Russia May Not Contribute to the Tor Project in 2022

December 28, 2021

This is probably not a surprise to those involved with the Tor Project. We noted some evidence of Russia’s view of anonymized Internet browsing in “Russia Blocks Privacy Service Tor In Latest Move To Control Internet.” The article reports:

Russia’s media regulator has blocked the online anonymity service Tor in what is seen as the latest move by Moscow to bring the Internet in Russia under its control. Roskomnadzor announced it had blocked access to the popular service on December 8, cutting off users’ ability to thwart government surveillance by cloaking IP addresses.

The Tor Project responded with some tech tips for ways to get around the Putin partition. (Think Tor bridge. Some details are at this link.)

Does this mean that Russia has no interest in Tor? Nope. We think that some of Mr. Putin’s fellow travelers are hosting Tor relay servers, but that’s just something we heard from a person yapping about freedom.

What’s next? How about blocking any service originating in nation states not getting with Mr. Putin’s Ukrainian program? It is unlikely that Sergey Brin’s flight on a Russian rocket ship will become a reality in 2022. We also heard that the Google Cloud hosts some services that Mr. Putin thinks may erode the freedoms enjoyed by Russian citizens.

Stephen E Arnold, December 28, 2021

Log4Shell: Tough to Hide This Fire

December 28, 2021

Billy Joel was absolutely right when he sang the acclaimed song “We Didn’t Start The Fire” about the world’s slow demise. Unlike the planet, the Internet is regularly set ablaze and the demise is quick. The current flame is “Log4Shell” and it gives bad actors back doors into clouds and enterprise systems to steal data, download malware, erase information, and cause mayhem. AP News explores the breach in: “‘The Internet’s On Fire’ As Techs Race To Fix Software Flaw.”

The bug dubbed “Log4Shell” originated in open source Apache software used to run Web sites and other Web services. While open source software is a boon to the world, it is not updated as quickly as proprietary software. Amazon, for example, updates itself daily while systems running Apache only update at their owners’ behest.

Funny enough the “Log4Shell” vulnerability was first noticed in a children’s game:

“The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box. Microsoft said it had issued a software update for Minecraft users. ‘Customers who apply the fix are protected,’ it said.”

Cyber security is not child’s play, but hacking is for some bad actors. Thankfully developers are working on a patch to prevent further damage. Security professionals really should not panic; they should combine their knowledge to find a solution more quickly.

A couple of points:

  1. The issue allegedly was disclosed by an Alibaba tech professional, possibly Chen Zhaojun.
  2. China suspended an apparently “big” cyber security deal with Alibaba after the disclosure.

Are these two actions connected; specifically, did China lose control of a really nifty zero day? Beyond Search thinks that the career trajectory of some Alibaba professionals will be interesting to watch. Are there IT jobs in Ürümqi?

Whitney Grace, December 28, 2021


The Apple of a Chinese Eye: Big Bucks, Big Secrets

December 28, 2021

This is one way to deal with regulations in a nation famous for its tight control over tech companies. TechSpot reveals, “Tim Cook Reportedly Signed Secret $275 Billion Investment Deal with China to Help Apple Succeed in the Country.” Writer Rob Thubron cites an article from The Information (paywalled) which claims to have interviews and internal documents showing the Apple CEO personally lobbied Chinese officials in 2016. He informs us:

“Cook signed a ‘memorandum of understanding’ with China’s National Development and Reform Commission that involved Apple making concessions in exchange for legal exemptions. Apple’s promise included helping Chinese manufacturers develop advanced manufacturing technologies and support with training of Chinese talents, using more Chinese-sourced components in its devices, signing deals with the country’s software firms, and investing directly in Chinese companies. Additionally, some of the billions of dollars Apple put into the country would go toward retail stores, research and development centers, and renewable energy projects. One of the ways Apple has allegedly benefitted from the deal is its ability to hold onto the encryption keys for iCloud user data in the region. The Chinese government usually forces foreign companies to hand over responsibility for such data to local organizations.”

Yes, never let it be said the Chinese government values its citizens’ digital privacy. Apparently, though, loosening its stranglehold on information is worth it when it comes to Apple. Thubron continues:

“The iPhone maker has a history of kowtowing to the Chinese government, having previously removed thousands of games, apps, and VPNs from its App Store at the behest of local officials. It also purged a protest app and the Quartz news app during the Hong Kong pro-democracy protests.”

It seems this policy of compromising the principles of freedom in the land of censorship is paying off for Apple. We learn its annual sales grew by 83% in China during the fiscal fourth quarter. We are not surprised to see the bottom line is the top priority for the company.

Cynthia Murrell, December 28, 2021

DarkCyber for December 28, 2021, Now Available

December 28, 2021

This is the 26th program in the third series of DarkCyber video news programs produced by Stephen E Arnold and Beyond Search. You can view the ad-free show at this url. This program includes news of changes to the DarkCyber video series. Starting in January 2022, Dark Cyber will focus on smart software and its impact on intelware and policeware. In addition, Dark Cyber will appear once each month and expand to a 15 to 20 minute format.

What will we do with the production time? We begin a new video series called “OSINT Radar.” OSINT is an acronym for open source intelligence. In a December 2021 presentation to cyber investigators, the idea surfaced of a 60 second profile of a high value OSINT site. We have developed this idea and will publish what we hope will be a weekly video “infodeck” in video form of an OSINT resource currently in use by law enforcement and intelligence professionals. Watch Beyond Search for the details of how to view these short, made-for-mobile video infodecks. Now when you swipe left, you will learn how to perform free reverse phone number look ups, obtain a list of a social media user’s friends, and other helpful data collection actions from completely open source data pools.

Also, in this DarkCyber program are: [a] the blame for government agencies and specialized software vendors using Facebook to crank out false identities. Hint: It’s not the vendors’ fault. [b] why 2022 will be a banner year for bad actors. No, it’s not just passwords, insiders, and corner-cutting software developers. There is a bigger problem. [c] Microsoft has its very own Death Star. Does Microsoft know that the original Death Star was a fiction and it did not survive an attack by the rebels?, and [d] a smart drone with kinetic weapons causes the UN to have a meeting and decide to have another meeting.

Kenny Toth, December 28, 2021

Microsoft: Whipping Up the Dataverse to Distract from Security Issues?

December 27, 2021

I pegged the half-baked Windows 11 as a way to deflect tech writers from Microsoft’s noteworthy security challenges. The names almost became household words, spoken in retirement facilities and pre-schools. The mantra? SolarWinds, Exchange Server, Printspooler, Azure, etc.

How does a giant company with millions of “users” respond? My first thought was: Get everyone amped over the Windows 11 release. And the “real” tech journalists responded. Big names like Paul Thurrott were not clued in to the release. Wow, surprise! ZDNet chased the ball around the cubicle. And to cap the PR push, Windows 11 users cannot select a different browser. That will put some “real” tech bloggers’ teeth on edge.

What was the result? The mind boggling security issues have been pushed into the background. From Microsoft’s point of view, that may be a good thing.

So what’s next?

How about this? “Microsoft is mining the Xbox 360 ‘Red Ring’ controversy for profit, and that’s not cool.” Yep, that’s the headline for a story about Microsoft hardware failure. The promotion was couched within a YouTube video. Plus, Microsoft will sell its faithful and security indifferent users a poster. No NFT for the Softies? This is a tree killing, ink centric offering.

To what end?

Just try to recall that the SolarWinds, Exchange, etc. vulnerabilities still bedevil some security professionals. Will the tech bloggers and experts cut from Thurrott wool notice?

Nah. Red herring is a wonderful dish for a New Year’s feast in my opinion.

Stephen E Arnold, December 27, 2021

Does Amazon Have Canaries?

December 27, 2021

I read “‘There’s No Moment of Silence’: What Happened after 2 Amazon Employees Reportedly Died within Hours of Each Other.” If accurate, two employees in an Amazon Alabama facility expired. When I saw the headline, I thought about the death of six Amazon workers in a company warehouse. “Amazon Criticized Over Safety at Tornado-Hit Warehouse” describes what happened. Today is December 23. I think that means that in the last week and a half, reports of eight Amazon worker deaths have reached Harrods Creek, Kentucky. Kentucky is semi familiar with work related deaths. The coal mines were noted for their safety track records. Some of those old fashioned safety conscious operations relied on canaries to alert the happy workers that a problem existed: Dead bird, bad air. Has Amazon considered canaries — either digital or with feathers — for its facilities?

Stephen E Arnold, December 27, 2021

Data Science Information at Your Fingertips

December 27, 2021

Just a brief honk about a useful resource. Data scientist, engineer, and blogger Manpreet Singh draws our attention to an “Amazing List of Data Science Cheat Sheets.” Singh begins with a word to those wondering what, exactly, data science is—linking to UC Berkeley’s page on the subject. He then reveals the trove of quick-access info is located at GitHub, posted there by engineer Favio Vazquez. Singh includes a series of screenshots that give a taste of the collection. He writes:

“When you load up this repo you will see a few different folders, these folders house a ton of different cheat sheets for different disciplines: [screenshot 1] You can also scroll down a bit to see a breakdown of these sheets: [screenshot 2] These cheat sheets range in use, but they all offer a ton of value for your data science needs. All you have to do is click on the cheat sheets you want to see, you will then be redirected to some awesome looking cheat sheets: [screenshots 3 and 4] Without a doubt, if you’re planning on learning data science, I would highly recommend checking out these cheat sheets.”

With topics as wide-ranging as business science, calculus, SQL, and machine learning, this list is a one-stop source of reference material for the current or aspiring data scientist. Savvy readers may wish to bookmark the useful page.

Cynthia Murrell, December 27, 2021

Russia Says Happy Holidays to Google

December 24, 2021

I think I have figured this out. Each month the Russian legal system fines Google some money. Think of this as a tax levied on being allowed to operate in a country not fond of certain Ukrainian officials. Come to think of it, Russia does not exactly love the Google. The first hint was the go-nowhere deal for Sergey Brin to fly into space, a goal that has remained out of reach. A failure for a ride must have been as painful as the failure of the Google Glass thing.

“Russian Court Fines Google Nearly $100M Over Content” delivers the holiday news to the well managed outfit in Mountain View. What was Google’s transgression? (I know it is difficult to pick from the cornucopia of alleged missteps.) Here’s what the write up reports:

A Moscow court has fined Google nearly $100 million over its failure to delete content banned by local law.

Will Google pay? Sure, eventually.

I am interested to see what “fine” emerges in January. Won’t Russia enforcement officials pull Googzilla’s tail to collect another financial output? Apple has made clear that US companies will cut deals to do business in certain nation states. Russia’s approach is more direct: Find the Google guilty. Collect money.

Perhaps Mr. Putin will propose a more predictable approach? Is an Apple-type deal on the to-do list for 2022?

What a nice way for the Russian bear to wish GOOG “Happy Holidays”!

Stephen E Arnold, December 24, 2021

Mother Google Wants Tidy Cubbies

December 24, 2021

Google is going to save us from our disorganized selves, whether we like it or not. TechRadar reports, “Google Drive Update Will Force You to Clean Up Your Mess of Files and Folders.” It is for our own good, really. To force users into tidying up, Drive will automatically migrate multi-location files to shortcuts, a system launched in August of last year. With the pandemic-prompted shift in remote work, use of cloud-based systems like Drive had suddenly boomed. Writer Joel Khalili tells us:

“This [shift] caused an influx in the number of documents, spreadsheets, presentations and other assets hosted in Google Drive, creating various file management and navigation issues. With the upcoming update, Google will hope to impose some measure of order on the chaos, which is only exacerbated by the opportunity for files to exist in multiple locations. According to the blog post, administrators will be notified via email a number of weeks before the migration to shortcuts takes place. Before the process begins, admins will be able to specify whether shortcuts are introduced in all possible scenarios, or only for content shared within the company’s own domain. Google Workspace users, meanwhile, will be served a banner warning of the changes, but will be required to take no further action. All existing file permissions will be preserved after the migration takes place, says Google.”

We suppose that is one way for Google to save on data storage costs. If the company can position it as a boon for users, all the better. Will it also seek a way to make us eat our vegetables? Will mom root through the data in order to make a definitive parental decision? What if some data are in violation of the Google’s terms of service? What’s the punishment? Google jail, a fine, a trial? We don’t know.

Cynthia Murrell, December 24, 2021

JPMorgan Chase: One Insignificant Question

December 24, 2021

Years ago I did some analysis for an upscale financial outfit which shall remain nameless in this post. I recall one question I was asked at lunch, at institution-sponsored conferences, and in hallways. The question? It was, “How do burner phones work?” The individuals asking often said, “I am just curious, of course.”

Of course.

I thought of these questions when I read “SEC Gives JPMorgan Chase Record Fine for Using WhatsApp to Conduct Business.” [If the link is dead, you are on your own, gentle reader.] The write up explains that some over achievers were sidestepping assorted rules, guidelines, recommendations, suggestions, and cultural norms to “conduct business” without being monitored. Here’s a passage I noted:

The SEC said the practice of using third-party communication apps was widespread at JPMorgan Chase. Another regulator, the Commodity Futures Trading Commission, also said Friday that it fined JPMorgan $75 million for using unapproved communications.

Okay. WhatsApp.

But what about burner phones? Probably not a problem among the squash playing financial health fanatics. I am just curious, of course.

Stephen E Arnold, December 24, 2021
