Brilliant retweet from John Kovalic:

Sep. 23rd, 2017 09:06 am
[personal profile] thewayne
Originated by: Oktoberfest Hero @Palle_Hoffstein

A whole lot of folks on here believe society doesn't owe anyone a job or health care but somehow believe women owe them a date.

Sep 22, 2017

I know I couldn't have said it better meownself.

More on the iOS 11 update

Sep. 20th, 2017 06:26 am
[personal profile] thewayne
I learned last night that apparently my iPad can take the update, so apparently it is an iPad Mini 2. So that's cool. And I may go ahead and risk upgrading my phone. I'm pushing my departure back to Thursday from Wednesday: I didn't get everything done that I needed to do, including reviewing five long boxes of comics in case there's anything that I want to keep (possible but not very likely), and the difficulty of loading my car since I recovered four banker boxes of comics from my storage unit yesterday afternoon. I'm not sure if it's all of my comics, I know there's three or more long boxes at my parents' that I'll deal with when I get there, but that'll be a vast bulk of them and a lot of space recovered.

On top of that, only 3 hours of sleep last night. AND one of the nose pads fell out of my reading glasses. Found the nose pad, fortunately I have a spare screw from a previous broken set of reading glasses.

I forgot to mention a new feature of iOS 11 that should be interesting: you have a Do Not Disturb mode for driving: anyone texting you receives an autoreply saying that you're driving and will get back to them later. I like that. Definitely appealing when you're about to set out on a 500 mile drive. I'm doing a different outbound route that a friend says is much more picturesque, so we'll see. It's also rather cellular dead, which causes me a slight amount of apprehension. Just need to fuel up and hit the restroom before hitting that 200 mile stretch.
[personal profile] thewayne
Maybe that was midnight Cupertino time, I don't know. Regardless, both of our iPads are too old, as is my wife's iPhone 4S. That leaves my iPhone 6 as the only device that can run it, and since I'm about to head for Phoenix and I won't have my iMac with me for a system restore should something glitch, I think I'll hold off a bit. For that matter, the new MacOS is supposed to drop in a couple of days, and I won't be upgrading to that until I get back from Phoenix, so I'll probably just do a device upgrade frenzy when I get back.

Some of the features in iOS 11 are pretty cool. I like the 'press the power key 5 times to disable the fingerprint reader', definitely cool. It doesn't materially affect me as I don't use the fingerprint reader to unlock my phone, but that's OK. And they've apparently made the reverse video mode more intelligent for not reversing images, which is good. I really wish they had an override for web pages and such so you could force white letters on black background, for example. That's what I love about Ars Technica and hate about most others, I find white on black to be much easier on my eyes.

But I DO NOT like updating my phone apps over WiFi (as I wrote about last week), I thought loading apps through iTunes was easy and one-stop syncing. They've just increased the hassle and it's likely to increase the time between me doing updates from daily to weekly or monthly or whenever. Which increases potential security vulnerabilities, which ticks me off. iTunes should be a framework that supports plug-ins, then all they'd have to do is write a plug-in that reads the app store for just iPhone/iPad/Watch apps, and re-casts them into the iTunes framework. It's still just one app store, it just looks like two.

Twits.

GET OFF MY LAWN! Kids these days.

(In a totally unrelated incident, I got "Sir'd" last week! I was sitting in a barber shop waiting for my guy to finish with his current client, and the other guys started talking about horror movies. I'm not a big horror movie fan, so I didn't participate until later. Now, this barber shop is an actual barber shop, not a hair salon, run by 30-somethings with tattoos up to their necks and possibly beyond, smoking their e-cigs and playing that reissued Nintendo Classic that came out last year when they're slow. I don't really care. So what if they're young. I piped up about some movie, I don't remember what, throwing in my $0.002 worth, and this one barber later comes over and apologizes, saying that he didn't know that he had an older gentleman in the shop and they wouldn't have been talking like that if they'd known! Yes, dude, I'm 55, and some day you'll be there, too, if you're lucky. Maybe I'm moving towards the far side of middle-age, but trust me, though I am growing older I definitely have not remotely grown up. In my headspace I'm still a 30-something, though my body constantly reminds me that I am not. I laughed at him, reassured him that I was not offended, then told them a pretty grisly story about a quietly spectacular suicide that happened while I was working for the police department. The crime lab was in the basement as was computer services, and the car that this guy offed himself in was so pungent that finally I told my boss that I'm taking off for the day. The fire department later used that car as burn practice.

I'll go into no further details, unless people want it, in which case I'll put it in a new post under a cut.)
[personal profile] thewayne
Apparently. In March they brought in the company that is investigating the May-July breach. These seem to be the same intruders.

From Slashdot:
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)
Posted by BeauHD on Monday September 18, 2017 @05:20PM from the earlier-than-expected dept.
Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report:

Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.


https://it.slashdot.org/story/17/09/18/230234/equifax-suffered-a-hack-almost-five-months-earlier-than-the-date-it-disclosed

The Bloomberg original story has auto-start videos.
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
[personal profile] thewayne
A proof of concept of this was revealed some months ago when a Burger King TV commercial said "Siri, tell me about the Whopper". Maybe it was Hey Google, I don't remember. Anyway, it was rapidly blocked, then BK came out with another commercial and they had a little war back and forth. And BBC apparently tries it with "Hey Siri, remind me to watch Doctor Who on BBC America." I was particularly amused at "Hey Siri, remind me to watch Broadchurch on BBC America" during the final episode of the series. I burst out laughing when that ad aired and had to explain it to the spousal unit. And as Sam Clemens said, or is alleged to have said, 'Analyzing humor is like dissecting a frog: you can do it, but the frog isn't good for much afterwards.'

Well, the Chinese have found another way: pitch the audio above the range of human hearing. The microphones can still catch it, and the command works. Now, I don't have voice-activated Siri on my iPhone, I have to hold down the button because I find that, for me, for the most part Siri is garbage. I don't think it's my enunciation, but maybe it is.

Makes me wonder if they'll put in a filter to cap mic input to 18-20 kHz or so to prevent this sort of abuse.

I read about this last week, perhaps on the day that I went down to help out that medical practice with their ransomware attack. The clinic was handling their last patients of the day, and the office manager was running the front desk, and was using his iPhone with Siri voice commands. He looked a little shocked when I told him about this attack.

https://apple.slashdot.org/story/17/09/06/2026247/hackers-can-take-control-of-siri-and-alexa-by-whispering-to-them-in-frequencies-humans-cant-hear

Here's the Slashdot summary:

Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon's Alexa assistant. From a report:

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn't just activate basic commands like "Hey Siri" or "Okay Google," though. They could also tell an iPhone to "call 1234567890" or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to "open the backdoor." Even an Audi Q3 could have its navigation system redirected to a new location. "Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user," the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.
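The post above wonders whether capping microphone input at roughly 18-20 kHz would stop inaudible commands. Here is an added example of the detection side of that idea; it is not code from the post, from the DolphinAttack paper, or from any of the vendors named. It estimates how much of an audio frame's energy sits above an 18 kHz ceiling, using the Goertzel recurrence on a Hann-windowed frame so it needs nothing beyond the standard library, and runs on constructed sine tones rather than captured microphone audio. The 48 kHz sample rate, the 18 kHz ceiling, the 10% threshold and the function names (`inaudible_fraction`, `flag_inaudible_command`) are my assumptions.

```python
import math

# Assumed parameters (not from the post): a 48 kHz capture path and an
# 18 kHz ceiling for "audible" content, matching the post's 18-20 kHz idea.
SAMPLE_RATE = 48_000
FRAME = 1024
AUDIBLE_CEILING_HZ = 18_000


def synth_tones(freqs, n=FRAME, fs=SAMPLE_RATE, amp=0.5):
    """Constructed test input: a sum of equal-amplitude sine tones.

    Stands in for one frame of microphone samples; it is not captured audio.
    """
    return [sum(amp * math.sin(2 * math.pi * f * i / fs) for f in freqs)
            for i in range(n)]


def _hann(n):
    # Hann window: keeps spectral leakage from a low tone out of the high band.
    return [0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]


def goertzel_power(samples, k):
    """|X[k]|^2 for DFT bin k via the Goertzel recurrence (no numpy needed)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_energy(samples, fs, lo_hz, hi_hz):
    """Sum of bin powers whose centre frequency lies in [lo_hz, hi_hz]."""
    n = len(samples)
    windowed = [x * w for x, w in zip(samples, _hann(n))]
    lo_bin = math.ceil(lo_hz * n / fs)
    hi_bin = min(n // 2, math.floor(hi_hz * n / fs))
    return sum(goertzel_power(windowed, k) for k in range(lo_bin, hi_bin + 1))


def inaudible_fraction(samples, fs=SAMPLE_RATE, ceiling_hz=AUDIBLE_CEILING_HZ):
    """Share of the frame's spectral energy sitting above the audible ceiling."""
    if len(samples) < 2:
        return 0.0
    total = band_energy(samples, fs, 0, fs / 2)
    if total == 0.0:
        return 0.0
    return band_energy(samples, fs, ceiling_hz, fs / 2) / total


def flag_inaudible_command(samples, fs=SAMPLE_RATE, threshold=0.1):
    """True when enough energy lies above the ceiling that the frame should be
    dropped (or logged) before it reaches the wake-word / speech recogniser."""
    return inaudible_fraction(samples, fs) > threshold


if __name__ == "__main__":
    for label, freqs in [("speech-band tone", [1000]),
                         ("ultrasonic carrier", [21000]),
                         ("mixed", [1000, 21000])]:
        frame = synth_tones(freqs)
        print(f"{label:18s} inaudible fraction={inaudible_fraction(frame):.3f} "
              f"flag={flag_inaudible_command(frame)}")
```

This is a detector rather than a hard filter: a frame with most of its energy above the ceiling is something a voice assistant can refuse to act on, and the ratio is also a useful thing to log. Whether it catches a real attack depends on where in the audio path it runs; if the microphone hardware has already demodulated an ultrasonic carrier into the speech band before sampling, a software-side check like this sees only whatever ultrasonic residue survives.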
[personal profile] thewayne
and apparently did not have an IT background. Her LinkedIn profile has been deleted, and apparently an effort is being made to purge her from the internet. It won't be entirely successful, but it'll slow information retrieval down. The article mentions that she spent 14 years in industry, we don't know in what industry, which means she could have picked up a fair amount of IT knowledge, but not as much as if she'd studied IT and gotten a degree and a CISSP cert.

http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

https://it.slashdot.org/story/17/09/16/0244211/equifax-cso-retires-known-bug-was-left-unpatched-for-nearly-five-months


Also, scammers are calling people at random, claiming to be Equifax, wanting to verify your information. Obviously Equifax has better things to do right now than call you. Just hang up, don't give them your name or the time of day.

https://arstechnica.com/tech-policy/2017/09/ftc-opens-equifax-investigation-says-beware-of-equifax-calling-scams/


ETA: Apparently the Internet Archive Wayback Machine never cached her LinkedIn page, more's the pity. It says it has a page from September 9, but nothing is retrieved when you click on it.

Let's talk about the Equifax hack

Sep. 15th, 2017 04:37 pm
[personal profile] thewayne
It is indeed a doozy, perhaps the largest data privacy leak in history. Equifax has been collecting information on people for decades, and they do it without our express permission. But at the same time, they are used for credit scores and to generate bank decisions for our getting loans and such. Yet I never signed a contract with Equifax allowing them to collect information on me.

And they have, through zero fault of my own, personally screwed me over.

A couple of years ago my wife and I decided to shop car insurance. Our current insurer was doing some corporate shenanigans that we didn't care for, and it should have been possible to shave some bucks off our premiums, and it never hurts to shop. I called the car club AAA, we ran through my information, and they told me that they couldn't take me because I had three accidents on my record. I'm accident-free. Equifax had taken three accidents OF MY FATHER, whose name is Andrew Donald, and put them on my record, where my name is Donald Wayne. We lived at the same address some years back, but I was living in New Mexico at the time of the accidents and have never owned a Buick. As it happens, we were born in the same month, but not on the day and clearly not in the same year. No two digits in our birth date or year are the same. There's no reason to conflate us and put the accidents onto my record, except for pure sloppy processes.

So I have a pretty poor opinion of these credit bureaus.

What happened to Equifax is pretty simple. They built their data framework on an open source software package called Apache Struts. Like virtually all software packages, bugs are found and patches are issued. A particularly big problem with Struts was first patched in March, but the intruders were in Equifax's system from mid-March through July - approx 2.5 months. Thus it is perfectly reasonable for Equifax to blame open source software for its breach. [sarcasm off] Struts is a framework for Java programs to run either on servers or web browsers, and after updating the framework you have to recompile literally hundreds of programs, and doing that would be a tremendous PITA, but it MUST be done, otherwise shit like this happens. Apparently some management at Equifax didn't like to pay overtime, and now they have to cope with a tremendous amount of shit.

In some late-breaking news from this afternoon, Equifax's Chief Information Officer and Chief Security Officer are both "retiring", proving that for once, shit started at the top. In "there is occasionally some justice, or perhaps there will be" news, the Federal Trade Commission is investigating the breach. It will be interesting to find out what they learn, assuming they ever issue a report. I wonder if Congress will hold public hearings. The breach is being compared by some news agencies to Enron. According to the Reuters story, "Shares of Equifax fell 2.4 percent on Thursday and trading volume hit a record high. The shares have lost 32 percent since the company disclosed the hack on Sept. 7.

Senate Democratic leader Chuck Schumer compared Equifax to Enron, the U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud."


But you see, this is not just a problem for people in the USA. Equifax holds information for people in Canada and Mexico. And Argentina, and possibly other Latin American countries. And the BBC is reporting that 400,000 UKians have information that was compromised in the theft, but their information exposure was minimal and should not lead to identity theft. Well, we'll see about that! In Argentina, apparently Equifax's software used the highly-[in]secure account/password combination of admin/admin.

This is one of my favorite stories, and it may be behind a paywall since it's from the Wall Street Journal. Here's the Slashdot summary:

Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

The title of the story is "Equifax Lobbied for Easier Regulation Before Data Breach"; it's by Michael Rapoport and AnnaMaria Andriotis. If you do a little searching, you might be able to find a copy.

Now, the breach itself is extremely bad. If you were compromised, and there's a very good chance that you were, then the information that was stolen includes: your full name, social security number, previous addresses, list of jobs, all sorts of amazing things. Information about you that never changes. Information about you that you use to apply for credit cards, loans, mortgages, JOBS. The best thing you can do is to approach all four credit bureaus and put a FREEZE, not monitor, but FREEZE your credit. That means that no credit can be taken out in your name without postal correspondence going back and forth with your house. No credit reports can be pulled. It's about the best that you can do. Brian Krebs has an excellent post that he has to pull out a few times every year to discuss this. Definitely worth a read. Me? I'm unemployed. Banks would have to be idiots to issue credit under my information, still, I plan on freezing my accounts.

But that's not the worst.

For reasons unknown, Equifax had credit card transaction information, 200,000 transactions worth dating back to last November, sitting on their servers, apparently unencrypted. Massive violation of PCI compliance rules.

And who knows, there may be more yet to come.

I won't bother providing links to the stories about your surrendering your right to sue if you signed up for their monitoring service, that's been rescinded. There were at least two class-action lawsuits in development, along with a couple of States Attorneys General beginning investigation.

One more thing to mention: an op ed piece by Bruce Schneier, a very well-known and respected expert on encryption and privacy. He has some facts wrong, I think he wasn't as well-versed on the scope of the breach as perhaps he should have been when he wrote it. But at the beginning of the piece he talks about how the public are not customers of Equifax, we are what is being sold, and we have no say in the matter. And there are THOUSANDS of data brokers out there that we can't come close to naming all of them.

Equifax's feet will be in the fire for some time, I imagine.
[personal profile] thewayne
[ETA: probably applies if you use Windows also, I just don't know how iTunes and iPhone/iPad apps update on that platform]


Well, you can if you want, but you need to be aware of what it means.

The update is intended for iOS 11, which is due later this month when the new iPhones release, so you don't need it right now, and it REALLY changes one thing that's really important to me: app updates. In the brave new world, you will now have to open the App Store app on your device, click on Updates, then update individually or click on Update All. Personally I think this will greatly reduce the rate at which people update their apps.

Myself, I don't like this. I use iTunes every morning to refresh podcasts and update apps, then I resync my phone. All done. Now I still have to go through the iTunes process, but now I have to go through an additional process on my phone and iPad? And where is the phone/iPad backup stored in case I need to restore it from scratch, admittedly a rare procedure. I DO NOT want to store an iPhone backup in the cloud as that is something that could be made available to government, I want that backup on my personal computer.

I hope there's enough caterwauling that Apple backs off on this and re-integrates app updates into iTunes. Maybe they will, maybe they won't. I'm definitely not happy with their decision.

Just be aware that the App page is no longer present in the new version of iTunes. Now I have to decide if I want to do a backup reversion on my laptop to get the old version of iTunes back.
Page generated Sep. 25th, 2017 02:40 am
Powered by Dreamwidth Studios