Showing posts with label Teh Intarwebz. Show all posts

Wednesday, November 20, 2024

New substack that's worth your time

Randal emails to point out that he's started a Substack.  It's pretty interesting.  Here's an example about trade unions:

For the longest time much of the media has fed us the idea that “union = overpaid/lazy/bad”. Now we should all have the following ingrained in our skulls by now, “the media lies”.

Proceeding from that “law” (it really should be a scientific law at this point) we can deduce that the media is lying about unions. The real question to ask ourselves is, “why?”

Like I said, pretty interesting.

 

Saturday, November 16, 2024

Someone at Netflix is getting fired

So their live streaming of the Mike Tyson fight last night was an unmitigated disaster.  But come on - you'd think that Netflix IT would understand how to spin up capacity to meet demand.  Maybe their replacements will.

For those who like the Sweet Science (or who used to), this is a fascinating episode from Hard Core History about how boxing has changed over time, mostly for the worse.  Dan Carlin interviews Mike Silver, author of The Arc of Boxing which is a terrific read.  I'm in general agreement with both the podcast and the book, although have to admit that I quite enjoyed the Barrios/Ramos bout last night.  It had a very Friday Night Fights feel to it.

Monday, July 8, 2024

Censorship: Action, Reaction

So Youtube hates guns and is trying to demonetize shooting channels.  So one of the channels decided to follow the rules, with hilarious results.

Monday, May 6, 2024

Kaiser Permanente shares user data with Google, Microsoft, and others

Well, well, well:

Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant.

Kaiser told The Register it has started notifying 13.4 million current and former members and patients that "certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," when customers used its websites and mobile applications.

Kaiser has since removed that tech from its websites and apps, and said it is not aware of "any misuse of any member's or patient's personal information."

Yeah, I'll bet.


If you get Kaiser Permanente insurance at work, you might want to ask your HR department for an assessment of whether your data was included in this data sharing scheme.  It's hard to see how at least HIPAA-adjacent data was not shared here.

 

Monday, April 29, 2024

Ring doorbell company fined millions of dollars for privacy violations

Well knock me over with a feather:

The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.

The windfall stems from allegations made by the US watchdog that folks could have been, and were, spied upon by cybercriminals and rogue Ring workers via their Ring home security cameras.

The regulator last year accused Ring of sloppy privacy protections that allowed the aforementioned spying to occur or potentially occur.

...
 

In the most egregious case, one employee went out of his way to view "thousands of video recordings belonging to at least 81 unique female users," according to the FTC. A coworker reported this behavior to her supervisor, who it's alleged initially said this snooping wasn't that strange until he realized the rogue employee was only reviewing videos of "pretty girls."

The fines work out to $50 per affected Ring customer.  Don't spend it all in one place.

Thursday, April 11, 2024

Security is hard, vol CCLVI

Act the first: Web Security organization suffers data breach:

A misconfigured MediaWiki web server allowed digital snoops to access members' resumes containing their personal details at the Open Web Application Security Project (OWASP) Foundation.

...

"If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach," OWASP said in a Good Friday notification posted on its website.


"We recognize the significance of this breach, especially considering the OWASP Foundation's emphasis on cybersecurity," it added.

Yup.  This shows just how hard security is - OWASP is full to the brim with folks who (a) understand the importance of security, (b) know how to implement security (well, most of the time), and (c) have a lot of reputation at stake.  That reputation took a hit here.

Act the second: OPSEC is a bitch, even for secret squirrels:

Protecting your privacy online is hard. So hard, in fact, that even a top Israeli spy who managed to stay incognito for 20 years has found himself exposed after one basic error.

The spy, named Yossi Sariel, allegedly heads Israel's Unit 8200 – a team of crack infosec experts comparable to the USA’s National Security Agency or the UK’s Government Communications Headquarters. Now he's been confirmed as the author of a 2021 book titled "The Human Machine Team" about the intelligence benefits of pairing human agents with advanced AI.

Sariel – who wrote the book under the oh-so-anonymous pen name “Brigadier General YS” – made a crucial mistake after an investigation by The Guardian which found an electronic copy of Sariel's book available on Amazon "included an anonymous email that can easily be traced to Sariel's name and Google account.”
...

Being outed after more than 20 years of anonymity isn't optimal for someone who's supposed to be a top spy

Yup.  And while it's tempting to roll your eyes and chorus Top. Men., remember that this is how they nabbed Ross Ulbricht, a.k.a. The Dread Pirate Roberts from The Silk Road.

Yeah, OPSEC is a stone cold bitch of a problem.  You have to be right 100% of the time, and dropping that to 99.99% means that you lose.

Tuesday, March 26, 2024

Youtube Shadowbans Climate: The Movie

The Feral Irishman emails to say that my post about the climate movie looked weird from his Windows computer.  He could watch the movie but there was nothing displayed about Youtube.  Everything looked normal from Safari on his iPhone.

Well, it turns out that Youtube has shadowbanned the film.  This almost certainly made the post look wonky.  If they disappear it I will update the embed to Rumble or something.

You know that you're over the target when you're taking flak.

Tuesday, February 27, 2024

On Google's untrustworthiness

Lots of folks are posting about the Google AI fiasco, and how it shows that you can't trust Google's search results. 

Um, we've known this for over a decade.  Their political ideology has been on display, right out in the open for a very long time.

Wednesday, February 21, 2024

Law Enforcement takes down major ransomware site

This operation is pretty impressive:

Notorious ransomware gang LockBit's website has been taken over by law enforcement authorities, who claim they have disrupted the group's operations and will soon reveal the extent of an operation against the group.

...

But Europol has reportedly taken credit for shutting down LockBit, so perhaps Operation Cronos really has disrupted the gang’s operations.

If that's the case, this action will be welcome. LockBit is prolific and vicious: we've reported it attacking a children's hospital, Infosys, sandwich chain Subway, and many other attacks.

Reportedly there have been multiple arrests, data has been found that is expected to lead to more arrests, and multiple cryptocurrency accounts have been seized.  Eleven countries worked together on this, which is also impressive.

We will see how much impact this has, but LockBit is one of the biggest ransomware schemes out there.

And this isn't the only one of these takedowns in the last couple of months.  Well done.

 

Tuesday, February 20, 2024

Security is hard

This is bad.  Really bad.

A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.

That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and make it seem as though websites and apps were offline.

The academics who found this flaw – associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."

What's bad is that you don't get more mission critical than DNS - Domain Name Service, the service that translates names (like borepatch.blogspot.com) into Internet addresses (like 192.1.7.200).  No DNS, no Internet.

If you run a DNS or DNSSEC server, look at this ASAP.

Sunday, January 14, 2024

Introducing The Queen Of The World

Michael left a comment to last night's post where I was off to sack Rome and TQOTW was a mermaid:

Show us your ugly mug but keep the mermaid for yourself?

Sigh, so uncivilized. LOL

Touché, Michael.  So with her permission, here she is as the Queen of the World:


And here is the mermaid:


Man, this web site has made us waste a lot of time on a Sunday morning.



Thursday, November 16, 2023

What to do about Quantum Computing?

There's a good (if geeky) read from the UK National Cyber Security Centre on how to prepare your organization for Quantum Computing.  From the article:

Quantum computers use properties of quantum mechanics to compute in a fundamentally different way from today's digital, 'classical', computers. They are, theoretically, capable of performing certain computations that would not be feasible for classical computers. Although advances in quantum computing technology continue to be made, quantum computers today are still limited, and suffer from relatively high error rates in each operation they perform.

In the future, it is possible that error rates can be lowered such that a large, general-purpose quantum computer could exist. It is, however, impossible to predict when this may happen as many engineering and physical challenges must be overcome first. If such a computer could exist in the future, most traditional public key cryptography (PKC) algorithms in use today will be vulnerable to attacks from it.

Breaking Public Key Crypto is A Very Bad Thing Indeed, and would basically break the Internet.  If you're in the security field, you really should read this.

 

Saturday, October 28, 2023

Dad Joke CCIC - Special Cisco edition

In honor of the Cisco bug from hell, here are some computer networking Dad Jokes:

Five routers walk into a bar.  Who gets the car keys?  The Designated Router.

An IPv6 packet walks into a bar.  Nobody talks to him.

What did the OSPF router say to the other OSPF router?  Hello.  Hello.  Hello.


I would tell you a joke about UDP but you probably wouldn't get it.

Why yes, I am a nerd.  Why do you ask?

Monday, October 2, 2023

Vandals cut down most famous tree in UK

This tree:

Voted Tree of the Year in 2016 by the conservation charity Woodland Trust, the Sycamore Gap Tree was one of the most photographed trees in the United Kingdom. It’s also known as the “Robin Hood Tree” because it appeared in the 1991 film Robin Hood: Prince of Thieves, despite Hadrian’s Wall being some 130 miles north of Sherwood Forest.

According to the National Trust, this iconic sycamore tree was planted in the late 1800s by John Clayton, the saviour of Hadrian’s Wall, to be a feature in the landscape. 

So why would someone cut it down?  Tik-tok views:

Why would anyone do this? A question we are all confused over. Police officers are looking into claims that the tree was felled to be posted online and carried out as part of a TikTok stunt

Dumbass Tik-tockers.  Hang em.  From a tree.  As a warning to others.



Friday, July 14, 2023

Begun, the AI malware wars are

This is not good:

Cybercriminals are leveraging generative AI technology to aid their activities and launch business email compromise (BEC) attacks, including use of a tool known as WormGPT, a black-hat alternative to GPT models specifically designed for malicious activities.

According to a report from SlashNext, WormGPT was trained on various data sources, with a focus on malware-related data, generating human-like text based on the input it receives and is able to create highly convincing fake emails.

The only real defense you have against this new AI-generated email threat is to be very, very cautious (should I say "suspicious") of all emails that you get.  As with firearms, the most important computer security safety tool is between your ears.

 

Friday, June 23, 2023

Aesop, about the Internets that you just won ...

... you can pick them up in the usual place.

There are only two things I have to add to the discussion of the Titan/Titanic disaster:

1. OceanGate seems not to have considered that their target customer had enough cash to sue them into oblivion if things went Tango Uniform.

2. OceanGate's investors did not consider what their liability would be if things went Tango Uniform.

The legal proceedings promise to be epic.  And yeah, I don't care that the release that their customers signed mentioned the word "death" three times.  Doesn't release them from liability for reckless endangerment and misrepresentation. 

UPDATE 23 JUNE 2023 19:42:  Big Country gets an honorable mention with this one:


He has more, so get over there.  He's of a similar mind of the legal predicament that OceanGate is in.

UPDATE 23 JUNE 2024 20:04:  Miguel has an important pro-tip.

Tuesday, June 13, 2023

A message to commenter Birdchaser

You will remember the header at the top of the comment box: Remember your manners when you post.

You didn't.  Boy, howdy.

Your comment didn't make it through moderation because of your very disrespectful and profane attack on me.  This is my place, not yours.  I don't care that you feel really really strongly about Donald Trump.  Cathedra mea, regulae meae.

I've only banned one person in the 15 year run of this blog (my abusive ex-wife).  Congratulations - you're number two.

Go away and don't come back.  All comments from you will be nuked without being read.

Wednesday, April 26, 2023

Endorsed

Peter thinks that short format social media makes people nastier:

I question whether most "short format" social media outlets are worthwhile any more.  Most seem to be overrun with people who talk their hind ends off, but don't listen very much - or very well.

Yup.

Monday, March 6, 2023

No, Chinese researchers didn't crack RSA

RSA is the encryption that underpins secure Internet messages.  Without it, there would basically be no commercial Internet.  So it was concerning to see a paper published saying that Chinese researchers have a quantum encryption technique that cracks RSA.  Except, not so fast:

The paper from 24 researchers in China might have remained a matter for those well-versed in advanced mathematics, cryptography, and quantum computing – a fairly small set of people – but for the fact that it got noticed by cryptographer Bruce Schneier.

"This is something to take seriously," he wrote in his blog on January 3rd, 2023. "It might not be correct, but it’s not obviously wrong."

Schneier did not take a position on the paper, but the following day The Financial Times took notice in an article titled, "Chinese researchers claim to find way to break encryption using quantum computers."

Evidently they haven't.

Late that day, on January 4, Scott Aaronson, chair of computer science at The University of Texas at Austin, and director of its Quantum Information Center, offered a rebuttal with a succinct three word review of the paper: "No. Just No."

Crypto mathematics is notoriously hard to do right, and deceptively easy to screw up.  It looks like this paper made an unwarranted assumption that a particular algorithm is much faster when using quantum cryptography.  It's actually no faster than plain jane cryptography.

So secure Internet messages are safe, at least for now.

Sunday, October 23, 2022

The Internet interprets censorship as damage

It routes around it.  Big Brother Google (you do love Big Brother, don't you?) cast Big Country into the Outer Darkness, yea with bell, book, and candle.

He's baaaaaaaack.

Looks like this may have wedged Divemedic's blog, though.

UPDATE 24 October 2022 11:53: Divemedic's blog is back.