All IT providers, from the Systems Administrators at Fortune 500 companies to Managed Services Providers (like me) who help small business owners, have a competing set of objectives. One is to satisfy the technological and business requirements of their clients. The other is to work within the constraints (sometimes edicts) of the vendors they use to provide and build those business solutions.

The most significant “elephant in the room” is inevitably Microsoft. Just when everyone took time over the recent year-end holidays to relax after the massive effort to migrate from Windows 10 to 11, the calendar page flipped to 2026, and the meme associated with the phrase, “objects in mirror are closer than they appear,” took on new meaning.

Microsoft identifies dates well in advance for the end of support (or end of life, EOL). In the coming year, several significant events are scheduled for October. The first is that Office 2021 will reach EOL. This stalwart is the one-time installation software that has been available as a long-term license (rather than subscription). It has been superseded by Office 2024.

And within the Office family, Microsoft has also issued a death knell for Publisher. This product is no longer available in the Office 2024 edition, and Microsoft will remove it from all Office 365 subscriptions (in which it still exists) in October 2026. I hate that decision because I create all of my client-facing documents in Publisher, including this newsletter. There are very few alternatives I need to investigate (and learn), but more on that next month.

Also, in October, Microsoft will end support for Windows 11 version 24H2. I will ensure that all clients running this version of the operating system receive the recently released 25H2 update in late August or early September to maintain support and security (including monthly updates).

The subsequent entry on a longer-term calendar is the January 2027 end-of-life for Windows Server 2016. What I learned from a recent event (Windows Server 2012 went EOL in October 2023) is that many organizations — more than I ever expected — held on to ancient hardware for as long as possible, even if it slowed down their entire operations.

I understand trying to wring the last vestige of usefulness out of a hardware device that initially cost thousands of dollars. But the cost was amortized, and the device was fully paid off long ago. And yet, when it comes time now to replace a Windows Server 2016 with a new server, with the rapidly rising price of memory (RAM), business owners are going to be shocked out of their chaise by the prices of new Windows Servers.

While I do not like churn (of either hardware or software) for its own sake, in most cases, new hardware performs significantly better than older hardware — even if the old hardware has not broken. Similarly, newer software — despite the incessant push to include AI — offers features and benefits for anyone interested in taking advantage of them.

If all you use is a web browser to read your email and go to websites, you can use your phone. But if you have a line-of-business application that is still server-based, you will need new hardware. Dell is pricing its Windows Servers at astronomical prices, and things are going wild!

In a recent Reddit post, another MSP stated that on Wednesday, their Dell representative could not honor a Monday quote for a pre-configured server. He was questioning the community to see if this is “real or Memorex.”

The first response came from someone in the industry, who said, “I quoted [a] customer yesterday about 900 USD per 64GB RAM stick. Today, new pricing came in… 1600 USD per stick. Our quotes are valid for a day, it’s so crazy atm” [atm means “at the moment”].

Can you imagine seeing a nearly 80% price increase in something within one or two days? That is the current — and rather unfortunate — state of the world.

Having said that, I am thrilled that I was able to upgrade more than 95% of my clients’ computers to Windows 11 machines last year. Those who must upgrade this year — due to age or lack of warranty — I’m warning you now, you will pay significantly more.

What Not to Do When You Have a Data Breach

Sax LLP (“Sax”), also known as Sax Advisory Group, disclosed in December 2025 a 2024 data breach that affected its systems. Yes, more than a year and a half after the “unusual network activity” in August 2024, the firm notified almost a quarter of a million individuals that their information was exposed. Compromised information included name, date of birth, Social Security number, driver’s license information, and passport number.

I don’t think anyone affected is feeling very good about this. If I were a victim, I’d be screaming to the heavens about why it took so long between identifying the breach and notifying those affected — especially given the range of information that was exfiltrated. This breach is an awful case where identity theft could run rampant for these victims.

Thanks, and safe computing!

Password managers are programs that let you store an ever-growing list of online credentials in a safe location. These programs remove the need to record this information insecurely, such as by emailing it or writing it on Post-it Notes.

Many security experts advise clients to use these programs as part of best security practices because they also let you create strong and unique passwords for each online account you have. Additionally, some programs alert you if you duplicate a password across different accounts and can notify you if your password has appeared in a known data breach.

However, if your program’s secure vault is compromised, it potentially puts every one of your online accounts at risk of compromise. This issue drew my attention following last year’s extensive LastPass breach incident.

In 2022, there were multiple breaches at LastPass. In addition to putting the response and actions of LastPass under the spotlight, the incidents have raised questions over the safety of storing multiple login credentials on password managers altogether.

LastPass announced in late August 2022 that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” This enabled the attacker to take portions of source code and some proprietary LastPass technical information.

After conducting an investigation and forensic review, LastPass said it found no further evidence of activity from the threat actor. The unauthorized access was limited to its development system, which is “physically separated” from its production environment.

At the end of November, they made another announcement that an unauthorized party had gained access to a third-party cloud storage device. This new breach was enabled by the information gained by the attacker during the original August incident.

And a few days before Christmas, the firm informed users that attackers had accessed encrypted customer data (username, password, and notes) and unencrypted data (the website addresses of customers’ online accounts).

Do I believe you should keep your LastPass account following this last episode? No, but the damage has already been done. There is a high likelihood that your account may have been compromised. But if you want to continue to use LastPass, there are three things you must do.

  • First, you must strengthen your master password and ensure it is unique, long, and complex.
  • Second, as an extra security precaution, you should change the passwords for the websites you have stored in the service.
  • Third, you should be on the lookout for targeted phishing attempts in the coming months, now that the attackers have accessed your unencrypted contact information and websites.

I have reviewed these services over the years and have not found one I have felt entirely comfortable using – and I have not only my accounts to manage but many of my clients’ accounts. I hate to say it, but the safest and most secure way of managing your passwords is to use a notebook and write them down.

If you use a document or spreadsheet and your computer is ever compromised, you will lose that information, and bad actors will use it against you.

What is the best way to implement this Luddite approach? Have one page per account, and write the name and website address at the top. Have a one-line entry per password, preferably with the date you first used it. If you must change a password, cross out that line, and write a new one along with the date you created it.

The more complex we have made our lives by thinking that computers would make things easier for us, the more I think we need to use simple methods to maintain our security.

In 2017, there was a security breach at the credit reporting firm, Equifax. This breach was significant news at the time, and by 2019 the company agreed to a $425 million settlement of several class action lawsuits. They offered credit monitoring or a cash award of up to $125. At the time, I recommended the former.

In the closing days of December 2022, Equifax began to issue those cash awards. Many people found the amount they received laughable (e.g., most claimed to receive less than $10). However, scammers immediately went on the alert and into action. The website DomainTools.com reported that several new domain names closely resembling the legitimate one had been registered in just a few days. The valid website name is equifaxbreachsettlement.com. Fake versions include equifaxbreechsettlement.com, equifaxbreachsettlementbreach.com, and equifaxsettlements.co.

If you get an email notification about payment, do not click on the link in the email. It would be best if you went directly to the legitimate website and manually entered the keycode shown in your email. These instructions also apply if you get a letter in the mail.
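
A mail filter or help-desk script can apply the same rule to any link found in a settlement email: accept only the exact valid domain and flag near-misses. The Python below is an added example, not part of the original newsletter; the brand-word list, the two-edit threshold, and the example.net and example.org hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LEGIT = "equifaxbreachsettlement.com"    # the valid site named in the article
BRAND_WORDS = ("equifax", "settlement")  # assumption: words a copycat reuses

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only two rows of the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is legitimate, lookalike or other."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:                   # e.g. a malformed IPv6 literal
        return "other", "unparseable URL"
    # Only the exact domain, or a subdomain of it such as www., is accepted.
    if host == LEGIT or host.endswith("." + LEGIT):
        return "legitimate", "exact settlement domain"
    # Naive registrable domain: last two labels (ignores suffixes like .co.uk).
    base = ".".join(host.split(".")[-2:])
    dist = edit_distance(base, LEGIT)
    if dist <= 2:                        # assumption: two edits is "a typo"
        return "lookalike", f"{base} is {dist} edit(s) from {LEGIT}"
    if all(word in host for word in BRAND_WORDS):
        return "lookalike", "brand words in a different domain"
    return "other", "unrelated host"

# Constructed sample links; the three fake hosts are the ones the article lists.
SAMPLES = [
    "https://www.equifaxbreachsettlement.com/file-a-claim",
    "http://equifaxbreechsettlement.com/pay",
    "http://equifaxbreachsettlementbreach.com/pay",
    "https://equifaxsettlements.co/claim",
    "https://equifaxbreachsettlement.com.example.net/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), link)
```

The edit-distance rule catches the one-letter “breech” misspelling, while the brand-word rule catches the two fakes that add or drop whole words and would slip past a small typo threshold.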

Of course, because everyone’s information was made publicly available, scammers know who you are. If you get an email that seems slightly off and want to learn if it is “real,” please forward it to me for verification. Doing so is not an intrusion on my time. I would much rather spend a minute or two to review the contents of an email, than spend several hours — or days — working to restore your stolen identity.

Thanks, and safe computing!

At the end of July 2019, most of you probably heard about a data breach at Capital One. More than 100 million people in the United States and Canada were affected by this event. Thankfully, as of this writing (mid-August), very little of the information was made available to the normal group of bad actors who dwell in the Dark Web. This breach was simply the work of a zealous former Amazon Web Services employee who knew that there was a way to access the data. Pretty freakin’ scary!

To make matters worse, the woman who performed this hack had also obtained information from other organizations. Somehow she made the monumental mistake of publicizing those details. I’m not sure what — or even if — she was thinking. But the fact that someone has the wherewithal to accomplish these feats of what most of us consider the “dark arts” of computing is supremely unsettling.

Why anyone would want to subject themselves to the notoriety of having accomplished this act, when there was no useful purpose, confounds me.

Around the same time, the Federal Trade Commission concluded its work with Equifax and fined them close to $700 million. Almost immediately afterwards, so-called “consumer advocates” started a loud chorus of “Sign up and get your $125 from Equifax!” on news stations and social media.

They did this without telling people that the “fine print” of the FTC agreement said there was only $31 million in that particular reward pot. So if just half of the more than 146 million affected individuals filed a claim, each one would end up with about 42 cents. That is sheer stupidity!

The best approach for dealing with this debacle is to sign up for the free credit monitoring that is being offered. It is supposed to last for 10 years. Do that here: https://www.equifaxbreachsettlement.com/file-a-claim.

Even though other forms of free monitoring are available, you usually only get one year. It is in your best interest — given the extent of the potential damage caused by the Equifax breach — to take the longest possible term of protection available.