More stories

    Nasty Zyxel remote execution bug is being exploited

    Written by Chris Duckett, APAC Editor

    At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow an unauthenticated remote attacker to execute code as the nobody user. The programming issue was a lack of input sanitisation: two fields passed to a CGI handler were fed into system calls. The impacted models were its VPN and ATP series, and USG 100(W), 200, 500, 700, and Flex 50(W)/USG20(W)-VPN.

    At the time, Rapid7 said Shodan had found 15,000 affected devices on the internet. However, over the weekend, the Shadowserver Foundation boosted that number to over 20,800. “Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K),” it tweeted. The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately.

    After Rapid7 reported the vulnerability on April 13, the Taiwanese hardware maker silently released patches on April 28. Rapid7 only realised the release had happened on May 9, and eventually published its blog and Metasploit module alongside the Zyxel notice; it was not happy with the timeline of events.

    “This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this,” wrote Jake Baines, the Rapid7 researcher who discovered the bug. “Therefore, we’re releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.”

    For its part, Zyxel claimed there was a “miscommunication during the disclosure coordination process” and that it “always follows the principles of coordinated disclosure”.

    At the end of March, Zyxel published an advisory for another CVSS 9.8 vulnerability in its CGI program that could allow an attacker to bypass authentication and gain administrative access on the device.
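The bug class described above (request fields reaching a system call without sanitisation) is easier to see with the vulnerable pattern next to its fix. The following is an added illustration, not Zyxel's or Rapid7's code: the handler, the field names, the interface naming rule and the ping command are hypothetical stand-ins, and the request samples are constructed.

```python
"""Command-injection pattern behind the Zyxel CGI bug, as an added illustration.

This is not Zyxel's code: the handler, field names and the ping command are
hypothetical stand-ins for "two fields passed to a CGI handler being fed into
system calls".
"""
import ipaddress
import re
import subprocess

# Constructed request fields (names are hypothetical, not Zyxel's parameters).
SAMPLE_GOOD = {"target": "192.0.2.10", "iface": "wan1"}
SAMPLE_BAD = {"target": "192.0.2.10; echo injected", "iface": "wan1"}

# Assumed interface naming convention for the allow-list check.
IFACE_RE = re.compile(r"^[a-z]+[0-9]{0,2}$")


def build_command_unsafe(fields: dict) -> str:
    """Vulnerable pattern: request fields interpolated into one shell string.

    When this string reaches system() or shell=True, a ';' in either field
    terminates the intended command and starts another.
    """
    return f"ping -c 1 -I {fields['iface']} {fields['target']}"


def validate_fields(fields: dict) -> dict:
    """Allow-list validation: each field must be exactly the type expected."""
    # ip_address() raises ValueError for anything that is not a literal IP.
    target = str(ipaddress.ip_address(fields["target"]))
    iface = fields["iface"]
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"invalid interface name: {iface!r}")
    return {"target": target, "iface": iface}


def build_command_safe(fields: dict) -> list:
    """Hardened pattern: validated values go into an argv list, never a shell."""
    clean = validate_fields(fields)
    return ["ping", "-c", "1", "-I", clean["iface"], clean["target"]]


def accepts(fields: dict) -> bool:
    """True if the hardened handler would act on these fields at all."""
    try:
        validate_fields(fields)
    except ValueError:
        return False
    return True


def looks_injected(fields: dict) -> bool:
    """Detection helper for request logs: flags shell metacharacters in any field."""
    meta = set(";|&$`<>()\n")
    return any(ch in meta for value in fields.values() for ch in str(value))


def run_safe(fields: dict) -> subprocess.CompletedProcess:
    """shell=False passes the argv list straight to the executable."""
    return subprocess.run(build_command_safe(fields), capture_output=True, check=False)


if __name__ == "__main__":
    for name, fields in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "accepted" if accepts(fields) else "rejected",
              "| suspicious" if looks_injected(fields) else "")
```

The two defences are independent: the allow-list rejects anything that is not literally an IP address or an interface name, and the argv form means that even a value that slipped through would be handed to the executable as a single argument rather than parsed by a shell. The `looks_injected` helper is the kind of check a defender can run over CGI request logs when deciding whether exploitation was attempted before the patch went on.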

    Does Best Buy tackle crime differently from Apple? I had to ask

    Best defense?
    sfe-co2 / Getty Images
    Some things about it didn’t feel quite right. Other things about it felt very right indeed.


    So I stared and stared again, wondering whether it was a setup or a skit even. Here was a video emitted on Twitter. It showed three sprightly youths storming a Best Buy. They tried to rip some phones from a display. It really wasn’t going perfectly. Those security cords can be sturdy. Meanwhile, seven Best Buy employees began to line up in the aisles as if they were an NFL defense in an attempt to block the shoplifters from leaving the store. Sadly, the video stopped before viewers could see if any tackles were made or any penalties were called. Millions, though, watched in wonder and wondered.

    I was one, of course. So I immediately asked Best Buy whether its policy allowed, or even encouraged, employees to block and, perhaps, tackle. Apple’s policy, for example, is very clear: let them take what they can and don’t intervene. However, at some Apple stores, there’s uniformed security on hand to do the professional intervening.

    I waited for Best Buy to get back to me. I felt sure it would. I’ve always found its customer service to be quite stellar. However, nothing came. Had the company been caught out of position? Had the matter gone to replay? How could I get some answers?

    Naturally, I did the obvious. I showed the video to a Best Buy employee — oddly, he hadn’t yet seen it — and asked him whether, perhaps, he’d had special NFL-type training as part of his store induction. I asked in a relatively serious manner, you understand. In such shoplifting situations, violence could easily ensue.

    This Best Buy employee — let’s call him Freddy — watched the video twice. Finally, he said: “Nooooo. That’s not allowed.”

    “So you’re specifically told not to engage with shoplifters?” I asked.

    “Correct,” Freddy said. “There’s no way I’d even want to. What’s the point?”

    Many retailers will fire employees if they attempt to capture a shoplifter. Home Depot, for example, once fired four employees who thought they were doing the retailer a favor by chasing after a shoplifter.

    Freddy explained that it’s not as if the products belong to him but to a large corporation. But then he stopped to consider something. “If I did try to stop a shoplifter, I wonder what the legal situation would be,” he said. What if, he mused, he tackled a shoplifter and injured them? Would he then be liable? Would the shoplifter sue? (This is America. Of course, they would.)

    I’ve not seen any Best Buy post uniformed security outside its stores, but the company does employ them at certain locations. Best Buy’s CEO, Corie Barry, sees shoplifting as a big problem. Last November, she told CNBC: “When we talk about why there are so many people looking for other jobs or switching careers, this… play[s] into my concerns for our people because, again, priority one is just human safety.” She specifically referenced San Francisco — and California in general.

    As I write, it’s unknown what did — or may — happen to the Best Buy NFL-style defenders. It’s hard to imagine this was a spontaneous action. It’s easier to imagine that they’d prepared, at least a little. I wonder what happened to the shoplifters too. The phones they ripped out are instantly useless.

    Singapore launches safety rating scheme for e-commerce sites

    Written by Eileen Yu, Contributor

    Singapore has launched a rating scheme that assesses e-commerce marketplaces based on their anti-scam measures. Its technical guidelines for online transactions have also been updated to offer more details on safeguarding against scams.

    The E-commerce Marketplace Transaction Safety Ratings (TSR) aimed to evaluate the extent to which these platforms had implemented anti-scam measures that ensured, amongst others, user authenticity, transaction safety, and availability of loss remediation channels for consumers. For instance, e-commerce marketplaces would be assessed on whether they had measures in place to verify sellers’ identity and were continuously monitoring for fraudulent seller behaviour. The platforms also would be rated on the use of secure payment tools for transactions as well as the availability of dispute reporting and resolution mechanisms.

    The information served to alert users on the safety of transacting with these online sites, said the Ministry of Home Affairs and Singapore Standards Council in a joint statement Saturday. The ratings covered “major e-commerce marketplaces” that facilitated transactions between multiple sellers and buyers, with “significant” local reach or a significant number of reported e-commerce scams. The lowest rating clocks in at one tick, while the scale tops out at four ticks. E-commerce marketplaces with all critical anti-scam measures in place were awarded the highest four-tick rating, according to the ministry. TSR ratings are reviewed every year.

    The current list has given Facebook Marketplace the lowest rating of one tick, while Carousell has two ticks, Shopee has three, and Qoo10 has four ticks alongside Amazon and Lazada.

    To further enhance anti-scam protection, the national standard for e-commerce transactions has also been updated to include additional guidelines for online retailers and marketplaces. The latest Technical Reference 76, which was first released in June 2020, encompassed best practices to secure different areas of online transactions, spanning pre-, during- and post-purchase activities, customer support, and merchant verification. E-marketplaces, for example, should look at implementing pre-emptive safeguards against fraudulent merchants on their platforms, such as activating early warning mechanisms when non-verified devices were used to access the account. Merchants deemed to be a fraud risk also should be blacklisted on the marketplace, restricting their activities on the platform or raising the customer’s awareness of the risks involved.

    “The [TR76] intent is to better enable merchant authenticity, improve transaction security, and aid enforcement against e-commerce scams,” said the Ministry of Home Affairs and Singapore Standards Council, adding that the additional guidelines were part of the safety features rated in the TSR. “Generally, e-commerce marketplaces that adopt TR76 guidelines would score better on the TSR.”

    Singapore in the last couple of years has intensified its efforts in improving underlying infrastructures that it believes will pave the way for the country to become a global and regional e-commerce hub. The country’s “five-pronged” strategy to do so includes building out the local 5G networks, supply chain capabilities, and payment platforms. The Monetary Authority of Singapore (MAS) in February said it was working on a liability framework that detailed how losses from online scams would be shared amongst key parties in the ecosystem, stressing that victims of such scams should not assume they would be able to recover their losses. This framework would operate on the basis that all parties had responsibilities to be vigilant and take precautions against scams, MAS said.

    White House joins OpenSSF and the Linux Foundation in securing open-source software

    Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they’re calling for $150 million in funding over two years to fix ten major open-source security problems.


    They’ll need every penny of it and more. The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, “I want to be clear: We’re not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful.”

    Here are the ten goals the open-source industry is committed to meeting:

    1. Security Education: Deliver baseline secure software development education and certification to all.
    2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
    3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
    4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
    5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
    6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
    7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
    8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
    9. Software Bill of Materials (SBOMs) Everywhere: Improve SBOM tooling and training to drive adoption.
    10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.

    I’ll go into more detail about those in later stories, but even at a glance, this is a massive undertaking. For instance, C, which is core to the Linux kernel, the most important of all open-source projects, has many vulnerabilities within it. While the memory-safe Rust language is now being used in Linux, it’s years, decades away, from replacing C in Linux’s over 27.8 million lines of code. Indeed, I doubt we’ll ever see all of Linux’s C code replaced by Rust.

    We’re already close to solving some of the others. The open-source security company Chainguard is calling on the software industry to standardize on Sigstore. Sigstore enables developers to securely sign software artifacts such as release files, container images, binaries, bills of materials manifests, and more. This Linux Foundation project is backed by Google, Red Hat, and Purdue University.

    Sigstore has several great features. These include:

    • Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.
    • Sigstore’s public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.
    • Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files, and policy bundles) and OpenID Connect (OIDC), means it integrates seamlessly with other tools and services.
    • The active, open-source, vendor-neutral Sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.

    Indeed, Kubernetes has already adopted Sigstore. In brief, it makes it simple to adopt a secure digital signature for your code. Then, the programmers who use your code can be sure it really is the code they want and can trust. This is essential.

    As Stephen Chin, VP of Developer Relations at software supply chain security company JFrog, said, “While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories.”

    Of course, there will always be bugs. As Behlendorf said, “Software will never be perfect. The only software that doesn’t have any bugs is software with no users.”

    These ransomware attackers sent their ransom note to the victim's printer

    A hacking group which conducts cyber espionage campaigns and ransomware attacks is targeting organisations in Europe and the United States. Cybersecurity researchers at Secureworks have detailed a string of cyber attacks involving ransomware and data theft which took place in early 2022, attributing them to an Iranian hacking group they refer to as Cobalt Mirage – also known as APT35, Charming Kitten, Phosphorus and TA453 by other research groups.

    Among the attacks is an incident targeting a US local government network in March 2022, which Secureworks researchers have attributed to Cobalt Mirage due to hallmarks of previously uncovered attacks by the group. These include exploiting the ProxyShell vulnerabilities to deploy Fast Reverse Proxy client (FRPC) and enable remote access to vulnerable systems, along with use of infrastructure that matches patterns associated with the threat group.

    While the initial means of compromise in this attack is still unclear, researchers note how the attackers likely exploited unpatched Log4j vulnerabilities despite a patch being available. There’s evidence that this initial exploitation may have occurred as early as January 2022. Most of the intrusion activity spanned a four-day period in March, with the key aim of the activity based around scanning the network and stealing data – researchers note that this is strange, as, like other attacks detected during the period, the targets had no strategic or political value to Iran.

    After the March 2022 intrusion was detected and disrupted, no further malicious activity was observed. Researchers suggest that the main motivation behind this attack, and others, is financial gain, but it’s unclear how exactly the attackers would look to profit from it.

    “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited,” Secureworks Counter Threat Unit (CTU) researchers wrote in a blog post.

    No ransomware was deployed in the attack against the undisclosed US local government victim, but researchers note that Cobalt Mirage does engage in ransomware attacks – as another victim, described as ‘a U.S. philanthropic organization’, discovered in January. According to Secureworks researchers who investigated the incident, attackers used ProxyShell and Microsoft Exchange vulnerabilities to move around the network and remotely gain access to accounts, before eventually triggering a BitLocker ransomware attack.

    Unusually, the ransom note was sent to a printer on the network and printed out on paper, detailing an email address and contact details. While Cobalt Mirage has links to state-backed hacking operations, in this case, the ransomware is being deployed as a purely financially motivated attack. Ransom notes are more typically left either on screens or on servers.

    “The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer. The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data,” the security researchers said.

    In both incidents detailed by researchers, attackers were able to gain access to networks by exploiting unpatched critical cybersecurity vulnerabilities. In order to protect networks against cyber attacks, it’s recommended that security patches are applied as quickly as possible in order to prevent potential intruders exploiting known vulnerabilities. Researchers also recommend implementing multi-factor authentication, and monitoring for unauthorised or suspicious use of tools and file-sharing services which could indicate attackers are in the network.

    Delete data! Here's the safest way to permanently erase your laptop's drive [Ask ZDNet]

    Welcome to this week’s installment of Ask ZDNet, where we answer the questions that make Dear Abby’s eyes glaze over. In the mailbag this week: What’s the best way to securely erase your PC before selling it or giving it away? How can you fix your weak passwords easily? And why is it so hard to find a laptop with a large display and a touchscreen? If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. We’ll find an outside expert who can steer you in the right direction if they don’t. Questions can cover just about any topic remotely related to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice… well, you get the idea. Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Ask away.

    What’s the best way to permanently delete all the personal files from my laptop before I give it away?

    I am giving away my old Windows laptop to a friend. Before I do that, I want to make sure my personal files are securely erased and completely unrecoverable. Do I need special software for that?

    When you’re getting a PC ready for reuse, the best way to begin is to boot from Windows installation media, remove all existing disk partitions, and then perform a clean install. That option removes any existing personal files, but it doesn’t wipe the disk clean. As a result, it’s possible that someone with advanced technical skills could use forensic tools or data recovery software to access some of the deleted information.

    On modern systems with solid-state drives, you can often find a management utility that includes a Secure Erase command. For Samsung SSDs, use the Samsung Magician program. For Intel SSDs, download and install the Intel Memory and Storage Tool. SSDs from Crucial use the Crucial Storage Executive utility. Microsoft Surface devices support a custom tool called the Microsoft Surface Data Eraser.

    You can also use Windows’ built-in encryption tools to ensure that the entire system drive, including unused disk space, is encrypted before performing a clean install. That extra step requires some additional time, but it ensures that any data recovered from anywhere on the drive will be unreadable. And you don’t need third-party software to get the job done.

    Your system drive is fully encrypted by default if you’ve signed in to Windows with a Microsoft account on a modern device that supports BitLocker Device Encryption (BDE). To confirm that your device supports BDE, run the System Information utility (Msinfo32.exe) as an administrator and check the Device Encryption Support entry at the bottom of the System Summary page.

    On a system running Windows 10 Pro or Windows 11 Pro, you can use the Manage BitLocker utility (type BitLocker in the search box to find it) to encrypt the system drive and any data drives. Be sure to choose the option to encrypt the entire drive and not just the space that currently contains data.

    If Device Encryption isn’t available, open a command prompt using the Run As Administrator option and enter this command:

        Cipher /W:C:

    That command “zeroes out” unused disk space, overwriting it so that it can’t be recovered. This process can take a long time, so consider letting it run overnight while you concentrate on more important tasks.

    My password manager says some of my passwords are weak. Should I be worried?

    I recently started using a password manager, and when I sign in to some sites the program tells me my password is weak. What do I need to do to replace those weak passwords with strong ones?

    If you’ve recently started using a password manager, congratulations! That’s a major step on the road to being more secure. You’re undoubtedly dealing with a collection of credentials you created yourself over the years during this transition. And because human beings are notoriously bad at creating truly random strings of text, those passwords are probably weak, which means they can be easily guessed or are vulnerable to a brute-force attack.

    A weak password is typically too short, is made up of words that can be found in a dictionary, and/or contains all or part of the account name. Even if you did manage to create a truly random, hard-to-guess password, your password manager will flag it if it determines you’ve used it at multiple sites.

    The good news is that your password manager undoubtedly contains a password generator, which you can use to replace those old, weak, insecure passwords. Unfortunately, the process of changing your old passwords is labor-intensive. For each service, you’ll need to find the page where you change your password; use the password generator to create a new, random, unique password and then update the saved entry.

    As a best practice, you should do this as soon as possible for high-value sites like banks, credit card portals, and email and social media accounts. After completing each password change, I recommend that you immediately sign out of the service and sign in again, using your freshly saved password, to confirm that the new password was properly stored.
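The checks the answer lists (length, dictionary words, account name, reuse across sites) are simple enough to run yourself over an exported vault. The script below is an added illustration, not code from any password manager: the 12-character minimum, the tiny word list and the sample vault are all constructed here, and the generator shows the kind of replacement a manager's built-in generator produces.

```python
"""Password audit implementing the weakness checks the answer lists.

Added illustration, not code from any password manager: the thresholds, the
tiny word list and the sample vault are all constructed here.
"""
import re
import secrets
import string

# Constructed sample vault: site -> (account name, password). Not real credentials.
SAMPLE_VAULT = {
    "bank.example": ("alice.smith", "alice2019"),
    "mail.example": ("alice", "Tr0ub4dor&3"),
    "shop.example": ("alice_s", "Tr0ub4dor&3"),
    "forum.example": ("asmith", "correcthorsebatterystaple"),
    "work.example": ("a.smith", "x7$Qm!2pLw9#zR4v"),
}

# Constructed mini word list; a real checker would load a large dictionary.
DICTIONARY = {"password", "horse", "battery", "staple", "correct", "alice", "welcome", "summer"}

MIN_LENGTH = 12  # assumed threshold; managers differ


def weaknesses(account: str, password: str, vault: dict = SAMPLE_VAULT) -> list:
    """Return the reasons a manager would flag this password (empty = strong)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if any(word in lowered for word in DICTIONARY if len(word) >= 4):
        problems.append("dictionary word")
    # Split account names like "alice.smith" and look for any meaningful part.
    for part in re.split(r"[._\-\s@]+", account.lower()):
        if len(part) >= 3 and part in lowered:
            problems.append("contains account name")
            break
    # Reuse is judged across the whole vault, even for otherwise strong passwords.
    reused = sum(1 for _, pw in vault.values() if pw == password)
    if reused > 1:
        problems.append("reused at multiple sites")
    return problems


def audit(vault: dict) -> dict:
    """Map each site to its list of weaknesses."""
    return {site: weaknesses(account, pw, vault) for site, (account, pw) in vault.items()}


def generate_password(length: int = 20) -> str:
    """Random replacement from a CSPRNG, retried until it passes every check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses("", candidate, {}):
            return candidate


if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(f"{site:15} {', '.join(problems) or 'ok'}")
    print("replacement:", generate_password())
```

Note that the reuse check is why a password that passes every other test still gets flagged: `mail.example` and `shop.example` share a credential, so both are reported. The generator draws from `secrets`, not `random`, which is the distinction that matters when the output is meant to resist guessing.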

    Where are all the touchscreen PCs?

    I’ve been shopping for a new laptop with a larger display, at least 16 inches. The extra clunkiness doesn’t bother me as my mobile needs are pretty limited and I’m not a big fan of having an external display. But I’ve been surprised by how many Windows laptops with larger displays don’t come with a touchscreen. It is 2022, right? Am I just looking in the wrong place?

    These days, most mainstream laptops have screens that are 13 or 14 inches in size, measured diagonally. That form factor is the sweet spot for general business use, typically small enough and light enough to be truly portable. At that size, a touchscreen comes in handy occasionally, and it’s usually not an expensive upgrade.

    As you’ve discovered, 16- and 17-inch laptops are not so portable and typically command a premium price. Dell’s new XPS 17 laptop, for example, weighs 4.87 pounds with a non-touchscreen and bulks up to a hefty 5.34 pounds (with a $300 surcharge) if you specify a touchscreen. And this model is considered remarkably light for the category. (Your shoulder may beg to differ.) These devices are generally designed for graphics professionals who use them as desktop replacements and occasionally need to do high-end graphics work on the road.

    Given their size and the fact that most graphics editing tasks require a mouse, a touchscreen on a laptop that large is pretty much a waste of battery power and money. For your use case, I suggest looking at a laptop with a 15-inch screen, like the Dell XPS 15. And if you’re going to use it as a desktop replacement, connected to a docking station with a keyboard and mouse most of the time, skip the touchscreen; choose a less expensive non-touch-enabled display and invest the savings in a discrete GPU.

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.


  • in

    What's the safest way to permanently erase your laptop's drive? [Ask ZDNet]

     On modern systems with solid-state drives, you can often find a management utility that includes a Secure Erase command.
    Getty Images
    Welcome to this week’s installment of Ask ZDNet, where we answer the questions that make Dear Abby’s eyes glaze over. In the mailbag this week: What’s the best way to securely erase your PC before selling it or giving it away? How can you fix your weak passwords easily? And why is it so hard to find a laptop with a large display and a touchscreen? If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. We’ll find an outside expert who can steer you in the right direction if they don’t. Questions can cover just about any remotely related topic to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice… well, you get the idea. Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Ask away. 

    What’s the best way to permanently delete all the personal files from my laptop before I give it away?

    I am giving away my old Windows laptop to a friend. Before I do that, I want to make sure my personal files are securely erased and completely unrecoverable. Do I need special software for that?

    When you’re getting a PC ready for reuse, the best way to begin is to boot from Windows installation media, remove all existing disk partitions, and then perform a clean install. That option removes any existing personal files, but it doesn’t wipe the disk clean. As a result, it’s possible that someone with advanced technical skills could use forensic tools or data recovery software to access some of the deleted information.

    On modern systems with solid-state drives, you can often find a management utility that includes a Secure Erase command. For Samsung SSDs, use the Samsung Magician program. For Intel SSDs, download and install the Intel Memory and Storage Tool. SSDs from Crucial use the Crucial Storage Executive utility. Microsoft Surface devices support a custom tool called the Microsoft Surface Data Eraser.You can also use Windows’ built-in encryption tools to ensure that the entire system drive, including unused disk space, is encrypted before performing a clean install. That extra step requires some additional time, but it ensures that any data recovered from anywhere on the drive will be unreadable. And you don’t need third-party software to get the job done.Your system drive is fully encrypted by default if you’ve signed in to Windows with a Microsoft account on a modern device that supports BitLocker Device Encryption (BDE). To confirm that your device supports BDE, run the System Information utility (Msinfo32.exe) as an administrator and check the Device Encryption Support entry at the bottom of the System Summary page.On a system running Windows 10 Pro or Windows 11 Pro, you can use the Manage BitLocker utility (type BitLocker in the search box to find it) to encrypt the system drive and any data drives. Be sure to choose the option to encrypt the entire drive and not just the space that currently contains data.If Device Encryption isn’t available, open a command prompt using the Run As Administrator option and enter this command:Cipher /W:C:That command “zeroes out” unused disk space, overwriting it so that it can’t be recovered. This process can take a long time, so consider letting it run overnight while you concentrate on more important tasks.Also: The best encryption software: Protect your data

    My password manager says some of my passwords are weak. Should I be worried?

    I recently started using a password manager, and when I sign in to some sites the program tells me my password is weak. What do I need to do to replace those weak passwords with strong ones?

    If you’ve recently started using a password manager, congratulations! That’s a major step on the road to being more secure. You’re undoubtedly dealing with a collection of credentials you created yourself over the years during this transition. And because human beings are notoriously bad at creating truly random strings of text, those passwords are probably weak, which means they can be easily guessed or are vulnerable to a brute-force attack.

    A weak password is typically too short, is made up of words that can be found in a dictionary, and/or contains all or part of the account name. Even if you did manage to create a truly random, hard-to-guess password, your password manager will flag it if it determines you’ve used it at multiple sites.The good news is that your password manager undoubtedly contains a password generator, which you can use to replace those old, weak, insecure passwords. Unfortunately, the process of changing your old passwords is labor-intensive. For each service, you’ll need to find the page where you change your password; use the password generator to create a new, random, unique password and then update the saved entry.As a best practice, you should do this as soon as possible for high-value sites like banks, credit card portals, and email and social media accounts. After completing each password change, I recommend that you immediately sign out of the service and sign in again, using your freshly saved password, to confirm that the new password was properly stored.

    Where are all the touchscreen PCs?

    I’ve been shopping for a new laptop with a larger display, at least 16 inches. The extra clunkiness doesn’t bother me as my mobile needs are pretty limited and I’m not a big fan of having an external display. But I’ve been surprised by how many Windows laptops with larger displays don’t come with a touchscreen. It is 2022, right? Am I just looking in the wrong place?

    These days, most mainstream laptops have screens that are 13 or 14 inches in size, measured diagonally. That form factor is the sweet spot for general business use, typically small enough and light enough to be truly portable. At that size, a touchscreen comes in handy occasionally, and it’s usually not an expensive upgrade.

    As you’ve discovered, 16- and 17-inch laptops are not so portable and typically command a premium price. Dell’s new XPS 17 laptop, for example, weighs 4.87 pounds with a non-touchscreen and bulks up to a hefty 5.34 pounds (with a $300 surcharge) if you specify a touchscreen. And this model is considered remarkably light for the category. (Your shoulder may beg to differ.) These devices are generally designed for graphics professionals who use them as desktop replacements and occasionally need to do high-end graphics work on the road.

    Given their size and the fact that most graphics editing tasks require a mouse, a touchscreen on a laptop that large is pretty much a waste of battery power and money. For your use case, I suggest looking at a laptop with a 15-inch screen, like the Dell XPS 15. And if you’re going to use it as a desktop replacement, connected to a docking station with a keyboard and mouse most of the time, skip the touchscreen; choose a less expensive non-touch-enabled display and invest the savings in a discrete GPU.

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.

  • in

    Just in time? Bosses are finally waking up to the cybersecurity threat

    Boardrooms have a reputation for not paying much attention to cybersecurity, but it could be that executives are finally keen to take more interest in securing the systems and networks their businesses rely on. Senior figures from American, British and Australian cybersecurity agencies have said that business execs are now more aware of cyber threats and are actively engaging with their chief information security officer (CISO) and information security teams. 

    Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), said that, in a “massive leap in trust,” many organisations are actively seeking out advice to help inform boardrooms about cybersecurity issues.

    “Today boards say, ‘Can you come and brief our board, and can you stay while the CISO’s briefing the board? And can you please give us a view about the quality of our controls and our estimation of risk?’, which is hugely transparent,” she said, speaking at the UK National Cyber Security Centre’s (NCSC) Cyber UK conference in Newport, Wales.

    “I see that as well, it feels as if it’s really maturing,” said Lindy Cameron, CEO of the NCSC. “We’ve been trying really hard over the last few months to get organisations to step up but not panic, do the things we’ve asked them to for a long time and take it more seriously.”

    The NCSC regularly issues advice to organisations on how to improve and manage cybersecurity issues, ranging from ransomware threats to potential nation state-backed cyberattacks, and Cameron said she’s seen a more hands-on approach to cybersecurity from business leaders in recent months.

    “I’ve seen chief execs really asking their CISOs the right questions, rather than leaving them to it because they don’t have to understand complex technology. It does feel like a much more engaging strategic conversation,” she said.

    But there can still be a disconnect between knowing what needs to happen and actually budgeting for and implementing a cybersecurity strategy.

    “I think everybody in this room knows what we need to do to do the basics of cybersecurity. And often the challenge is the culture and the resources; the will to say, ‘This is the thing that we have to do and we’re going to endure the pain to get there’,” said Rob Joyce, director of cybersecurity at the National Security Agency (NSA).

    He pointed to multi-factor authentication (MFA), which is generally regarded as a key step that businesses can take to boost cybersecurity, providing an extra barrier to hackers trying to use phished, leaked or stolen usernames and passwords. However, rolling MFA out to all users of a network can be a challenge.

    “We have a long journey ahead on multi-factor authentication, there’s nobody who thinks that’s a bad idea – but it’s a real investment, a real pain to implement it,” said Joyce.

    Nonetheless, the NSA’s cybersecurity director believes progress is being made, especially after the White House signed an executive order on cybersecurity for critical infrastructure and committed to a zero-trust security model for federal agencies. While these measures apply directly only to critical infrastructure and government respectively, the strategies they set out could be useful to organisations in other sectors as well.

    “The narrative has shifted at a political level, at the board level, at the industry level, who are now getting together and saying, ‘We know where we must go, let’s resource everyone to get there’,” said Joyce.

    And while most businesses will be expected to take control of implementing and updating a cybersecurity strategy themselves, governments and cybersecurity agencies are there to provide advice and guidance, and that’s something the ACSC’s Bradshaw hopes companies continue to take advantage of during their cybersecurity journeys.

    “What they’re looking for is evidence of an ongoing relationship and collaboration between my agency and their CISO and senior execs. That is something I’m extremely grateful for and I think bodes well for the evolution that’s necessary over the next decade,” she said.