go to sections menu

The Technology blog and podcast

This is for the technology blog and podcast Commentary, articles, and podcasts

header picture for Ingegno theme

You are here: January 2022

Go to Homepage [0], contents or to navigation menu

Olympic app riddled with problems that the IOC says are not problems

I’ve been contemplating this article for several days, and I did write up the show notes for the up coming Security Box show notes for this though.

The problem is, that we really haven’t covered olympic security although there may have been a mention in podcast 47 as olympic did give one result.

Be that as it may, this is going to probably be the biggest thing I think we’ve covered, even if past podcasts and show notes and the like of older podcasts may have been lost.

In today’s article, we’re going to talk about an app called “my 2022” which the IOC is touting as being just fine, and the people who looked at it telling them that it is fine.

One of our DJ’s here at the mix contacted me in regards to this as he heard about it briefly through WGN in Chicago. As I remember talking about this in other aspects which I can’t find at the moment, it reminded me of different types of stories like ones covering web sites with malicious flash players to watch the games and other types of stories.

The article this time is titled: Toronto lab finds security vulnerabilities, censorship framework in Olympic app and it comes from the CBC in Canada.

Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.

The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, found a “simple but devastating” flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.

Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.

This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.

“The worst-case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.

According to the article, the organizers are requiring every single person to download this application.

The researchers also mentioned that it sends highly sensitive data, but is unclear who gets that data. This is concerning, as later in the article we learn that the IOC says that they had people check it and also asked for the research paperwork.

The update in January indicates that there were no changes to the claims talked about in the article, and that it may be worse now.

The article also talks about a keyword list which may or may not be active talking about Jews and other things being sensored. but not proven. But, the real paragraph is the kicker for this discussion.

The IOC noted it has conducted independent third-party assessments on MY2022 with two cyber-security testing organizations and found there are no critical vulnerabilities in the app.

Really? You’ve done independent reviews and this has not come up? How could this be?

Not surprisingly:

The Beijing Organizing Committee did not respond to a request for comment.

While we’re at it, there’s plenty more, so I suggest that you read the article, as every time I think about this, the angrier I get as the IOC claims its their app and wants to claim ignorance.

Oh yes, did I mention the SSL issues they talked about too? Probably not, but that’s OK, its talked about in the article.

Let the comments begin.

Comments (0)

The Security box, podcast 78: Windows Update includes a Wormable Flaw

The Security box, podcast 78: Windows Update includes a Wormable Flaw

Hello folks, welcome to the Security Box, podcast 78. Here is the download of the Security Box for this week.

While I was alone, I know that people may find the program of value, so I am releasing it and of course, the replay is available on Clubhouse through my network club if you want to view the raw recording and see who may have popped in during the program.

I didn’t have any guests, but that’s ok. The file is 93.6mb.

Now, here are the show notes.

Welcome to podcast 78 of the Security Box. As we do typically on the podcast, we spend some time catching people up on what has been going on in Redmond, Washington with Windows Update.

We’ve only got one article, however, News of the week for January 14th has the other article.

‘Wormable’ Flaw Leads January 2022 Patch Tuesday comes to us from Krebs on Security, and it covers this huge problem and others across Redmond and others too.

Please feel free to send your messages, topics and the like for consideration. Thanks for listening!

Thanks so much for listening, and make it a great day! I hope you’ll enjoy the program as much as I have bringing it to you.

I’ll have more blogging later on.

Comments (0)

Microsoft fixes patch, broke VPN services

This probably doesn’t happen too much, but i ran across a story on Ars Technica while looking for something else we’ll be covering.

The article is titled Microsoft fixes Patch Tuesday bug that broke VPN in Windows 10 and 11 which is a good thing. Its an out-of-band patch which you should at least know about if you’re interested.

I hope that this finds you well.

Comments (0)

Sans News Bites, January 18, 2022

This is the web link for Sans News Bites for January 18, 2022. The newsletter has thoughts on the recent arrests of REvil members and other stuff that might be of interest to you.

The top story is the one that interested me, but I agree that this isn’t enough. We know that Russia is probably up to no good, yet they arrested their own after careful cooperation plans that included us not metaling in the Ucrain problems I heard about in yesterday’s room on clubhouse.

What do you guys think about this or any other aspect of the newsletter?

Comments (0)

I call Spam on this one: telling someone to email to a domain that doesn’t exist among other things

I’ve received one cease and desist article in my entire life, and while I know why, it was something that I didn’t find threatening. It was many years ago and it was in regards to sinulcasting a station I happened to listen to at the time.

This, however, is very suspicious. Asking Siri about the 88 number, it indicates that it is a prefix for Bulgaria.

This guy also puts the same message in both sections of my form, as well as asking if I got his prior email. I didn’t because I don’t even recognize the name. There’s more I’ll talk about, but get a load of the message below.

Below is the result of your feedback form. It was submitted by () on Tuesday, January 18, 2022 at 15:30:59

Name: John Lucas
phone: 88486517526
contact_method: phone
bug: no
additional_bug_info: Greetings, My name is John Lucas, I have been waiting for your response regarding the message I sent you about my late clients investment/assets. Please kindly get back to me because I have received the final notice by the bank regarding his assets If you happen not to receive my previous message, let me know so that I can resend it for you to read and understand the deal in full and what is required of you. Contact me strictly on my E-mail: Kind Regards, Barrister. John Lucas (Esq) Legal Practitioner & Solicitor. SPAIN, UK, SWEDEN, USA & GERMANY Address: Castellon de la Plana 201, 28006, Madrid ? Spain
comment_or_question: Greetings, My name is John Lucas, I have been waiting for your response regarding the message I sent you about my late clients investment/assets. Please kindly get back to me because I have received the final notice by the bank regarding his assets If you happen not to receive my previous message, let me know so that I can resend it for you to read and understand the deal in full and what is required of you. Contact me strictly on my E-mail: Kind Regards, Barrister. John Lucas (Esq) Legal Practitioner & Solicitor. SPAIN, UK, SWEDEN, USA & GERMANY Address: Castellon de la Plana 201, 28006, Madrid ? Spain

submit: Submit comment or question to the Jared Rimer Network

HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.54

Next, this guy puts the text of my form within the body to submit the form to the network. My legit forms don’t have that, I’ve never seen it, so don’t understand why they put that in there.

The IP adress according to abuse IP DB is coming from Sweeden, and the first abuse report matches what I see.

Now, the domain. I went to the web site mentioned., it doesn’t even exist! You can’t send an email to a domain that doesn’t exist! I figured there must be a new business around so figured I’d call them and tell them that someone was using their domain for Spam. But the domain doesn’t even exist.

And, why do they have to put the same message in the bug reporting section of my form when they indicate there’s no bug? That is irritating. Just saying!

Anything else you saw about this that you don’t like? Sound off in the comments or send me an email! Contact info is on the blog, I forget which page its on though. Have a good one!

Comments (0)

Windows Update: Wormable flaw on the loose, Other software too

Hello folks,

A little late, I’ve got Krebs on Security’s article on Windows Update. My computer last week called for a reboot, so I did it.

There are several CVE numbers given within the article.

‘Wormable’ Flaw Leads January 2022 Patch Tuesday is the article.

We’ve got already over 21,000 CVE’s and we’re in the middle of the month of January,, approaching the end. This necessarily can’t be good, but at the same time it is, as more bugs are getting fixed.

Hidden in This Week in Security News – January 14, 2022 from last week, Trend Micro also has a blog entry talking about Windows Update but I don’t see it in my feed. They do have other news in here that may be of interest, so take a look and see what interests you.

Comments (0)

The Security box links, podcasts 62-76

Hello everyone,

Its been quite awhile since we have been able to release podcast links directly. Sendspace at one point had to protect their infrastructure with a captcha, which broke the wizzard.

I could still use it through the web, but it was a bit hard to do as I put stuff within folders of folders in spots, and I always had to go get a cookie to even get it to work.

With that said, I went to do some stuff and tried the wizzard again after logging in to do what I needed to do, and it worked as it once had before. I sent Sendspace an email and thanked them for fixing it so we can use the wizzard once again.

Below, please find links to the podcasts I did not get links to, and feel free to leave those comments!

As always, we appreciate everyone who has come along on the security landscape and we hope you’ll continue to listen and learn just like we’re doing. There’s always something to learn, and I love learning along with you all.

I’ll continue to blog and provide information and thoughts as much as I can, and feel free to join me on the ride.

Comments (0)

The Security box, podcast 77: Google, why is this not a critical bug?

Hello folks,

Its time to bring some good news around here. We’re now able to return to bringing you direct links to the show, and this podcast will have that link. I’ll also post later on with links to prior shows that we couldn’t get links for until now.

We thank SendSpace for allowing us to use their platform, and the wizzard works once again.

As for the program, thanks to all who participated, and we even have at least one listen through replay so thanks very much for listening through Clubhouse.

As usual, the RSS feed has the program.

Here are the show notes for podcast 77.

Hello folks, welcome to the security box, podcast 77. Google fixes nightmare Android bug that stopped user from calling 911 is our main topic of today’s program, but I also cover other tech and other odds and ends too. We did have one guest available to chat with us, and we thank them for coming. We hope you enjoy the program and the few tracks at the end, and thanks so much for listening!

Here is the 86.35mb file for everyone to download.

Thanks so much for reading, participating, and listening!

Comments (0)

IOS 15.2.1 now out, no fixes for blind users

Hello folks,

Last night, I was notified of an update to IOS to 15.2.1. Apple Vis does have a small write up. One of the bugs fixed was dealing with messages and photos not loading via Icloud. The second talks about third party car play applications not responding to input.

The blog post talks about how to update IOS to the latest release.

I hope that this information is of value to you!

Comments (0)

Webinar: Nuclear Ransomware 3.0: We Thought It Was Bad and Then It Got Even Worse

Knowb4 is hosting a Webinar titled Nuclear Ransomware 3.0: We Thought It Was Bad and Then It Got Even Worse which will be on Wednesday, January 19th at 2 PM ET, 11 am PT. The webinar is an hour, and this is going to get interesting.

As part of the segment I’ve recorded for this week’s Throwback Saturday Night I mentioned the subject line and mentioned that I had not read the email.

Well, I did, and this is a webinar and it looks like its going to get interesting.

  • Host: Roger Grimes
  • What you’ll learn:
  • How ransomware is evolving beyond double extortion, what’s coming next
  • Proven best practice defenses that you need to follow to avoid becoming a victim
  • How to empower your users to be the best, last line of defense when everything else fails
  • Register for the event through this link
  • This means that the Security box will happen after the event is over, so I’ll schedule it between 12 and 12:30 PM US PT, 3 and 3:30 ET, and 2 and 2:30 CT.

    I hope you can join me, as I hope we can learn a lot. Thanks so much for reading!

    Comments (0)

    An app developed to get us to bus stops

    One of my buddies sent me this article titled Next Stop on the App Store: Artificial Intelligence Mobile App Helps People With Low Vision Find Bus Stops and I’m sending this to my team at Metro to see what they think.

    I know of a couple of places where it could be benificial to me, one around here where we have multiple bus stops at the same area, and the potentials of multiple buses stopping at the same stop.

    I don’t rely on Google Maps necessarily, but I rely on what vision I have to find benches and then wait near light, or if there is a pole nearby, wait there.

    One driver got someone off because I wasn’t at the official stop when I wrote a report of a passup. I explained how we were trained and they asked whether I had someone to teach me.

    Sadly, I had nobody to teach me, and I do not like getting drivers in trouble even for a passup. It doesn’t make me feel good, as I’m a rider like anyone else. I even was passed up early in the morning, as I was under the light, but they didn’t see me until they were across the street.

    One driver even stopped to pick me up at a stop after they saw me and I was at the bench and near the pole, but I definitely wonder if this app could’ve helped me?

    I’m curious on why I need sighted assistance to set up the app? Transit App, Metro’s official app, didn’t need to be set up by a sighted person for me to utalize its features.

    I’ll see what my people think, but i’m curious on whether you nice people have used this app before or even read the article?

    Get in touch.

    Comments (0)

    5,000 web sites were offline, belonged to school districts, timeline is similar to 2017 for me

    Hello everyoone,

    This articular article was sent to our list today, and reminds us that ransomware is still on the loose.

    Similar to what happened with me indirectly in 2017 Valley College where I had attended free classes was affected then. A Cyberscoop article I blogged about in 2019 talked about this too.

    Then we come to this NCSAM posting I blogged about in 2020 titled NCSAM: Schools are no longer safe, now PII on students are out on the surface and dark Web In that article, I blog about this heavily linking to those articles on top of my own thoughts on what I think we should do.

    While Valley College affected me, these cases that are talked about affect more students than just your college student. I could only imagine what parents are giving the schools now even though Covid is becoming a problem again and distance learning is taking hold once again.

    Now, Michael gives us this tech crunch article: Finalsite ransomware attack forces 5,000 school websites offline. It is similar to my story because it happened right after the beginning of the year, and actors know that during the holiday, this is the time they can pounce on such a target. This particular case is much larger than Valley College for me, and the numerous school attacks I’ve blogged through the years as this story covers 5,000 schools hit at once. This is a bigger deal than Valley, but similar because of the timing.

    Let’s make no mistake about it, any of these stories are bad, and I don’t wish people to go through any of it.

    We’re sadly in a different era now, and my email from knowb4 indicates that we’re now in nuclear ransomware 3.0. I haven’t read the email yet, but saw that this morning.

    I’m not sure now what to think. I hope that we can try to get a grasp on this before it is too late. Read all of these articles, including the latest on the 5,000 schools and what might affect you. Just be aware of it.

    One of the paragraphs I’m only quoting partially says:

    Finalsite spokesperson Morgan Delack told TechCrunch that 5,000 of its total 8,000 global customers — including school districts in Kansas City, Illinois, and Missouri — are affected by the incident.

    One reddit user claimmed that email couldn’t be sent either. Some email may still not be reaching customers (you, the parent or student) as we speak. This is now becomoing a larger problem, one that we are not yet capable of grasping quite yet. Just take a look, and be aware.

    Comments (0)

    Android should be ashamed of itself, fixes bug that disallowed 9-1-1 calls

    I saw this article late the other day, and finally got around to reading it. It is unfortunately sad that Android had this bug where Microsoft Teams of all apps was part of the culprit of disallowing someone from calling 9-1-1.

    The article talks about someone in December who needed 911 because of a situation going on at their home. Luckily, a landline was available and they were able to get the help they needed.

    While I tried the emergency calling button a couple of times, I didn’t really need it. Because I had no speech or no idea what it was doing, they called me back. I just said I was doing something with the phone, but everything was fine.

    In this Android’s case, there was no call made at all. It could’ve been tragic, and Google decided to wait an entire month to fix it, although the 6 is getting delayed due to other technical problems.

    For the full article, Read the ars technica article titled: Google fixes nightmare Android bug that stopped user from calling 911. This can’t be good.

    Comments (0)

    The Security box, podcast 76: Student Data getting sucked up by advertisers

    While I as the only one on Clubhouse today, I felt that this topic is worth exploring even if it is just a thought piece. Podcast listeners, you may use contact info within the podcast to get in contact with me.

    While I only blogged the article this morning, it appears here because that’s what we do with the podcast show notes.

    The RSS feed is available for you to get a copy. If you need a copy and you can’t get RSS for any reason, please contact me and I’ll be happy to send you a copy.

    Here are the show notes as I wrote them.

    Welcome to the Security box, podcast 76. On this podcast, we’re going to talk about advertisers who are sucking up student data, even though legal action was taken. We’ll also have comments and news items from the public if any, maybe some other topics if it turns in to one, and we’ll see what else comes up.


    Thanks so much for listening to the podcast, and we’ll be back next time! Hopefully, we’ll have a discussion next time, but it depends on who is available and what’s happening with others. In any case, we’ll be back with another great topic I’m sure.

    Comments (0)

    Student data still taken even after legal got involved

    Today’s topic is going to be Advertisers are sucking up student data, even after legal action, researchers say which I read during the Christmas break.

    We take several paragraphs as part of the discussion, and I think this will take podcast 76 in a good direction.

    Since I’m barely getting a chance to blog about this today, I’ll keep this short, and its going to be linked again in our show notes when the podcast is released.

    Feel free to comment and let us know if we can air those comments. I can leave the name or handle out but the general comment can definitely be aired if you wish.

    I hope this finds you well.

    Comments (0)

    go to sections menu

    navigation menu

    go to sections menu