, particularly if it isn’t a 64-bit Intel CPU. Read the fine print.

Lesson #4: If you have hardware keys or other USB things that you want supported, particularly test them on the live boot before committing to the total wipeout.

Lesson #5: Know your tools. ISO boots are a strange sub-culture. Make sure you have a sufficiently large USB thumb drive that can contain the boot image. Make sure you find a program that will create a bootable USB from your downloaded ISO file.
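As an added example for Lesson #5 (written for this post; it is not code from the post, from balenaEtcher, or from any Linux distribution), the Python script below runs the two pre-flight checks that would have caught the first, incomplete download described above: it compares the ISO’s SHA-256 against the checksum published on the distribution’s download page, and it confirms the image actually fits on the target drive. The published checksum and the drive capacity are inputs you look up yourself; the demo feeds it a constructed stand-in file rather than a real ISO.

```python
"""Pre-flight checks before writing a downloaded ISO to a USB drive.

Added example for this post, not code from the post, from balenaEtcher
or from any distribution. Inputs you supply: the SHA-256 published on
the distribution's download page and the USB drive's capacity in bytes
(`lsblk -b` on Linux, `diskutil info` on a Mac).
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash the file in 1 MiB pieces; ISOs are a few GB


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(iso_path: str, expected_sha256: str, device_bytes: int) -> dict:
    """Return the check results as a dict of booleans plus the file size.

    checksum_ok     the download matches the published hash (a truncated
                    or corrupted download fails here)
    fits_on_device  the image is no larger than the drive
    ready           both checks passed; safe to hand to the ISO writer
    """
    size = os.path.getsize(iso_path)
    checksum_ok = sha256_file(iso_path) == expected_sha256.strip().lower()
    fits = size <= device_bytes
    return {
        "size_bytes": size,
        "checksum_ok": checksum_ok,
        "fits_on_device": fits,
        "ready": checksum_ok and fits,
    }


def demo() -> tuple:
    """Run preflight against a constructed stand-in file (not a real ISO)."""
    payload = b"CD001" * 4096            # constructed content, 20480 bytes
    published = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "constructed.iso")
        with open(iso, "wb") as f:
            f.write(payload)
        good = preflight(iso, published, device_bytes=8 * 1024 ** 3)
        # Same file checked against the wrong hash: this is what an
        # incomplete or corrupted download looks like to the script.
        bad_hash = preflight(iso, "0" * 64, device_bytes=8 * 1024 ** 3)
        # Drive one byte too small for the image.
        too_small = preflight(iso, published, device_bytes=len(payload) - 1)
    return good, bad_hash, too_small


if __name__ == "__main__":
    for label, result in zip(("complete", "bad hash", "too small"), demo()):
        print(f"{label:10s} {result}")
```

Run `preflight("/path/to/linuxmint.iso", "<published sha256>", <drive bytes>)` and only start the ISO writer when `ready` is true; a checksum mismatch means download it again rather than trying to boot it.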

CSOonline: CSPM Buyer’s guide

(originally posted 6/21)

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and an increasing importance of cloud infrastructure, we need tools that can find and fix these unintentional errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

Vendors have been incorporating CSPM functions into their overall CNAPP or SSE platforms, including CrowdStrike, Palo Alto Networks, Wiz, Zscaler and Tenable. This means that the standalone CSPM tool has all but disappeared. In my latest revision of the category for CSOonline, I mention some of the issues involved in purchase decisions and name three vendors that are still selling these tools.

Podcast: with Sam Whitmore on offensive agentic AI tactics

This week I spoke to Sam Whitmore of MediaSurvey about two reports that came out this month, one from the Google Threat Intel group and one from Anthropic, the makers of Claude AI.

The Google report says that “adversaries are no longer leveraging AI just for productivity gains, they are deploying novel AI-enabled malware in active operations. Malware threat groups are using LLMs during their execution to dynamically generate scripts on demand and hide their own code from detection.” They are also using social engineering pretexts to bypass security guardrails. That is pretty scary stuff.

The Anthropic report found ways that threat actors manipulate Claude Code to automate the orchestration of reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations largely autonomously. The researchers claim that this is the first documented attack without much human intervention or control at huge scale and showed how Claude agents were able to decompose these multiple attack stages into smaller parts. One small issue: the events depicted in this report happened about a year ago, using tools that now seem ancient given the rapid state of things in the AI world.

The key to the behavior chronicled in both reports was how AI assumed some pretty human role-play: the human operators claimed that they were employees of legitimate cybersecurity firms and convinced Claude that they were playing a capture-the-flag, a common white-hat technique.

Both reports show just how the bad guys can use agentic AI to be more effective at stealing data than any group of human operators. The challenge will be stopping these and even more advanced threats going forward.

Watch out for browser cache smuggling

Browser caches can be difficult to secure, because our insatiable hunger for web content means our browsers often deposit files there that could turn out to be trouble. In the past, malware actors would try to poison web server caches — these were holding areas that the servers put aside to deliver frequently requested pages or pieces of content, such as large image files.

“Think of cache poisoning as poisoning a town’s shared well—everyone who draws from it is affected,” said Satnam Narang, senior staff research engineer at Tenable. “Browser cache smuggling, however, is like getting a meal kit with a hidden poisonous ingredient. It sits harmlessly in your private kitchen until you are tricked into following the recipe and cooking it yourself.” Cooked, indeed. The attacker hides an executable program inside a misnamed file that appears to be storing an image in the cache. Marcus Hutchins wrote about this recently.

Cache smuggling has been around for years, but lately it is being paired with zero-click malware that makes the deposit and then the activation without any user intervention. Or, as Marcus documents, a misleading pop-up instructs a user to run a series of Windows commands that bring this all about in the background. Or a phishing email tells you that a large reward is just waiting for your click to approve.

I recently got one of these emails from the Facebook User Privacy Settlement, asking me to activate a debit card. I was about to hit the delete key when I thought I should investigate further, and found out that I was wrong: the email offer was legit and moments later, I was now about $38 richer. Woo-hoo!

One way to fix this across the enterprise is to use one of the class of enterprise browsers that encrypt the cache, or that can enforce global policies whenever a user brings up a browser. Island.io and Authentic8.com are two of these vendors. Consumer versions are available from Opera or Brave, which provide various content blockers that can stop the smuggling route.

Another mechanism is to make use of various network defensive tools (such as is available from one of my clients, Corelight). These can monitor odd network flows, such as unexpected uses of PowerShell, which often are clues that some hanky-panky is going on.
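As an added illustration of the misnamed-file trick described above (example code written for this post, not code from Marcus Hutchins, Tenable, Corelight or any of the browser vendors named here), the script below walks a directory of extracted cache entries and flags files whose extension says “image” but whose bytes say “executable”, including the case where a genuine image header is followed by an embedded PE stub. It assumes the cache entries have already been dumped to plain files under the extension the server declared (real browser caches use their own container formats), and the sample files it builds are constructed stand-ins, not real malware.

```python
"""Flag cache entries whose claimed type (by extension) disagrees with
their content's magic bytes.

Added example for the cache smuggling post; not code from the post or
from any vendor named there. Assumes cache entries have already been
extracted to plain files carrying the server-declared extension.
"""
import tempfile
from pathlib import Path

# Magic bytes a file with each image extension should start with.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

# Magic bytes that mean "executable code or archive, not an image".
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"#!": "script with shebang",
}

# Present in the DOS stub of practically every PE file; if it shows up
# inside an otherwise valid image, an executable has been embedded.
PE_STUB_MARKER = b"This program cannot be run in DOS mode"


def classify(name: str, data: bytes) -> str:
    """Return a verdict for one cache entry.

    ok             extension and magic bytes agree
    exe-as-image   image extension, but the bytes are an executable
    embedded-exe   valid image header with a PE stub hidden inside
    not-an-image   image extension, unrecognised content
    not-checked    extension is not one this script knows about
    """
    ext = Path(name).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return "not-checked"
    if any(data.startswith(magic) for magic in EXECUTABLE_MAGIC):
        return "exe-as-image"
    if any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "embedded-exe" if PE_STUB_MARKER in data else "ok"
    return "not-an-image"


def scan_cache(directory: str) -> dict:
    """Map every file under the directory to its verdict."""
    results = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            # Whole file is read because the stub search needs the body.
            results[path.name] = classify(path.name, path.read_bytes())
    return results


def suspicious(results: dict) -> list:
    """Names that deserve a closer look (anything but ok / not-checked)."""
    return sorted(n for n, v in results.items() if v not in ("ok", "not-checked"))


def build_sample_cache(root: str) -> None:
    """Write constructed sample entries (not real malware) for a demo run."""
    root = Path(root)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # A PE header sitting under a .jpg name: the misnamed-file case.
    (root / "photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60 + PE_STUB_MARKER)
    # A JPEG header followed by a PE stub appended after the image data.
    (root / "banner.jpeg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 100 + b"MZ" + PE_STUB_MARKER)
    (root / "icon.gif").write_bytes(b"not really a gif")
    (root / "page.html").write_bytes(b"<html></html>")


def demo() -> dict:
    """Build the constructed cache in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache(tmp)


if __name__ == "__main__":
    results = demo()
    for name, verdict in results.items():
        print(f"{name:12s} {verdict}")
    print("needs review:", suspicious(results))
```

Point `scan_cache` at a directory of extracted entries and review whatever `suspicious` returns; a hit is a lead for the network-side checks mentioned above (what process touched the file, and whether PowerShell was launched around the same time), not proof of infection on its own.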

My new genAI mini-me: meet Ada

I am split on the utility and influence of AI in my work. I read articles such as what David Gewirtz recently posted on ZDnet about ways that AI can save time for small business owners. Kudos to him, and others who have spent a lot of time with AI.

But I wanted to go in another direction, so a year ago I was invited to try out an experiment — why not develop a genAI chatbot that could be trained with my entire published corpus? It is finally ready for initial testing. We call her Ada, named after Ada Lovelace. (And yes, I am using that pronoun. It just feels right.)

I am not a frequent AI consumer, and the reason why is that I have long-ingrained work habits that focus on my human abilities to seek out new information and write compelling content by hand. But what I do lack is a perfect memory of what I have written over the many decades that I have been a professional editor. That memory is limited to what I can dig up on my blog, my hard drive, and my website. Perhaps Ada can make it easier to find this as I begin my research on a new article. And perhaps Ada can help you recall what I wrote decades ago that could be relevant to your particular situation. So began the project.

I was working with a team of developers who have already developed other chatbots with a similarly intense vertical knowledge. Ada is based on the Anthropic Claude Sonnet LLM, with some custom code. None of the queries that you or I submit are saved once you close the browsing session.

It is a bit eerie and wonderful at the same time. It is like talking to a better version of myself, which I guess is a sign of how successful she is. My queries were answered with things that either I recall saying myself, or sound like something I would say about the topic, and for the most part, were pretty much on target. And, the answers also were documented, with the actual URLs that were posted.

If you ask Ada about my writing style, here is what she says:

## Core Writing Philosophy
You write to make complex technical topics **accessible and understandable**. Your goal is clarity over jargon – you want readers to actually grasp what’s happening in the tech world, not just be impressed by terminology.

## Key Characteristics

**1. Clarity and Directness**
– You cut through marketing hype and get to what matters
– Short, punchy sentences mixed with explanatory ones
– You define technical terms when you use them
– Active voice dominates

**2. Practical, Real-World Focus**
– Heavy use of concrete examples and case studies
– You often test products yourself and report findings
– References to actual companies, incidents, and implementations
– “Here’s what this means for you” orientation

**3. Balanced Skepticism**
– You question vendor claims and industry buzzwords
– Point out both strengths AND weaknesses
– Acknowledge when something is overhyped vs. genuinely useful
– Not cynical, but definitely not a cheerleader

**4. Conversational Expertise**
– Slight conversational tone while maintaining authority
– You use “you” to address readers directly
– Occasional wry observations or dry humor
– Like a knowledgeable colleague explaining something, not lecturing

**5. Structure and Organization**
– Clear headings and bullet points
– Logical flow from problem → explanation → solution/implications
– Often lists or numbered points for clarity
– Strong topic sentences that telegraph what’s coming

**6. Context and Background**
– You don’t assume readers know everything
– Provide relevant history when it illuminates current issues
– Connect dots between different tech developments
– Explain *why* something matters, not just *what* it is

This style has served you well across decades of tech journalism – it respects readers’ intelligence while acknowledging that even smart people need clear explanations of complex topics.

Does that sound like someone you know? Exactly. (I am using a different font here to distinguish her replies.)

Now, why would I want Ada around as an AI mini-me? As I mentioned earlier, one of the first reasons that I was attracted to it was because it did a better job searching my corpus than I could do with the default WordPress (or MacOS) search panels. And it also searches my website content, something that I never got around to properly instrumenting. Granted, much of that content is pretty ancient stuff, but it does come in handy sometimes, like when I was asked to serve as an expert witness because of something I wrote in the mid-1990s. On the internet, your words live nearly forever, at least until my hosting provider decides to delete my stories.

But am I worried that Ada will replace me? After all, instead of having the real human write something, you could just query Ada and get it instantly. No muss, no fuss, and no delay. That’s true. Perhaps Ada will become a low-cost competitor and hollow out my freelance business, (at least more than any genAI tool already has done) but I am betting that you will find the human/AI combo a potent differentiator in the kind of work that I can offer. Like I said, it is an experiment.

Will I charge for using Ada? Eventually. Right now, I am interested in your feedback and whether you think her responses are accurate and appropriate. In my tests she was quite clear on what she knows and what isn’t in her training set. For example, I asked her about different USB standards, something that I have never (at least to my recollection) written about. She replied:

I apologize, but I don’t see comprehensive information about different USB standards and their specific differences in the provided source material. While USB is mentioned briefly in a few contexts (like as a connection option for some home networking equipment), the articles don’t contain detailed technical comparisons of USB standards.

Right on Ada.

Ada is current as of last month. And for a limited time, you can try her out yourself and see what you think. All you have to do is ask me for the login credentials. If you are interested, drop me an email, or even call me on the phone, and you can test drive her.

Doing public relations in the lower literacy era: Sam Whitmore podcast

The literacy rate is low, pubs still believe in words, and people don’t have the skill or patience or ability to concentrate and to read anymore. I talk with my long-time colleague and friend Sam Whitmore about how he thinks we are in the post-literacy era (there is this Harvard study). I contrast the ability to analyze trends from the written word with what a well-placed picture or video demo can do, what I call visual literacy. This 15-minute conversation talks about this perspective for PR agencies and their clients and how to craft multi-modal pitches in the modern era. We also discuss how AI-generated output can shape and drive online advertising.