10 steps to smarter Google account security

There are important accounts to secure, and then there are important accounts to secure. Your Google account falls into that second category, maybe even with a couple of asterisks and some neon orange highlighting added in for good measure.

I mean, really: When you stop and think about how much stuff is associated with that single sign-in — your email, your documents, your photos, your files, your search history, maybe even your contacts, text messages, and location history, if you use Android — saying it’s a “sensitive account” seems like an understatement. Whether you’re using Google for business, personal purposes, or some combination of the two, you want to do everything you possibly can to keep all of that information locked down and completely under your control.

And guess what? Having a password that you hastily set seven years ago isn’t enough. With something as priceless as your personal data, that single key is only the start of a smart security setup. And even it might be due for an upgrade.

Take 10 minutes to go through these steps, then rest easy knowing your Google account is as guarded as can be.

Part I: Reinforce your front door

Step 1: Check up on your Google account password

We’ll start with something simple but supremely important — that aforementioned Google account password. Consider the following questions:

  • Is your Google password based on your name, the name of your partner or child, your birthday, your street address, or anything else someone could easily figure out by Googling you?
  • Does your Google password revolve around a common word or easily guessable pattern?
  • Is your Google password short — less than eight characters, at a minimum?
  • Do you use your Google password (or any variation of it) to sign into any other app, website, or service?

If the answer to any of those questions is yes, first, bop yourself firmly on the nose. Then use this link to go change your password immediately — preferably to something long, complex, and not involving any easily discoverable personal info, any common words or patterns, or anything you use anywhere else.

(And note: This is also where a reliable password manager — whether the basic Google Password Manager or a more fully featured third-party option — can make all the difference in the world.)

Got it? Good. Next:

Step 2: Give your Google account a second layer of protection

No matter how strong your Google account password is, there’s always still the chance someone could crack it — but you can exponentially reduce the risk of anyone actually getting into your virtual property by enabling two-factor authentication on your account.

With two-factor authentication, you’ll be prompted for a second form of security in addition to your password — ideally something that requires a physical object that’d only ever be in your presence. In its simplest effective form, that could be a prompt or a code generated by your phone. If you want to get really fancy, it could be a button pressed on an actual key you carry (which could be a special USB- or Bluetooth-based dongle or even something built into your phone) — sometimes even called a “passkey,” which is basically just a confusing and overcomplicated way to say the same thing. There’s also an option to have codes sent to you via text message, but that method is relatively easy to hijack and thus not generally advisable to use.

Whatever path you choose, having that second layer in place will make it incredibly difficult for anyone to get into your Google account, even if they do somehow know your password.

If you don’t have it set up yet, go to Google’s 2-Step Verification page to get started.

Step 3: Make sure you’re prepared to prove your identity

If Google ever detects some sort of suspicious activity on your account, it might require you to verify your identity before it lets you sign in. And if you haven’t looked at your account verification settings in a while (or ever, for that matter), there’s a decent chance the necessary info might be out of date or missing altogether.

Take a minute now to open up Google’s account security site and look in the section labeled “How you sign in to Google.” There, among other things, you should see two options:

  • Recovery phone
  • Recovery email

If the value next to either option is not current and correct, click it and update it immediately.

And with that, we’re ready to move on to our next level of Google account protection.

Part II: Clamp down on connections

Step 4: Review the third-party services with access to your account

When you set up an app that interacts with Google in some way — on your phone, on your computer, or even within a Google service such as Gmail or Docs — that app gets granted a certain level of access to your Google account data.

Depending on the situation, that could mean it’s able to see some of your activity within specific Google services; it could mean it’s able to see everything in your Gmail, Google Calendar, or Google Drive; or it could mean it’s able to see everything across your entire Google account.

It’s all too easy to click through confirmation boxes without giving it careful thought — so look back now and see exactly what apps have access to what types of information. Visit Google’s third-party app access overview and look through the list of connected services. If you see anything there you no longer use or don’t recognize, click its line and then click the button to remove it.

Allowing apps you know and trust to access your account is perfectly fine, but you want to be sure to revisit the list regularly and keep it as current and concise as possible.

Step 5: Review the devices with access to your account

In addition to apps, you’ve almost certainly signed into your Google account on a variety of physical devices over the past several months (and beyond). And often, once you’ve signed in at the system level, a device remains connected to your account and able to access it — no matter how long it’s been since you’ve actually used the thing.

You can close that loop and take back control by going to Google’s device activity page. If you see any device there that you no longer use or don’t recognize, click the three-dot menu icon within its box and sign it out of your account right then and there.

Step 6: Look over app permissions on your phone

Another important app-related consideration: If you’re using Android, some system-level permissions — such as those connected to your contacts and calendar — can effectively control access to areas of your Google account data, since services such as Google Contacts and Google Calendar sync that data between your phone and the cloud.

Head into the Security & Privacy section of your phone’s system settings and look for the line labeled “Permission manager.” (Depending on your device, you might have to tap a line labeled “Privacy controls” before you see it.) If you can’t find it, try searching your system settings for the phrase permission manager instead.

Once you get there, you can look through each type of permission and see which apps are authorized to access it — and, with a couple more taps, revoke the permission from any apps where that level of access doesn’t seem necessary.

Step 7: Look over extension permissions in your browser

On the desktop, extensions added into Chrome or any other browser have the potential to expand your browser’s capabilities — but they also have the potential to put your privacy at risk.

Extensions could require access to anything from your complete browsing history to your system clipboard. They can often read and change data on sites you’re actively viewing, too — either any and all sites or only specific pertinent URLs, depending on the specific permissions requested.

None of this is necessarily bad, so long as the extension in question is reputable and requesting only the permissions it genuinely requires for the function it provides. But sometimes, even the most well-intending developers can get lazy and go with a broader permission than what their software actually needs. And in such an instance, an extension that does something as simple as enhancing the Gmail interface or allowing you to save articles for later could have access to everything you do in your browser — and the sort of broad data that’s typically kept under lock and key inside your Google account could be shared with external entities for no good reason.

So let’s do a quick little assessment, shall we? If you’re using Chrome, type chrome:extensions into your browser’s address bar. If you’re using another browser, look in its main menu to find the equivalent option for managing extensions or add-ons, as they’re sometimes also called.

Once you’re looking at a list of all your installed extensions, click the “Details” or “Options” button for every extension on the page. Peek at the “Permissions” section within each one and then take a close look at the “Site access” section, in particular. Think carefully about the level of access that’s granted there and whether it’s genuinely needed — or whether it’d make sense to bring it down a notch and make it more limited in nature.

With Chrome and other Chrome-based browsers — like Microsoft Edge and Vivaldi — if the extension seems like it really only needs access to a specific site or domain and it’s requesting access to your activity on all sites, click the dropdown menu in that area and change its setting from “On all sites” to “On specific sites” (which lets you provide a specific, limited list of URLs on which the extension will have full visibility).

Just remember that many extensions do legitimately need certain levels of access in order to operate — so make these changes cautiously and only after carefully thinking through the potential implications. Worst-case scenario, though, if you bring an extension’s access down and then find it’s no longer working as expected, you can always come back to this same area of your browser’s settings later and change it back.
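The same site-access review can be run against extension manifests on disk, which helps when there are many extensions or several machines to check. This is an added example, not part of the original article or of any browser's own tooling: the sample manifests are constructed, the set of API permissions flagged as sensitive is this example's own choice, and `audit_directory` assumes the `<extensions dir>/<id>/<version>/manifest.json` layout used by Chromium profiles.

```python
"""Audit extension manifests for site access broader than the job needs."""
import json
from pathlib import Path

# Real Chrome permission names; which ones to flag is this example's choice.
SENSITIVE_APIS = {"history", "clipboardRead", "cookies", "tabs", "webRequest"}

# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    {   # Manifest V3: host access is listed under host_permissions.
        "manifest_version": 3,
        "name": "Mail Tweaker (constructed)",
        "permissions": ["storage"],
        "host_permissions": ["https://mail.google.com/*"],
    },
    {   # Manifest V2: host patterns are mixed into permissions.
        "manifest_version": 2,
        "name": "Read Later (constructed)",
        "permissions": ["tabs", "history", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["save.js"]}],
    },
]


def is_host_pattern(value):
    """Host match patterns look like scheme://host/path or <all_urls>."""
    return value == "<all_urls>" or "://" in value


def is_all_sites(pattern):
    """True when the pattern covers every host ("On all sites")."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest):
    """Summarise the site access and sensitive APIs one manifest requests."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = [p for p in perms if is_host_pattern(p)]        # MV2 style
    hosts += manifest.get("host_permissions", [])           # MV3 style
    for script in manifest.get("content_scripts", []):      # injected scripts
        hosts += script.get("matches", [])
    hosts = sorted(set(hosts))
    broad = [h for h in hosts if is_all_sites(h)]
    return {
        # Installed manifests may show a localisation key such as
        # "__MSG_appName__" here instead of a readable name.
        "name": manifest.get("name", "(unnamed)"),
        "all_sites": bool(broad),
        "broad_patterns": broad,
        "site_patterns": [h for h in hosts if h not in broad],
        "sensitive_apis": sorted(SENSITIVE_APIS.intersection(perms)),
    }


def audit_directory(extensions_dir):
    """Audit every <id>/<version>/manifest.json under extensions_dir
    (assumed layout); unreadable or invalid manifests are skipped."""
    reports = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        report = audit_manifest(manifest)
        report["extension_id"] = path.parent.parent.name
        reports.append(report)
    return reports


if __name__ == "__main__":
    for sample in SAMPLE_MANIFESTS:
        r = audit_manifest(sample)
        scope = "ALL SITES" if r["all_sites"] else ", ".join(r["site_patterns"])
        print(f'{r["name"]}: {scope}; sensitive APIs: {r["sensitive_apis"]}')
```

An extension reported with `all_sites` set whose purpose involves a single service is a candidate for the “On specific sites” setting described above.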

Firefox, incidentally, doesn’t allow this level of granular permission-granting — so if you find an extension there is accessing more than you’re comfortable with, your only real option is to uninstall it entirely.

Speaking of which…

Step 8: Get rid of any mobile apps and browser extensions you don’t need

While you’re thinking about third-party add-ons for your computer and phone, take a moment to review everything you have installed on both fronts and consider how many of those programs you actually still use. The fewer cracked windows you allow on your Google account, the better — and if you aren’t even using something, there’s no reason to keep it connected.

And with that, we’re ready for our final two parts of account-protecting possibilities.

Part III: Plan for the worst

Step 9: Set up or confirm your virtual Google will

Thinking about worst-case scenarios is never particularly pleasant — I’d much rather be eating crumpets, myself — but just as it’s important to have a plan in place for your physical and financial possessions, creating a virtual will for your Google account will make matters infinitely easier for your loved ones if and when you ever develop a mild case of death.

For company-managed Google Workspace accounts, someone at your organization would be able to take control of your account in the event that you were no longer able to access it. But with an individual Google account, no such system for passing along access exists.

Google has a simple system in place to manage this: Open up the Inactive Account Manager, and you’ll find tools for determining exactly what should happen if your account ever becomes inactive for a certain period of time. You can specify the number of months that must go by without any sign of your presence, along with the email addresses and phone numbers Google should use to contact you for confirmation. And then, you can give Google the email addresses of any people you want to be notified once it’s clear that you’re no longer available.

From there, you can specify exactly what types of information your chosen contacts will be able to access. You’ll even be able to leave a message for those people, if you want, and optionally create a broad autoreply that’ll be sent to anyone who emails you once your inactive period has begun (creepy!).

Even if you’ve gone through this process before, it’s worth going back in and revisiting your preferences occasionally to confirm the info is all still complete and accurate — not only in the specific contacts you have set to be notified but also in what specific areas of your account those people will be able to access, if this situation ever actually arises.

For that latter piece of the puzzle, be sure to click the pencil-shaped icon next to the email address of each person you have listed. After you confirm their address, that’ll show you a list of account-related areas — everything from Contacts and Calendar to Google Chat, Google Photos, and even your location history (if you’re using a device that contributes to such a collection).

Virtually every time I’ve ever looked at that, I’ve found a handful of newer account-related areas weren’t selected to be shared — presumably because they didn’t exist when I had last reviewed the options. I had to manually check them all to be sure they’d be included in any post-consciousness account sharing.

Part IV: Turn your protection up to the max

Step 10: Think about Google’s Advanced Protection Program

Last but not least is a step that won’t be right for everyone but could be hugely consequential for certain types of Google users. For anyone at a higher risk of a targeted attack, Google offers an elevated form of account security called the Advanced Protection Program.

The program is described as being appropriate for business leaders, IT admins, activists, journalists, and anyone else who’s in the public eye and likely to be sought out by someone looking to do damage. It puts a series of heavy-duty restrictions on your Google account to make it especially difficult for anyone else to gain access — but as a result, it also makes things a bit more difficult for you.

The core part of the Advanced Protection Program is a requirement to have a physical security key the first time you sign into your account on any new device. That means in addition to your password, you’ll need that specific form of two-factor authentication — either an approved key built into your phone or a standalone dongle — in order to access your email, documents, or any other area of your Google account.

As part of the added security, you also won’t be able to connect most third-party apps to your Google account — including those that require access to your Gmail or Google Drive in order to operate. That could create some challenges (such as signing into an Android TV device, curiously enough) and require some compromises (such as no longer being able to use most third-party email clients with Gmail). And if you ever can’t get into your account for any reason, you’ll have to go through an extra-involved, multiday recovery process in order to restore access. You can read more about what the Advanced Protection Program is like to live with in this thoughtful overview.

Ultimately, only you can decide if the added inconveniences are worth the extra assurance. If you want the utmost in security for your Google account, though — and particularly if you’re someone who’s at a higher-than-average risk of being targeted — it’s something well worth considering.

If you do want to make the leap and add this extra layer of intense security onto your Google account, head over to Google’s Advanced Protection Program website to get started. With a personal account, you’ll be able to get yourself up and running in a matter of minutes. With an account that’s part of a paid company Workspace plan, your plan administrator will have to enable Advanced Protection for the organization before you’re able to do it. Once you start the enrollment process, you’ll see pretty quickly if it’s already available for your account or not — and if not, you can contact your company admin to ask about the possibility of allowing it.

And with that, give yourself a pat on the back: Now that these 10 steps are behind you, your Google account security is officially in tiptop shape — and you shouldn’t have to devote an ounce of thought to this area again anytime soon.

Just set yourself a reminder to revisit this page and review the steps within it once a year for good measure. (I’ll continue to update and expand the specific instructions as needed over time.) Do the same with security smarts in other areas — like your Android security settings, if you’re using an Android device of any sort — and then rest easy knowing your most important digital info is as secure as it can possibly be.

This article was originally published in February 2020 and updated in November 2024.

Intel’s $7.9B subsidy deal comes at a high price for the chipmaker

Intel’s $7.86 billion subsidy agreement with the US government imposes strict conditions on the company’s ability to divest stakes in its chipmaking division if the unit becomes independent.

In a recent securities filing, Intel disclosed that it must maintain at least 50.1% ownership of Intel Foundry if the division is spun off as a privately held entity.

If the unit goes public and Intel is no longer the largest stakeholder, the sale of stakes to any single investor would be limited to 35%.

This follows Intel CEO Pat Gelsinger’s September announcement to spin off the company’s chip production division into an independent subsidiary aimed at securing independent funding and optimizing capital structure.

Earlier this week, the US Commerce Department finalized a $7.86 billion subsidy for Intel, reduced from the $8.5 billion announced in March.

This comes as Intel faces heightened scrutiny over its financial challenges, compounded by intensifying competition from AMD and Nvidia in the AI chip market and recent workforce reductions.

Challenges ahead for Intel

The sale restrictions tied to the subsidy underscore the US intention to reinforce domestic semiconductor production under the CHIPS Act.

“The subsidy definitely comes with strings attached and is designed to ensure accountability for the recipient,” said Neil Shah, VP of research and partner at Counterpoint Research. “In this case, it’s Intel, and if a majority shareholder in the future decides not to comply or pivots to a strategy that doesn’t align with the goals of the US CHIPS Act, it could create significant issues.”

The challenge for Intel is securing consistent capital to sustain and grow its foundry business while keeping pace with rival TSMC’s heavy investments.

With its core businesses in PCs and servers underperforming – once key contributors to funding R&D and fabrication infrastructure – Intel’s ability to remain competitive has come under strain.

“The only way to raise capital is to spin off and secure new investors through an IPO or other means, which would dilute Intel’s stake,” Shah said. “To stay competitive, Intel needs to invest tens of billions of dollars annually. These restrictions could leave Intel stuck unless they manage to renegotiate terms with the US government.”

If Intel fails to remain competitive, customers may shift towards competitors like TSMC. This could lead to enterprises becoming more dependent on infrastructure and devices built with chips primarily produced by TSMC, further strengthening TSMC’s market position.

This shift could drive up chip prices, diminishing the purchasing power of enterprises and their equipment suppliers. It could also negatively impact US efforts to achieve leadership in semiconductor manufacturing.

“While such restrictions could enhance resilience against global supply chain disruptions and strengthen the US semiconductor ecosystem, it might come at the expense of slower scalability,” said Manish Rawat, semiconductor analyst at TechInsights.

Implications for enterprises

For enterprise customers, the restrictions bring both challenges and opportunities, according to Rawat. Intel’s limited access to external investors and potential delays in scaling its foundry operations could raise supply chain reliability concerns during peak demand.

“This could create uncertainties for customers relying on Intel for advanced manufacturing to meet their future technology needs,” Rawat said. “Additionally, concerns may arise over the foundry’s long-term strategic direction. If Intel Foundry’s ownership structure lacks the flexibility to adapt to market conditions, enterprise customers could experience disruptions in semiconductor supply reliability, particularly if Intel struggles to keep up with demand.”

On the other hand, a US-centric Intel Foundry could boost confidence among enterprises prioritizing supply chain security and adherence to “buy American” policies amid escalating geopolitical tensions. “This shift could also strengthen the domestic semiconductor supply chain, providing significant benefits, especially for industries involved in critical defense and national security-related applications,” Rawat added.

Judge won’t alter Google antitrust trial dates to accommodate Trump DOJ’s proposal

A US federal judge indicated that the trial addressing the Department of Justice’s proposals to curb Google’s dominance in online search will proceed as scheduled in April 2025, even if DOJ officials under President-elect Donald Trump seek to revise the remedies.

The move signals the urgency in resolving the case, which could lead to a historic shake-up of the tech giant’s operations, Reuters reported.

US District Judge Amit Mehta, overseeing the case in Washington, confirmed Tuesday that the trial will proceed as scheduled despite potential changes in DOJ leadership and priorities under President-elect Donald Trump’s administration.

“If there is going to be a re-evaluation of the remedies that are being requested, it needs to be done quickly,” the report said, quoting Judge Mehta from a hearing.

The DOJ has proposed sweeping remedies to curb Google’s influence, including a forced divestiture of its Chrome browser and potentially its Android operating system. Both products serve as critical distribution channels for Google Search, a service found to operate as an illegal monopoly in Mehta’s August ruling.

For context, Trump is likely to pursue ongoing lawsuits against Big Tech, several of which originated during his first term. However, his recent remarks expressing skepticism about a potential Google breakup underscore the significant influence he will wield in shaping the direction of these cases.

“If you do that (splitting Google), are you going to destroy the company? What you can do without breaking it up is make sure it’s more fair,” Trump said at an event in Chicago in October.

The Justice Department first filed the antitrust lawsuit against Google in 2020, during former President Donald Trump’s first term. It accused Google of leveraging its dominance in search and advertising markets to stifle competition.

In August 2024, Mehta ruled that Google violated US antitrust laws, setting the stage for the ongoing debate over remedies. The DOJ under President Joe Biden proposed additional measures, including requiring Google to share search data with competitors, limiting investments in rival technologies, and restricting acquisitions of companies in search or query-based AI.

Google’s pushback and trial stakes

Google has sharply criticized the DOJ’s proposals, calling them “staggering” and warning that they could harm American technological leadership. The company argued that measures like forced divestitures and data-sharing mandates could weaken its competitive edge and disrupt the broader digital ecosystem.

“We’ve invested billions of dollars in Chrome and Android. Breaking them would change their business models, raise the cost of devices, and undermine competition with Apple,” Google said in a blog post in October.

The upcoming trial is expected to highlight the role of artificial intelligence in reshaping the online search landscape. Prosecutors plan to call witnesses from major AI players, including OpenAI, Perplexity, Microsoft, and Meta Platforms, to underscore the competitive challenges Google’s practices pose to innovation.

Political dynamics and antitrust implications

President-elect Trump, who expressed skepticism about a Google breakup, has yet to outline his administration’s stance on the DOJ’s proposals. However, Judge Mehta’s decision to maintain the trial timeline suggests limited patience for political recalibrations.

The case represents the most aggressive antitrust action against a tech company since the DOJ’s unsuccessful attempt to break up Microsoft two decades ago. If successful, the remedies could significantly alter the competitive dynamics in online search and advertising markets while setting a precedent for regulating the tech industry.

The trial remains a critical test of the federal government’s ability to rein in Silicon Valley’s most powerful players in an era where technology increasingly shapes global markets.

Nvidia shows off a new genAI model that can create sound and music

Nvidia on Monday showed off a new generative AI (genAI) model that can be used to create all kinds of sounds and music: Fugatto (which stands for Foundational Generative Audio Transformer Opus 1).

By entering a text prompt, a user can make Fugatto create basically any sound, such as a trumpet barking like a dog. The genAI model can also be used to change the dialect of a singer or turn a piano piece into a song, according to Reuters.

Fugatto has been trained on open source data, and there is currently no official release date. However, the idea is that the model will eventually be used in the production of music, films and games.

The video below from Nvidia highlights some of what Fugatto can do.

Will Brazil force Apple to admit App Store defeat?

Brazil’s antitrust body has joined a chorus of regulators to demand that Apple permit external payment methods in iOS apps. It’s just the latest page in an ongoing story, but might be enough to break this camel’s backbone. 

What this means, at the risk of stating the obvious, is that Apple now faces so much pressure to open up to external payment systems, it could finally make sense for it to bite the bullet and open up across all its territories rather than continue to fight. 

Apple has already been forced to open up in this way — and also to third-party app stores — in the EU, and to let US developers sell in-app content outside the App Store. It now faces similar pressure in the UK. But while it resists each of these moves, there is a cost to the company in legal fees and reputational damage attached to each battle in this conflict — at some point, it might make better business sense to cede the field.

A potential opportunity

While I don’t expect Apple is at all thrilled at how these cookies are crumbling, perhaps there is a way to turn all of this adversity into opportunity. If there’s ever been a time to add features and improvements to the payment systems Apple already provides, this is it.

It might also be time for Apple to take its payments infrastructure to other platforms and markets. Why shouldn’t you be able to pay for Android apps using Apple’s payment systems? Why not offer Apple payments to gamers from within Fortnite? Why not turn payments into products and grab an Apple-sized slice of the wider payments pie?

Customers from inside other ecosystems might be ready to embrace Apple’s rock-solid, highly secure, privacy-first payment system. What I’m saying is that Apple has a unique chance to compete, one from which it can continue to evangelize the advantages of the services (and platforms) it already provides for in-app purchases and everything else.  At the end of the day, the best way to keep people using its payments systems is to convince them that they want to use that system — even if they have a choice of others to use. 

With choice being imposed on the company, the company has an excuse to compete right back at competitors.

Who will lose?

Apple will not be blind to this, but support for external payment systems on its platforms remains very new and is only visible in a small number of markets. Given the potential risks of fraud and worse, it makes sense for Apple (and everyone else) to take a wait-and-see approach to extending this openness to new markets. It is just good practice to monitor what scams, frauds, and other attacks will emerge as third-party services are used on iOS in the EU. It’s not inconceivable that part of Apple’s reluctance to open up more widely yet (other than the money) is a desire to assess the perils and pitfalls of doing so — a trial in which Apple’s European customers are the crash test dummies.

But regulators don’t seem terribly keen to wait and see. Regulators in India, Brazil, the UK, the US, Japan, South Korea, and elsewhere now seem to agree that Apple must lift restrictions on payment methods for in-app purchases. It’s going to happen in the end.

What price platform integrity?

Even then, another problem Apple faces is that each nation could demand slightly different approaches to lifting those restrictions. The problem is that there is a development and infrastructure support cost, not to mention legal expenses, to each of those dictated approaches. What that means is that the less harmonious Apple lets payments on iOS become, the higher the cost of business.

To avoid weakening the platform with a thousand cuts, it just makes more sense to lift the restrictions internationally, while also putting in place firm safeguards that permit Apple to swiftly remove any payment services identified as fraudulent or lax in security from its platforms. 

Now, I’m on the record arguing that I think there is a very high probability that once payment systems in apps are opened up this way we will see fraud, identity theft, and other forms of financial crime affect Apple’s so-far highly secure platform. I think that’s inevitable.

Consumers will be damaged, and in the case of those using non-Apple payment services or app stores they cannot expect to get support from Apple. They may have accessed a non-Apple service on an Apple device, but the exchange will be between them and the service, not them and Apple. There will be confusion and broken hearts. This is what will happen.

Managed decline

But Apple can manage the experience and focus on showing the many ways it offers a better and safer system to use. It also means bowing to the inevitable and building something that satisfies regulators enough that they don’t choose to force Apple to build a system that dilutes its own platform. 

So, why has Apple resisted so much? Perhaps because it knows there are other criticisms reaching the anti-trust runway. Perhaps it feels that it makes sense to put up a fight on this particular hill in order to give it time to shore up better defenses on the other hills it currently holds.

All the same, the judgment coming out of Brazil suggests the company is running out of time to prepare for other battles, and now might be time to concede on this particular point. Despite which, if I were in Apple’s (or a regulator’s) shoes, I’d still try to delay any such move until the first casualties from the European experiment are identified and lessons learned.


The biggest IT threat? That seemingly innocuous web browser

For decades, enterprises have allowed their workers to use whatever free browser they wanted to access the most sensitive files possible. CIOs believed that security software in the environment — such as endpoint security apps or supposedly secure web gateways — would deliver any needed protections.

And until 2020, that view was somewhat valid. But when various pandemic-fueled changes hit the workplace, almost everything changed. Browser exposure became far more dangerous, yet the shift was so gradual that almost no one in IT noticed any danger. Those changes included massive numbers of new remote sites; skyrocketing shifts away from on-premises tools and apps to the cloud; and far more SaaS deployments.

The browser issue here actually arises from two distinct problems: virtually no limits on which browser can be used and no protections at the enterprise level that sit atop those browsers. 

The first is the most bizarre. 

Somehow, IT permits any browser to be used in their sensitive environments. Can you imagine that being permitted for anything else? How many CIOs would tell workers they can use whichever VPN app they want, including free consumer-grade VPNs? Would an enterprise CIO be OK with someone in finance ignoring the corporate license for Excel and instead opting to put sensitive payroll details into a freeware spreadsheet found at a gaming site in China? Or maybe an employee could forego a company-paid Zoom account for discussions of that upcoming acquisition and use a freebie service no one’s ever heard of? 


IT typically maintains strict controls over all software that touches their privileged areas, but browsers are a security free-for-all?

Let’s delve briefly into the history. When graphical browsers first moved into the enterprise in large numbers (don’t forget that the earliest browsers, such as Cello and Lynx, were pure text) around 1994, the goal was to make it as easy as possible for people to interact with the web. The internet at that point had been around for decades, but the web had only recently become popularized. 

The problem is that as environments became exponentially more complex and access to ultra-sensitive data soared, IT didn’t stop to reconsider ancient browser policies. 

If IT admins were to choose one specific browser to mandate, controls would become light-years easier. They could even require users to access the latest version from IT, allowing for updates to be strictly maintained. Internal web pages could be designed for that browser, making it far more likely to deliver an identical experience for all users. 

I routinely run into secure areas where critical text (such as the “next” button) is offscreen. That means trying three or four browsers until one works. Imagine that problem disappearing simply by mandating one browser for all. 

That kind of corporate mandate brings up a few issues:

  • Desktop vs. mobile. Some enterprises might need to consider standardizing on one browser for desktop and possibly a different browser for mobile. 
  • IT political issues. Some of the browsers with major market share are deeply integrated with one vendor’s environments, such as Google Chrome and Microsoft Edge. Depending on how your environments are integrated with different platforms, this could be an issue. 
  • Compliance. Some of the browser makers are more aggressive at pushing privacy and other data boundaries, especially when generative AI is involved. Standardizing on one of those might lead to corporate compliance issues, especially if you have a substantial presence in Western Europe, Australia or Canada. 
  • Geography. Beyond the compliance issues, there are language and other regional support issues to consider, especially if you have a major presence in Asia. 

That brings us to problem two. Browsers were never designed to be even a little bit secure in the early days — and not much has changed today. That’s why IT needs to insist that something act as a secure layer between your environment and any browser — even your hand-chosen favorite browser. 

Because the needs of every enterprise are different, there’s no one-size-fits-all browser security solution. The browser security layer must play well with your existing systems, and your particular compliance needs — colored by geography and verticals — are critical factors.

“The browser is the number one app that everyone is using. The browsers of today are much more powerful than the older versions,” said Dor Zvi, CEO of security firm Red Access. “They allow you to run JavaScript, login and tokens and render HTML. The browser today is so powerful that it acts almost like an operating system.”

Zvi argues that there is a reason those browser capabilities are so dangerous. 

“A lot of the attacks today can now happen entirely within the browser. It is happening inside the frame of the browser, which means it is not on the network side and not on the endpoint side. The browser now holds the cookies and tokens for all of your applications,” he said. “Let’s say someone is trying to steal my Okta two-factor authentication. [The attacker] can run it by solely using the browser privileges and no one will ever know about it.”

Another problem with allowing any browser from around the world to access your systems involves browser extensions. In the same way Apple and Google can’t adequately police their apps to detect and remove malicious ones, browser teams can’t verify the legitimacy of extensions. A malicious extension often has unlimited access to everything the browser can do or see. That’s why standardizing on one browser is important; it allows IT to also rein in browser extensions.

It’s a lot to think about — but preferably not right before bed. 

For Microsoft, will Trump’s antitrust and environmental views help or harm?

I recently wrote about how President-elect Donald J. Trump’s actions on AI might affect Microsoft. This week, I’m focused on what his antitrust regulation and environmental plans — and the biggest wildcard of all, his personal vendettas — could do to the company. 

What Microsoft can expect from antitrust lawsuits

Trump believes that the less regulation on big business, the better. So you would expect him to put an end to antitrust suits against the tech industry. But that’s not necessarily the case.

There’s no doubt that Lina Khan, the head of the US Federal Trade Commission (FTC) who has aggressively pursued antitrust prosecutions against tech, will be let go after Trump’s election. And many of Trump’s advisers, notably venture capitalist Marc Andreessen, would like to see tech antitrust prosecutions stop.

However, some advisers close to Trump, including Vice President-elect JD Vance, want the administration to take on Big Tech — mainly because they want to stop Meta and other social media companies from policing against misinformation, white supremacism, public-health deceptions and election lies.

Microsoft has largely been spared Khan’s prosecutions, even as the Biden administration has targeted Google, Apple, Meta, and Amazon. The one recent federal antitrust action against Microsoft by the FTC, for buying the gaming giant Activision, didn’t go well for the feds. A judge let the purchase go through, although the FTC has since appealed the case.

That might make you think that Microsoft is in the clear under Trump. But The Washington Post reports the FTC will be investigating Microsoft’s cloud business for anticompetitive practices. In addition, the FTC appeal of the Activision case still stands, so that case could be revived.

Trump could demand that whomever he appoints to head the FTC drop those actions. Odds are, he won’t, thanks to his main tech adviser, entrepreneur Elon Musk. Musk’s AI startup, xAI, competes directly with Microsoft, and is now valued at $50 billion after investments this spring from Andreessen and others. Musk also recently amended an antitrust suit he filed against OpenAI, adding Microsoft as a defendant.

Don’t be surprised if the FTC under Trump not only follows through on Khan’s investigations of Microsoft, but also files an AI suit against the company, thanks to Musk’s influence.

Trump, Microsoft, and climate change

Trump believes climate change is a hoax. He’s vowed to tear up environmental regulations and attack green energy. His campaign slogan, “Drill, Baby, Drill,” and his close friendship with the oil industry make clear that he’ll do everything he can to increase reliance on fossil fuels and kill clean sources of electricity.  

He was also a booster of nuclear power during his first administration, though he wasn’t quite as enthusiastic about it on the campaign trail. Even so, the stock market price of nuclear-power-related companies jumped the day after his election, and most people expect him to be a nuclear backer.

What does this have to do with Microsoft? Plenty. Microsoft has vowed to make itself carbon-negative by 2030, and Trump’s attack on green energy will make it more difficult for the company to find clean energy sources.

Exacerbating Microsoft’s climate-change challenges is the fact that data centers that power AI require a tremendous amount of electricity. As I’ve noted before, Microsoft might be abandoning its promises to fight climate change because of that. And the company could also pour billions into reviving nuclear energy with a proposed deal to reopen Three Mile Island, the site of the worst nuclear power disaster in US history. 

Given Trump’s views about climate change and his support for AI, he’ll most likely do everything he can to give Microsoft and other AI companies all the electricity they want no matter the effect on the environment. And he’ll also likely let them go full speed ahead with nuclear power. In fact, Microsoft President Brad Smith recently said he expects Trump to cut environmental regulations to provide Microsoft with all the electricity it wants for its AI data centers.

Gregory Allen, director of the Wadhwani AI Center at the Center for Strategic and International Studies — he worked on AI issues at the Department of Defense during the Trump and Biden presidencies — agrees. On a call hosted by The Information, he said Trump “can invoke emergency powers and waive a lot of environmental regulations to allow people to build new nuclear and other electrical generation capacity in order to power the big data centers that folks want for these advanced AI models.”

He added that he expects that to happen “pretty early in the Trump Administration.”

Trump’s vendettas and grievances

The president-elect is driven by vendettas and grievances more than he is by policy. And when it comes to tech, he has plenty of them.

In the 2020 election, Meta founder Mark Zuckerberg and his wife started a foundation “to ensure that everyone can vote and every vote can be counted.” Since then, Trump threatened to investigate him and send him to jail if re-elected, saying, “We are watching him closely, and if he does anything illegal this time, he will spend the rest of his life in prison.” 

Zuckerberg got the message, offering accolades, saying after last summer’s assassination attempt, “Seeing Donald Trump get up after getting shot in the face and pump his fist in the air with the American flag is one of the most badass things I’ve ever seen in my life…. On some level as an American, it’s like hard to not get kind of emotional about that spirit and that fight, and I think that that’s why a lot of people like the guy.”

Then there’s Amazon founder and Washington Post owner Jeff Bezos. When Trump was president, he frequently took aim at Amazon and Bezos because the Post published articles that angered Trump. He didn’t just criticize and threaten him; Trump also yanked a multi-billion-dollar cloud contract with the Defense Department from Amazon.

This time around, Bezos is doing Trump’s bidding. He canceled the Post’s planned endorsement of Vice President Kamala Harris even though the newspaper has endorsed candidates for president for decades. After Trump was elected, Bezos praised him, writing on X, “Big congratulations to our 45th and now 47th President on an extraordinary political comeback and decisive victory.”

Those are just two of the tech titans who have praised Trump even though he had targeted them. Microsoft CEO Satya Nadella has so far managed to avoid getting on Trump’s bad side. He hasn’t gone out of his way to praise the president-elect, either, offering Trump only a pro forma congratulation after the election.

But with Musk as a Trump adviser, and what will likely be a big focus on AI in the new administration, it’s not clear whether Nadella will be able to stay out of Trump’s crosshairs. What’s also not clear is how Nadella will react if Trump threatens him — and how that might affect Microsoft’s financial future and its sense of itself as a moral company.