CafePress: Just 23 Million Customer Details May Have Slipped Away
August 6, 2019
I read “CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?” Several years ago I participated in a meeting at which a senior officer of CafePress was in the group. The topic was a conference at which I was going to deliver a lecture about cyber security. I recall that the quite confident CafePress C-suite executive pointed out to me that the firm had first rate security. Interesting, right?
The write up in the capitalist tool said:
According to that HIBP notification, the breach itself took place on Feb 20 and compromised a total of 23,205,290 accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com.
I thought that an outfit with first rate security would not fall to a bad actor. I also assumed that the company would have reported the issue to customers promptly. It seems as though the breach took place more than five months ago. (February 2019 and today is August 5, 2019.)
What’s DarkCyber’s take on this?
- The attitude of a CafePress executive makes clear that confidence and arrogance are poor substitutes for knowledge.
- The company looks like it needs a security and management health check.
- A failure to act more quickly suggests significant governance issues.
How about a T-shirt with the CafePress logo and the phrase “First Rate Security” printed on the front?
Stephen E Arnold, August 6, 2019
Department of Defense: Procurement and Management in the Spotlight
July 30, 2019
There’s more chatter about Oracle’s attempt to remain relevant at the Pentagon. Almost overlooked is the report by the Department of Defense’s Inspector General. The IG had the delightful task of auditing contractor networks. The idea was that maybe some processes could be improved.
ExecutiveGov noted:
DoD OIG found that the agency’s contracting offices have not developed approaches that will help validate contractual requirements, send contractor notifications, mark CUI documents and confirm implementation of CUI security controls. In addition, the report confirmed that the Defense Threat Reduction Agency did not take prompt action to mitigate the leak of information from a DoD contracting office.
FedScoop pointed out:
The report also cites some communication failures. A failure to properly mark controlled but unclassified information, for example, blinded contractors to what steps they needed to take to ensure information security. DOD contracting offices “inconsistently tracked” which contractors had what type of information, leaving both sides of the contracting process in the dark, the report states.
Interesting reading because the report may be helpful to different DoD centric entities. There are some redactions, but the main points are clear. DarkCyber found the comments about “no oversight” interesting. Without oversight, is cost control possible? Can scope creep be limited?
Stephen E Arnold, July 30, 2019
Google: Being Responsible
July 29, 2019
Individual states have been legalizing or decriminalizing marijuana left and right, but the federal government still considers it an illegal substance. That is why, according to 9to5Google, “Google Immediately Bars All Marijuana Delivery Apps from the Play Store.” Google wouldn’t want to run afoul of the Feds, now would it? Reporter Damien Wilde writes:
“The updated policy now states that applications that help users buy or allow users to order marijuana products will now be removed. Here is the updated marijuana policy, as per the Play Store developer guidelines:
‘Here are some examples of common violations:
‘Allowing users to order marijuana through an in-app shopping cart feature.
‘Assisting users in arranging delivery or pick up of marijuana.
‘Facilitating the sale of products containing THC.’
“In a statement to Android Police, Google stated that applications like the popular Eaze and Weedmaps will only need to remove the shopping cart flow from within their applications to comply with the new rules. These apps simply need to move the shopping cart flow outside of the app itself to be compliant with this new policy. We’ve been in contact with many of the developers and are working with them to answer any technical questions and help them implement the changes without customer disruption.”
An update to the article reports Eaze has complied, requiring users to navigate to its own website to make a purchase. We imagine Weedmaps will soon follow, reducing both apps to window-shopping platforms. What, then, is the point? Perhaps they anticipate a time when federal law catches up to states’ decisions.
Cynthia Murrell, July 29, 2019
Facebook: Running Out of Users? No, Just Nibbling on Its Foot
July 25, 2019
About that Facebook growth? The US may be saturated, and FBF or Facebook fatigue may be kicking in. Rumors about “phantom” Facebookers in far flung countries won’t die. The regulators are flocking with legal eagles, and some countries see Facebook as a piggy bank filled with easy money.
What else could go wrong?
According to Information (no, that’s the name of an online publication), quite a bit. “Facebook Secret Research Warned of ‘Tipping Point’ Threat to Core App” discloses allegedly confidential information that doom approaches with a Like icon. (We will take a look at secrets let loose in our August 6, 2019, “DarkCyber” video program.)
What’s the Facebook secret?
…if enough users started posting on Instagram or WhatsApp instead of Facebook, the blue app could enter a self-sustaining decline in usage that would be difficult to undo. Although such “tipping points” are difficult to predict…
Here’s a Venn diagram (remember those you algebra lovers?) to prove this “secret”:
These could be Facebook’s five circles of social hell. Source: Information (that’s a great name when searching!)
To simplify, Facebook is cannibalizing itself. Without a flow of “real,” honest to goodness users of “old” Facebook, it’s possible for the core service to shrink and maybe die.
No, no, no, howls one group of FB Likers. Yes, yes, yes, shout another group which collectively dislikes Facebook.
Several observations:
- Monopolies do what they do, steered by the invisible hand of digital leprosy.
- Reversing the cannibalism is going to take more than high school science club management methods, apologies, and writing checks to assorted nation states.
- A weakened Facebook can fall prey to the MySpace disease, the digital pneumonia which thrives in poorly managed social spaces.
Net net: Worth watching. Get your popcorn, kick back, and think how certain government agencies will obtain high value information from a weakened Facebook.
Stephen E Arnold, July 25, 2019
Google: Some Interesting News Regarding an Interesting Company?
July 9, 2019
DarkCyber noted a handful of interesting Google news items. We assume that each of these is true, or in the words of one podcast, “actual factual” information.
First, Digital Journal reports that Google is working on cold fusion. The write up explains:
Cold fusion is a hypothesized type of nuclear reaction taking place at room temperature (hence the reference to ‘cold’ and contrasting to the “hot” fusion which happens within stars or as part of hydrogen bombs). There is currently no accepted theoretical model that would allow cold fusion to occur, and when attempted results have not been reproducible.
Nevertheless, Digital Journal reports via Physics World:
Google together with several research institutes in the U.S. is reported to have reopened what they call the “cold case” of cold fusion. Despite the many failures to observe cold fusion, the scientists contend that the case is not yet closed, and that cold fusion energy is indeed achievable. Google are investing $10 million into the project and there are thirty scientists involved.
Second, “YouTube Software Engineer Injures 8 in Drug-Induced Fourth of July Rampage, Police Say” reports that a person, allegedly a Google YouTuber, ingested LSD and behaved in a manner which caused Sonoma county officers to shoot him.
The news story summarized these actions by the alleged Googler:
- To get past his friends trying to stop him, Koffi choked one, stabbed one with a pencil and punched two in the chest, side and face.
- While trying to get away in his rental car, he hit the car parked behind him and lodged the sedan into the house’s garage.
- Koffi ran down the street before a security guard began questioning him. He stabbed the guard’s chest with the metal stake end of a landscape light, then sped away in the guard’s running and unlocked truck.
- On the road, he hit two pedestrians. He then struck a woman walking on a bluff. After hitting a wall, he drove through the side yard of a home and got back on the road in time for two patrol cars to pull up.
- Koffi accelerated toward the officers, ramming into one patrol car as a deputy fired a gun. He didn’t stop until he was shot at least three times through the windshield.
Third, Google researchers allegedly discovered a way to brick (disable) Apple iPhones with an iMessage. According to BGR (Boy Genius Report):
The only fix is a factory reset and there’s no way to recover lost data that wasn’t backed up….The good news is that Apple patched this issue in iOS 12.3, which means that you’re safe as long as you’ve updated to the latest stable iOS release, or if you’re on an iOS 13 beta.
Cold fusion, LSD, and bricking iPhones — linked with a single threat: The Google. Dare I use the acronym: HSSCMM? No, not even high school science clubs could pull off these three events in a week or so.
Stephen E Arnold, July 9, 2019
Google to Kiwis: You Are Flightless Birds, Not Us
July 5, 2019
I read “Google Suspends Trends Email Alerts in New Zealand after Breaching Court Order.” The headline caught my attention. New Zealand? Home of Kim Dotcom. Getaway spot for some Silicon Valley Lord of the Rings admirers? A handy place to experience earth tremors.
The write up reminded me:
Google has backed down in a spat with the New Zealand government after its email alert system Trends breached a court order suppressing details of a high-profile murder case. According to Reuters and AFP, Google has suspended its Trends feature in the country following outcry from the New Zealand government.
I can understand Google’s point of view. New Zealand is a mere country and a small one at that. It is far away, and it does not click as much as an important country’s residents.
The hassle surfaced because an automated Google alert named the person who killed another. Stating the alleged killer’s name was a no-no. Google ignored that court order.
Google said, “Yo, we’re sorry.” However, Google was not too keen on making changes to its systems because a mere country wanted the US firm to follow the laws of that lesser nation state.
Here’s the nifty part. The write up reported:
New Zealand politicians reacted strongly to this reply, with justice minister Andrew Little accusing Google of “flipping the bird” at the country’s legal system.
What’s the problem with Google (a big virtual country) doing what’s good for itself? Plus, little countries have to be careful because Google has digital firepower and could use it to send a message. Oil embargo? Forget that. How about no email and no Web traffic?
The write up included this statement:
In the UK, for example, politicians have argued that Facebook is incapable of policing “harmful” content on its platform, and needs to be overseen by domestic regulators. In France, Google has been fined millions of dollars for failing to meet EU data privacy laws. And in New Zealand, Facebook was strongly criticized by prime minister Jacinda Ardern for failing to stop the spread of videos of the Christchurch terrorist attacks. “They are the publisher not just the postman,” said Ardern in March. “There cannot be a case of all profit no responsibility.”
Get real. This is the Google politicians and officials are irritating. What about removing New Zealand and the UK from Google Maps?
If you are not on Google, you don’t exist. Understand?
Stephen E Arnold, July 5, 2019
YouTube: About Face
July 5, 2019
DarkCyber noted another example of high school science club management methods. “YouTube Reinstates Yanked Ethical Hacking Videos” reports:
YouTube’s clear as mud moderation rules were once again confused this week as the site pulled a bunch of ethical hacking videos, only to reinstate them shortly afterwards.
The UK news source reports that Google allegedly said to another online information service:
“With the massive volume of videos on our site, sometimes we make the wrong call,” a Google spokesperson told The Verge after the videos were restored. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”
The Inquirer.net writes:
Iffy moderation on YouTube. Surely not.
DarkCyber wants to point out that “iffy” is a standard operating procedure when implementing high school science club management methods. The science club is, by definition, correct. There is a corollary about consistency; that is, “What the science club does is, by definition, consistent.”
You have to be in the science club to appreciate the truth of this statement.
Stephen E Arnold, July 5, 2019
Google: The Deciders Decide and Damage Some Security Data Flows
July 4, 2019
I read “YouTube Strikes Infosec Channels for Instructional Hacking Content.” DarkCyber’s view is that some information which routinely makes its way into open source should not be there. But, hey, we’ve been accused of being dinosaurs before. DarkCyber’s beloved leader, Stephen E Arnold, coined the term “Googzilla,” and its reptilian connotations definitely apply to some of the DarkCyber team.
The point of the write up strikes DarkCyber as:
‘Youtube banning security disclosures doesn’t make products more secure, nor will it prevent attackers from exploiting defects – but it will mean that users will be the last to know that they’ve been trusting the wrong companies, and that developers will keep on making the same stupid mistakes…forever.’
Several observations:
ITEM 1: DarkCyber’s sparkling fountains of fire describes the management of some Silicon Valley firms as following the management precepts of “high school science clubs.” This means that bright, arrogant, confident, and generally mathy type people create an us-them dichotomy. Then the “us” people create a tidy little world which allows pranks, outstanding decisions, and numerous snide comments to pass for intelligence. Apply the HSSC method and you get…
High School Science Club Management Methods
A good example is a decision which is short sighted, difficult to explain, and probably as practical as driving a US Fourth of July parade war fighting vehicle to a party at the local Burger King.
ITEM 2: Figuring out what is positive information versus negative information is subjective. This means that one person will see the dress as one color and another person will see the garment as another color. Which is it? Don’t ask me, just ask the people at the search company. I know I can’t figure out what people will “perceive.” Obviously, the HSSCMM allows this type of decision making. The science club is, by definition, right. Plus, now members of the science club have lots of money.
ITEM 3: When making the Loon balloon into a commercial company or insisting that search results are relevant, Silicon Valley type companies are delightful. When these firms decide what information is technically permissible or not allowed, it demonstrates their decision making capabilities. If there were viable MBA programs, perhaps this type of deciderism would become a case study. Oh, right, MBA programs are facing some headwinds now.
Net net: The deciders decide. The followers follow. Medieval methods are good. The punishment? Banishment. DarkCyber assumes this is preferable to a dungeon in Mountain View or a ban on Philz coffee.
Stephen E Arnold, July 4, 2019
GSA Inspector General Finds Something Obvious
July 3, 2019
I read “GSA IG: Federal Acquisition Service Ineffective in Administering Enterprise IT Modernization Contract.” Startling. Amazing. Shocking.
The write up explained:
The IG said that FAS failed to ensure that the Transition Ordering Assistance task order met the requirements for the EIS information technology modernization initiative, resulting in “high rates of spending with minimal transition progress.” Other findings include deficiencies in planning and management, invoicing and contractor performance assessments.
How does one address the shortcomings?
Easy.
Get in the consultants. Form a team. Work up “metrics for work completion.” Make sure these are in line “with budget concerns.” Then everyone implements “interagency agreements.”
Who knew that solving a problem would be so straightforward.
Why do these problems exist? Maybe consultants and staff struggle to deal with certain types of complex interactions.
What happens to projects underway as these recommendations are followed? Maybe more inefficiency, delays, and waste.
Camus might have dropped Sisyphus as his hero and substituted the GSA’s Inspector General?
Stephen E Arnold, July 3, 2019
Machine Learning: Whom Does One Believe?
June 28, 2019
Ah, another day begins with mixed messages. Just what the relaxed, unstressed modern decider needs.
First, navigate to “Reasons Why Machine Learning can Prove Beneficial for Your Organization.” The reasons include:
- Segment customer coverage. No, I don’t know what this means either.
- Accurate business forecasts. No, machine learning systems cannot predict horse races or how a business will do. How about the impact of tariffs or a Fed interest rate change?
- Improved customer experience. No, experiences are not improving. How do I know? Ask a cashier to make change? Try to get an Amazon professional to explain how to connect a Mac laptop to an Audible account WITHOUT asking, “May I take control of your computer with our software?”
- Make decisions confidently. Yep, that’s what a decider does in the stable, positive, uplifting work environment of an electronic exchange when a bug costs millions in two milliseconds.
- Automate your routine tasks. Absolutely. Automation works well. Ask the families of those killed by “intelligence stoked” automobiles or smart systems on a 737 Max.
But there’s a flip side to these cheery “beneficial” outcomes. Navigate to “Machine Learning Systems Are Stuck in a Rut.” We noted these statements. First a quote from a technical paper.
In this paper we argue that systems for numerical computing are stuck in a local basin of performance and programmability. Systems researchers are doing an excellent job improving the performance of 5-year old benchmarks, but gradually making it harder to explore innovative machine learning research ideas.
Next this comment by the person who wrote the “Learning Systems” article:
The thrust of the argument is that there’s a chain of inter-linked assumptions / dependencies from the hardware all the way to the programming model, and any time you step outside of the mainstream it’s sufficiently hard to get acceptable performance that researchers are discouraged from doing so.
Which is better? Which is correct?
Be a decider either using a black box or the stuff between your ears.
Stephen E Arnold, June 28, 2019