Albert the (Bug) Bounty Hunter

August 18, 2022

Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:

“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”

We are sure Cloudflare considers the $6,000 bounty well spent. Had the bug gone unsquashed, the repercussions might have gone well beyond the troublesome privacy issues. Because password-reset links arrive by email, a bad actor who silently re-routed a target’s mail could have reset passwords and taken over financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle: a second factor that does not depend on the mailbox blunts exactly that attack. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.
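The bug class Ropek describes, a missing or incomplete ownership check on a routing change, is easiest to see in code. The following is an added illustration, not Cloudflare’s code and not taken from Pedersen’s write-up; the zone names, account identifiers and the `ownership_verified` flag are assumptions made for the demo. The vulnerable handler looks a zone up by name alone, so any logged-in account can redirect another tenant’s mail; the hardened one binds the zone to the calling account and to a completed ownership check before touching any rule.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when an account tries to change routing for a zone it does not own."""


@dataclass
class Zone:
    name: str
    owner_account: str
    ownership_verified: bool                    # e.g. a DNS challenge record was confirmed
    rules: dict = field(default_factory=dict)   # alias address -> destination mailbox


def make_zones():
    """Constructed tenants for the demo; zone names and account ids are made up."""
    return {
        "victim.example": Zone("victim.example", "acct-victim", True,
                               {"hello@victim.example": "owner@mail.example"}),
        "attacker.example": Zone("attacker.example", "acct-attacker", True),
        # Claimed by the attacker but the ownership challenge was never completed.
        "pending.example": Zone("pending.example", "acct-attacker", False),
    }


def set_forwarding_rule_vulnerable(zones, caller_account, zone_name, alias, destination):
    """Looks the zone up by name only: being logged in is enough to rewrite anyone's routing."""
    zone = zones[zone_name]
    zone.rules[alias] = destination
    return zone.rules[alias]


def set_forwarding_rule_hardened(zones, caller_account, zone_name, alias, destination):
    """Binds the zone to the caller's account and to a completed ownership check before any change."""
    zone = zones.get(zone_name)
    if zone is None or zone.owner_account != caller_account or not zone.ownership_verified:
        # One error for "missing" and "not yours", so the API does not reveal which zones exist.
        raise AuthorizationError("zone not found or not owned by caller")
    if not alias.lower().endswith("@" + zone.name):
        raise ValueError("alias must belong to the zone being configured")
    zone.rules[alias] = destination
    return zone.rules[alias]


def demo():
    """Attacker account tries to redirect a victim alias to a mailbox it controls."""
    zones = make_zones()
    hijacked = set_forwarding_rule_vulnerable(
        zones, "acct-attacker", "victim.example", "hello@victim.example", "spy@attacker.example")
    zones = make_zones()
    try:
        set_forwarding_rule_hardened(
            zones, "acct-attacker", "victim.example", "hello@victim.example", "spy@attacker.example")
        blocked = False
    except AuthorizationError:
        blocked = True
    intact = zones["victim.example"].rules["hello@victim.example"]
    return hijacked, blocked, intact


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the authorization decision is made on the zone record itself (owner and verification state), not on anything the caller supplies; the alias check additionally stops a caller from using one zone’s endpoint to create rules for another domain.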

Cynthia Murrell, August 18, 2022

Is Google Drive — Gulp — a Hacking Tool for Bad Actors?

August 17, 2022

Russia is a near-impregnable force when it comes to hacking. Vladimir Putin’s home base is potentially responsible for influencing many events in the United States, including helping Donald Trump win his first presidential election. Russia neither confirms nor denies the roles hackers play in its and global politics. Unfortunately, Cyber Scoop shares how a common Google tool has been co-opted by hackers: “Russian Hacking Unit Cozy Bear Adds Google Drive To Its Arsenal, Researchers Say.”

In what is one of the simplest ways to deliver malware, Russian hackers from the state-funded unit Cozy Bear are using Dropbox and Google Drive. Did you read that? Russian hackers are using legitimate cloud storage services, including one from one of the biggest tech giants, to deliver malware. Palo Alto Networks’ Unit 42 researchers warn that the delivery process is hard to detect:

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. “When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”

Russian hackers and other black hats have used cloud storage services to deliver malware before, but using Google Drive is a new tactic for this group. Google’s globally trusted brand works in the attackers’ favor: when people see a Google domain, they tend to trust it, so potential victims could unknowingly download malware, and the traffic blends in with the legitimate use of the same service.

Dropbox is deleting accounts that exploit its service for hacking. The good news is that cloud storage services want to protect users; the bad news is that they are not acting fast enough.
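Trusted-service delivery cannot be inspected on the wire when the payload is encrypted, but a proxy log still records who fetched what from where. The detector below is an added example, not Unit 42’s logic; the host list, file types, user-agent markers and the log lines themselves are constructed for the demo. It scores only traffic to file-sharing hosts, so a plain executable download from any other site is left to other rules.

```python
import csv
import io
from collections import Counter

# Hosts that are both trusted and rarely blocked, which is exactly what makes them attractive
# as a delivery channel. Assumption: extend this set for the services your organisation uses.
CLOUD_STORAGE_HOSTS = {
    "drive.google.com", "docs.google.com", "drive.usercontent.google.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}
# Response types and file extensions this example treats as suspicious when fetched from a
# file-sharing host. Lists and the threshold are assumptions for the demo, not Unit 42's rules.
RISKY_TYPES = {
    "application/octet-stream", "application/x-iso9660-image", "application/zip",
    "application/x-msdownload", "application/x-ms-shortcut", "application/x-rar-compressed",
}
RISKY_EXT = (".iso", ".img", ".zip", ".7z", ".rar", ".exe", ".dll", ".lnk", ".hta", ".js")
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")

# Constructed proxy log for the demo; addresses, document ids and timestamps are made up.
SAMPLE_LOG = """timestamp,src_ip,method,host,path,status,content_type,user_agent
2022-07-19T09:01:02Z,10.0.1.15,GET,docs.google.com,/document/d/1AbC/edit,200,text/html,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0.0.0 Safari/537.36
2022-07-19T09:03:44Z,10.0.1.15,GET,drive.google.com,/uc?export=download&id=1XyZ,200,application/octet-stream,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0.0.0 Safari/537.36
2022-07-19T09:04:10Z,10.0.1.22,GET,www.dropbox.com,/s/q9k2/agenda.iso?dl=1,200,application/x-iso9660-image,python-requests/2.28.1
2022-07-19T09:05:00Z,10.0.1.22,GET,updates.example.com,/setup.exe,200,application/x-msdownload,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0.0.0 Safari/537.36
"""


def parse_log(text):
    """Reads a CSV proxy log with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def score_event(event):
    """Returns (score, reasons). Hosts outside the cloud-storage set always score 0: the rule is
    scoped to the channel under discussion, not a general executable-download detector."""
    reasons = []
    if event["host"].lower() not in CLOUD_STORAGE_HOSTS:
        return 0, reasons
    path = event["path"].split("?", 1)[0].lower()      # ignore the query string
    if event["content_type"].lower() in RISKY_TYPES or path.endswith(RISKY_EXT):
        reasons.append("binary or container content from a file-sharing host")
    if not any(marker in event["user_agent"] for marker in BROWSER_MARKERS):
        reasons.append("non-browser user agent (scripted or implant-initiated fetch)")
    return len(reasons), reasons


def detect(text, threshold=1):
    """Emits one alert per event whose score reaches the threshold."""
    alerts = []
    for event in parse_log(text):
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"src_ip": event["src_ip"], "host": event["host"],
                           "path": event["path"], "score": score, "reasons": reasons})
    return alerts


def alerts_by_source(alerts):
    """Counts alerts per internal source so repeated fetches surface even when each is low score."""
    return Counter(alert["src_ip"] for alert in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(alerts_by_source(found))
```

On the constructed log the browser-driven document view scores nothing, the octet-stream download from Google Drive scores one, and the scripted ISO fetch from Dropbox scores two; in practice the threshold and the per-source counts are what you tune, because a single low-score hit on a popular service will otherwise bury the analyst.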

Whitney Grace, August 17, 2022

Google: If True, This Is a Management Moment

August 15, 2022

I read tabloids when I ride the subway in New York, Paris, or London. Nope to Madrid’s and Moscow’s undergrounds. No thanks.

I spotted a New York Post article called “Google Execs Threaten Workers with Layoffs: There Will Be Blood on the Streets.” Wow, blood on the streets of Mountain View. Pretty exciting. I also liked the “threaten” idea. What an outstanding and sensitive management move… if accurate.

Let’s assume, just for chuckles, that the article is accurate.

I learned:

Google executives are telling their employees to shape up or ship out, warning that layoffs are coming if results don’t meet expectations. Employees who work in the Google Cloud sales department said that senior leadership told them that there will be an “overall examination of sales productivity and productivity in general.”

And, pray tell, what are those expectations? More chat applications? How about some big time acquisitions that go exactly where? Motorola, hello, hello. What about a high lift project like solving death? Oh, sorry. Been there and failed at that. Maybe mending fences in Australia? Yeah, that is a good idea once the most recent fine has been paid.

The write up quotes the Google top dog as saying:

… he wanted to solicit ideas from his employees on how to get “better results faster.”

Okay, that certainly opens the door to some creative thinking. Based on my attending law enforcement and intelligence conferences, the quick money comes from fraud, human trafficking, selling contraband, and possibly a few weapons deals. I would toss in getting into the fullz business (complete stolen identity records) as another “let’s noodle that” idea.

My personal perspective is different. I think the actual term is my viewshed, but I could be wrong, a practice I have explored in my 77 years of muddling along. Here we go:

  1. Google embodies the management methods of what I call a “high school science club.”
  2. The company had been purposeful when refining its “clever” search system and obtaining inspiration from the GoTo/Overture (later Yahoo) ad sales technology. Once that was achieved, the once sharp lens lost its ability to focus.
  3. The culture of the Google is interesting. Foosball, bean bags, volleyball, and car washes complement the weird caste approach to food. Change may not come easily into this good organization.

But maybe the write up is incorrect. Google is nothing more than the best managed online advertising outfit in the world. See. Money works to explain the reality. Blood? Hmmm. Possibly an overstatement?

Stephen E Arnold, August 15, 2022

Is the New Era of Timesharing Winding Down?

August 11, 2022

What kind of question is that? Stupid for sure. The cloud is infinite. The earnings bright spots for Amazon, Google, and Microsoft are cloud revenue and services. Google wants to amp up its cloud because sitting in third place behind the dorky outfits Amazon and Microsoft is not part of the high school science club’s master plan. And Microsoft cannot cope with Amazon AWS. Accordingly, Microsoft is chasing start-ups in order to be at the front of the ChocoTaco line for the next big thing. And Amazon? Fancy moves like killing long-provided services such as backup, making changes that will force recoding of some applications, and thinking about ways to increase revenue from Fancy Dan billing thresholds.

The cloud is the big thing.

If the information in “Why AI and Machine Learning Are Drifting Away from the Cloud” is on the money, one of those odd ball Hegelian things may be gaining momentum. The reference is to the much loved and pretty obvious theory that sine waves operate in the biological world. I am referring to the old chestnut test question about thesis, antithesis, and synthesis. Stated another way: First there was a big computer. Then there was timesharing. Then there was the personal computer. Then there was client server. That begot the new version of the cloud. The future? Back to company-owned and controlled computers. Hegelian stuff, right?

The article presents this idea:

Cloud computing isn’t going anywhere, but some companies are shifting their machine learning data and models to their own machines they manage in-house. Adopters are spending less money and getting better performance.

Let’s follow this idea. If smart software becomes the next big thing as opposed to feeding people, the big clouds will face customer defection and maybe pushback about pricing, lock in, and restrictions on what can and cannot be done on the services. (Yep, some phishing outfits use the cloud to bedevil email users. Yes, some durable Dark Web sites host some of their data on big cloud services. Yep, some cloud services have “inspection” tools to prevent misuse which may not be as performant as the confections presented in marketing collateral.)

With more AI, perhaps there will be less cloud. Then what?

The write up points out:

Companies shifting compute and data to their own physical servers located inside owned or leased co-located data centers tend to be on the cutting edge of AI or deep-learning use, Robinson [vice president of strategic partnerships and corporate development at MLOps platform company Domino Data Lab] said. “[They] are now saying, ‘Maybe I need to have a strategy where I can burst to the cloud for appropriate stuff. I can do, maybe, some initial research, but I can also attach an on-prem workload.”

Hegel? What’s he got to do with this rethinking of the cloud, today’s version of good old timesharing? Probably nothing. The sine wave theories are silly. Ask any Econ 101 or Poli Sci 101 student. And who does not enjoy surprise charges for cloud computing services which are tough to see through? I know I do.

Stephen E Arnold, August 11, 2022

Google Kicked Out of School in Denmark

August 11, 2022

Like its colleagues in the Netherlands and Germany, the Danish data protection authority has taken a stand against Google’s GDPR non-compliance. European secure-email firm Tutanota reports on its blog, “Denmark Bans Gmail and Co from Schools Due to Privacy Concerns.” Schools in the Helsingør Municipality have until August 3 to shift to a different cloud solution. We learn:

“In a statement published mid July, the Danish data protection agency expresses ‘serious criticism and bans … the use of Google Workspace’. Based on a risk assessment for the Helsingør Municipality, the data protection authority concluded that the processing of personal data of pupils does not meet the requirements of the GDPR and must, therefore, stop. The ban is effective immediately. Helsingør has until August 3 to delete pupils’ data and start using an alternative cloud solution. … This decision follows similar decisions by Dutch and German authorities. The issues that governmental institutions see themselves faced with started with the invalidation of Privacy Shield back in 2020. Privacy Shield was a data transfer agreement between the USA and the European Union and was supposed to make data transfers between the two legally possible. However, the agreement was declared invalid by the European Court of Justice (ECJ) in 2020 due to privacy concerns. One major problem that the EU court pointed out is that data of foreigners is not protected in the USA. The protections that are there – even if limited – only apply to US citizens.”

So the NSA can access the personal data of Europeans with far fewer legal safeguards than apply to US citizens. We can see how authorities in the EU might have a problem with that. As the Danish agency notes, such a loophole violates rights considered fundamental in Europe. Not surprisingly, this Tutanota write-up emphasizes the advantages of a Europe-based email service like Tutanota. It is not wrong. It seems Denmark has woken up to the Google reality. Now what about Web-search tracking?

Cynthia Murrell, August 11, 2022

How about a Decade of Vulnerability? Great for Bad Actors

August 10, 2022

IT departments may be tired of dealing with vulnerabilities associated with Log4j, revealed late last year, but it looks like the problem will not die down any time soon. The Register reveals, “Homeland Security Warns: Expect Log4j Risks for ‘a Decade or Longer’.” Because the open-source logging library is so popular, and is usually pulled in indirectly by other software, it can be difficult to track down and secure all instances of its use within an organization. Reporter Jessica Lyons Hardcastle tells us:

“Organizations can expect risks associated with Log4j vulnerabilities for ‘a decade or longer,’ according to the US Department of Homeland Security. The DHS’ Cyber Safety Review Board‘s inaugural report [PDF] dives into the now-notorious vulnerabilities discovered late last year in the Java world’s open-source logging library. The bugs proved to be a boon for cybercriminals as Log4j is so widely used, including in cloud services and enterprise applications. And because of this, miscreants soon began exploiting the flaws for all kinds of illicit activities including installing coin miners, stealing credentials and data, and deploying ransomware.”

Fortunately, no significant attacks on critical infrastructure systems have been found. Yet. The write-up continues:

“‘ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited,’ Thomas Pace, a former Department of Energy cybersecurity lead and current CEO of NetRise, told The Register. NetRise bills itself as an ‘extended IoT’ (xIoT) security firm. ‘Just because these attacks have not been detected does not mean that they haven’t happened,’ Pace continued. ‘We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.'”

Security teams have already put in long hours addressing the Log4j vulnerabilities, often forced to neglect other concerns. We are told one unspecified US cabinet department has spent some 33,000 hours guarding its own networks, and the DHS board sees no end in sight. The report classifies Log4j as an “endemic vulnerability” that could persist for 10 years or more. That is a long time for one cyber misstep to potentially trip up so many organizations. See the article for suggestions on securing systems that use Log4j and other open-source software.
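The tracking-down problem is concrete: log4j-core is often not a top-level file on disk but sits inside a WAR, EAR or fat JAR, so a search by file name misses it. The scanner below is an added example, not from the Register article or the CSRB report. It walks archives recursively, records the log4j-core version from its Maven metadata and flags any copy that still ships `JndiLookup.class` below 2.17.1 (that cutoff is this example’s assumption; adjust it to your own policy). The sample archives are constructed in memory, so it runs without real Log4j jars.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption for this example: log4j-core below 2.17.1 with JndiLookup present needs review.
MIN_SAFE_VERSION = (2, 17, 1)


def parse_version(pom_properties):
    """Extracts 'version=2.14.1' from Maven pom.properties as a comparable tuple."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(p) for p in parts if p.isdigit())
    return None


def scan_archive(data, label, findings):
    """Inspects one archive held in memory and recurses into nested jars (WEB-INF/lib, fat jars)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_LOOKUP in names
        version = None
        for name in names:
            if POM_PROPS.search(name):
                version = parse_version(zf.read(name).decode("utf-8", "replace"))
        if has_jndi or version is not None:
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup": has_jndi,
                "needs_review": has_jndi and (version is None or version < MIN_SAFE_VERSION),
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)


def scan_tree(root):
    """Scans every archive under a directory; use this against a real application tree."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_archive(version, include_jndi=True, wrap_in_war=False):
    """Constructed sample: a stand-in log4j-core jar with only Maven metadata and a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    jar = buf.getvalue()
    if not wrap_in_war:
        return jar
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar)
    return outer.getvalue()


def demo():
    """Runs the scanner over two constructed inputs: an old jar and a patched jar hidden in a war."""
    findings = []
    scan_archive(build_sample_archive("2.14.1"), "app/lib/log4j-core-2.14.1.jar", findings)
    scan_archive(build_sample_archive("2.17.1", wrap_in_war=True), "app/webapp.war", findings)
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two caveats a practitioner will hit immediately: shaded or repackaged copies of Log4j may not carry the Maven metadata, which is why the scanner also keys on the class path and reports `version: None` rather than staying silent, and the scan only sees what is on disk, not what a container image or a vendor appliance loads at runtime, which is the gap the Register’s ICS quote is pointing at.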

Cynthia Murrell, August 10, 2022

Microsoft Teams: The Disconnect between Users and Features

August 5, 2022

I have mentioned that “free” Microsoft Teams does not work on my Mac Mini, which I use for FaceTime, Zoom, and WebEx meetings. The Massachusetts Attorney General knows about my problems first hand. Let’s just say that there were fewer than 30 investigators who recognized that Microsoft and Apple are not exactly in sync.

I read “Microsoft Says It Added More Than 450 New Teams Capabilities in the Past Year.” In the past year, there have been some issues with Windows updates killing printers and a few trivial security gaffes. Hey, who is trying to make a league table of Microsoft software vulnerabilities? Not me.

The write up states:

officials also updated investors on Teams momentum a bit, saying they’ve added more than 450 capabilities over the past year.

As for which technological gems were added, the write up concedes: “It is unclear what ‘Teams capabilities’ means, but that can cover things across chat, meetings, integrations with Microsoft Viva, and a lot more.”

Okay, unclear. I did a quick search on Swisscows.com for Microsoft Teams features. Here are a few of the precious stones presented to me:

  1. Adjust filter brightness
  2. Background blur
  3. A horizontal participant gallery
  4. A customer lockbox
  5. Day view in calendar
  6. Anonymous meeting join across clouds

And more than 440 more important additions.

My view is very simple. Why not get Teams to work for those who are using Mac Minis? You know. Basic functional reliability. Microsoft Teams, like Zoom, is essentially a telephone call, right? And why not get that printer thing fixed? And security? I think that particular issue is unfixable. Sorry but that’s just my opinion, not a PowerPoint about Microsoft’s security capabilities. PowerPoints are easy. Delivering what customers and users want is much more difficult.

Do the MSFT priorities pursue the trivial, not the substantive?

Stephen E Arnold, August 5, 2022

Salesforce, Alibaba, and China: Is an Enterprise Superapp the Goal?

August 4, 2022

I read an announcement about a tie up among Salesforce, Alibaba, and whoever is overseeing the high profile online outfit. “Salesforce Shutters Hong Kong Office, Leans on Alibaba in China” reports:

As a result of its tightened partnership with Alibaba, Salesforce is “optimizing our business structure to better serve the Greater China Region” and “opening new roles while eliminating some others,” the spokesperson said. The company’s career page shows it’s currently hiring a product management director and a senior software engineer in the southern Chinese city Guangzhou, where it placed its tech team.

The cited article points out:

Salesforce’s interest in China lies in serving international businesses localizing in China, but it can’t do it alone due to the country’s intricate regulatory restrictions.

What will Alibaba do?

Alibaba will be taking over the firm’s sales in mainland China and Hong Kong, while Taiwan will fall under the management of its Singapore office…

Several observations:

  1. Like Oracle, Salesforce is taking steps to make sure it is able to operate in some acceptable way in China
  2. The technology for these deals is probably sealed in a quantum secure container so that “partners” are unable to learn what’s in the black boxes. (Well, that’s the hope?)
  3. China faces some challenges, and it is possible that Alibaba’s overseers could make helpful suggestions which make this tie up less attractive, or completely unattractive.

What happens if Alibaba integrates Salesforce functionality into its apps and services? Will we have a commercial superapp purpose built for China and companies permitted to operate in the Middle Kingdom?

Net net: Nah, just “lean on” and lean in.

Stephen E Arnold, August 4, 2022

Forget Fragile: The Future of Tech Means Failure … Maple Leaf Own Goal

August 4, 2022

Canada presages the future. Syrup, uranium mines, tar sands, and Rogers: the backbone of Canada. Maybe I should not include Rogers in the list after reading “How a Coding Error Caused Rogers Outage That Left Millions Without Service.” I learned:

a coding error was introduced that triggered a cascade of events, resulting in a massive outage that left millions of Canadians without cellphone, internet or home phone service for at least a day. The shutdown of one of Canada’s dominant telecommunications networks created widespread chaos.

Now Rogers is not alone with the own goal problem. I noted “Major Microsoft 365 Blackout Raises Tough Questions for Software Giant.” And lest we forget, “Google, Oracle Cloud Servers Wilt in UK Heatwave, Take Down Websites.”

I know I have heard presentations in which really rich people have explained that chaos creates opportunities. These people should know. I was an advisor to an individual who had at one point more than $9 billion. (Alas, he has been removed from the hockey game of real life. Maybe a rest home near a lake? I have lost track of the wizard.)

Yep, chaos, disruption, problems that scream for solutions. An investment wonderland, but what about those who simply empty the trash in wonderland?

The future, it appears, rests with individuals who are responsible for a single keystroke. Put the == in the wrong place and one does not output user satisfaction. According to the Rogers’ story, one gets no emergency phone service, no WiFi (pronounced in some parts of Canada wee fee which I love), dead Interac debit machines, and – of course – no phones. (Teens with Rogers mobile services were apparently unhappy.)

And the promised fix?

This Sunday [July 24, 2022], in an open letter to customers, Rogers CEO Tony Staffieri vowed to invest more in testing, oversight and artificial intelligence to improve the reliability of the company’s networks. He put the price tag of the changes at around $10-billion over three years.

Yeah, smart software and oversight. By whom? GenXers and GenYers? Perhaps the tooth fairy?

Several observations:

  1. Telcos and cloud services like Rogers apparently believe their own marketing babble about fail over, redundancy, and uptime. Belief, as the article makes clear, is not reality in the zippy world of big time telco clouds and services.
  2. The idea that the best, the brightest, and the smartest technical professionals work tirelessly to keep the service online earned an F as in Failure. No front row seat in the advanced class for these whiz kids.
  3. The customers who missed tornado warnings, a report about a dangerous person, or what to pick up from Canadian Tire en route to the campground in Saskatchewan were in the communications dark.

Net net: Big companies forget the old rhyme:

For want of a shoe, the horse was lost. For want of a horse, the rider was lost. For want of a rider, the battle was lost. For want of a battle, the kingdom was lost, And all for the want of a horseshoe nail.

The nail was a single error in a single line of code. Thus, the future: Chaos or opportunity. You choose. I am glad — thrilled, in fact — that I am old and will miss the future. Have fun!

Stephen E Arnold, August 4, 2022

Time Travel in the Datasphere: Lock In Is Here Again

August 3, 2022

“Lock in” was a phrase I associated with my university’s data processing and computer center in 1962. I was a 17 year old freshman, and I got a tour of the school’s state of the art IBM mainframes located in one of the buildings in the heart of the campus. Remember I went to a middling private college because I fooled some scholarship outfit into ponying up money to pay for tuition and books. That still amazes me 60 years later.

I do remember looking at the IBM machines lined up inside a room within a room. A counter separated the “user” from the machines. Another room held three keypunch machines. There was a desk with a sign in sheet and a sign that said, “Help wanted.” Hey, even then it was clear that money was to be had doing the computer thing.

The tour was uneventful. Big machines blinked and hummed. The person giving the tour did not want to explain anything to a small group of students who qualified to enter the digital sanctuary. No problem. I got it. If a person wanted to use a computer, one had to work in the computer center. It was infinitely better to work behind the counter, wear a white lab coat, and stuff the front pocket with pencils. I was in. I even wore a slide rule strapped to my belt like Roy Rogers with a math fetish. Quick log, Stephen was my moniker.

I learned very quickly that using computers was done the IBM way. Don’t bend, fold, spindle, or mutilate. Don’t push buttons on the keyboard unless you knew what that key press did. Don’t think about learning anything about any of the other computing devices. IBM was the way. Why? The funding for the computer center and much of the engineering department came from an outfit engaged in manufacturing equipment to produce big holes in the ground or eliminate pesky trees from the path of the Trans Amazon Highway. The company was an IBM outfit.

Ergo, lock in. My mind was locked into IBM. Even today if someone mentions an MIT LINC, I am quick to snort. Hey, big iron.

Well, lock in is back, and there are many Millennials, GenXers, and whatever other category marketers use to describe young people who don’t know about lock in. Navigate to “A Third of Businesses Feel Locked In to Major Cloud Providers.” The write up explains that lock in is here again:

new research from Civo shows that 34 percent of users feel locked into the services these major providers deliver, with 65 percent of these saying that data transfer costs are too expensive for them to move off their current cloud.

This is the goal of lock in. Switching costs are too high. A lousy economy provides an endless parade of people who think that those low entry fees for the cloud will persist. Then the lucky customers discover the joy of per unit transactional pricing. Now the deal is more expensive than other ways to access computers and software. But to kick the cloud habit, one has to do more than spend a month in rehab. One must reengineer, invest, plan, and be smart enough to actively manage complex systems.

Yep, lock in.

That 34 percent figure may be bogus. But one thing is absolutely certain. More companies will embrace the cloud and find themselves with me, back in the university’s computer center, learning that there is one way to do computers. What’s amusing is that lock in is here again. Too bad IBM was not able to become the big dog. But the IBM notion of lock in lives on. And for some today, it is as fresh and new as a Rivian truck. There is one difference. That 1962 computer set up was actually pretty reliable. Today’s cloud systems are a work in progress. Choose cloud providers wisely. Digital divorces, like real world divorces, can be messy, expensive, and damaging.

Stephen E Arnold, August 3, 2022
