The Technology blog and podcast

This is the technology blog and podcast: commentary, articles, and podcasts.


The Security box, podcast 161: Open Forum, Week 1

OK, so … we’re here to present the Security Box. I had to leave the day it was out, but we’re going to have the podcast posted now.

I hope you enjoy week 1 as much as I have putting it together for you with our good friend Nick.

Here is the 148.1mb file for you to have if you don’t have RSS already.


Welcome to the security box, podcast 161. On this podcast, we’re covering a few notations of the recently released IOS 17, tons of articles from the blog, and having ourselves an open forum. We hope that you enjoy the program as much as we did putting it together for you.

Supporting the podcast

If you’d like to support our efforts on what this podcast is doing, you can feel free to donate to the network, subscribing to the security box discussion list or sending us a note through contact information throughout the podcast. You can also find contact details on our blog page found here. Thanks so much for listening, reading and learning! We can’t do this alone.


Book Selection: Your Face Belongs to us

Hello everyone,

Welcome to another book selection here on the blog. This time, after an absence of reading and/or listening to books, I’ve already started this one. It’s titled Your Face Belongs to Us: A Secretive Startup’s Quest to End Privacy as We Know It, and its author and reader is Kashmir Hill.

As a side note, Terry and I are both reading this one, and I’m in chapter 2 of a 25-chapter, 3-part book. Its reading length is 10 hours, and it was released on the 19th of this month.

My first thoughts are two words. Holy shit. You’ll have to read the prologue to get an understanding on why these two words describe the book to date.

Now, let’s tell you what the book is about, directly from Amazon.


The story of a small AI company that gave facial recognition to law enforcement, billionaires, and businesses, threatening to end privacy as we know it

“The dystopian future portrayed in some science-fiction movies is already upon us. Kashmir Hill’s fascinating book brings home the scary implications of this new reality.”—John Carreyrou, author of Bad Blood

Longlisted for the Financial Times and Schroders Business Book of the Year Award

New York Times tech reporter Kashmir Hill was skeptical when she got a tip about a mysterious app called Clearview AI that claimed it could, with 99 percent accuracy, identify anyone based on just one snapshot of their face. The app could supposedly scan a face and, in just seconds, surface every detail of a person’s online life: their name, social media profiles, friends and family members, home address, and photos that they might not have even known existed. If it was everything it claimed to be, it would be the ultimate surveillance tool, and it would open the door to everything from stalking to totalitarian state control. Could it be true?

In this riveting account, Hill tracks the improbable rise of Clearview AI, helmed by Hoan Ton-That, an Australian computer engineer, and Richard Schwartz, a former Rudy Giuliani advisor, and its astounding collection of billions of faces from the internet. The company was boosted by a cast of controversial characters, including conservative provocateur Charles C. Johnson and billionaire Donald Trump backer Peter Thiel—who all seemed eager to release this society-altering technology on the public. Google and Facebook decided that a tool to identify strangers was too radical to release, but Clearview forged ahead, sharing the app with private investors, pitching it to businesses, and offering it to thousands of law enforcement agencies around the world.

Facial recognition technology has been quietly growing more powerful for decades. This technology has already been used in wrongful arrests in the United States. Unregulated, it could expand the reach of policing, as it has in China and Russia, to a terrifying, dystopian level.

Your Face Belongs to Us is a gripping true story about the rise of a technological superpower and an urgent warning that, in the absence of vigilance and government regulation, Clearview AI is one of many new technologies that challenge what Supreme Court Justice Louis Brandeis once called “the right to be let alone.”


You can probably see if the book is elsewhere, but per usual, we’re linking to Amazon which has Kindle, hardcover and audio. Enjoy this one!

We’ll have more soon. See you later!


Musing: This has got to be the stupidest thing I’ve ever seen

There’s no article related to this, but I had to read the following boost twice to hear how stupid this sounds. I’m not blaming the person who boosted this, nor am I blaming the person who posted it. Maybe it is humor, and if it is humor, I didn’t find it funny.

Here is the boost.

Celeste, AKA DJ Celrock!: Boosting Missing The Point (MissingThePt): To combat bots, Elon requires all Twitter users to change their password to their credit card number+expiration date+three digit security code+zip code.

If this is true, Twitter, now known as X, will have exactly what it needs to sign everyone up for its services without their knowledge. If nothing else, even if Twitter doesn’t have that access, criminals could in theory get into accounts knowing that he is “requiring us” to “change our passwords” in such a way that criminals can take over our accounts with nothing more than what we use to purchase things online.

I’ve just got to post this and laugh at this one. Have fun with this musing for today!


Here is another T-Mobile security problem, … this one seems bad

Like we need more bad news over at T-Mobile, this one looks bad. You’re in your own application on your own account, but you see someone else’s info, including credit card number, balances if applicable, and purchase history.

Apparent T-Mobile security breach sees personal data revealed to other customers comes to us from 9to5 Mac.

They highlight past breaches going back to the several in 2021 and one this past March which is still really unknown.

If I hear anything else, I’ll be sure to get people notified as quickly as I can get it.

This … can’t be good.


HHS settles with L.A. Care over HIPAA violations

I’d love to see more of these. I think that if the health care industry as a whole was targeted by the organization that targeted these guys, maybe their security would be more up to par. Then again, maybe not?

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

It shouldn’t stop here with Los Angeles. All of the health care entities Databreaches has posted about, whether we have posted about them or not, should be targeted by this OCR group to see if there are any compliance issues.

Not all breaches may come down to compliance issues, but we have no way to know.

Full article by databreaches: HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations if you’re interested.


Elon Musk says X will charge users ‘a small monthly payment’ to use its service | TechCrunch

Here’s another article that talks about the fact that Twitter is going possibly completely paid. It has even a bit more than the other, and while I try to only post one article, I think multiple may be necessary here. Let the games begin.

X owner Elon Musk today floated the idea that the social network formerly known as Twitter may no longer be a free site. In a live-streamed conversation

Source: Elon Musk says X will charge users ‘a small monthly payment’ to use its service | TechCrunch


Here’s something new, charge everyone for twitter … how successful will that be, musk?

I’d honestly like to see how this is going to go with everyone. This network has made it public with those on the podcast that we will not be paying for Twitter, seeing that we can’t use third party apps which are easier to use than the app or site.

Just recently, as an example, I got a direct message. Great! I went on the web, tried to reply to it on the web, and found I could not. I don’t know why. I tried pressing enter on the DM, tried to find a reply button, nothing.

So, I had to resort to using my phone to reply to the musician who gave me a code for his recent release.

This musician is not going to be named, as many Bandcamp artists are giving codes to users by choice, so I’m not going to say which one.

But now, I can see why in a previous boost, I saw what I saw. It basically said that they wouldn’t pay for Twitter.

And I know for a fact that I have 4 accounts, one on staff has two, one of which I help maintain as part of my 4.

I wonder if this is going to be the beginning of the end that we’ve been calling for? Some of us have been predicting that within 6 months to a year, Twitter would be pretty much history.

Here’s the latest coming from a site called Variety. elon-musk-charge-all-x-twitter-users-fee-1235726693/#article-comme is the article, and I bet we have no say so now.

Here’s the boost which I saw before the article I am posting about.

Celeste, AKA DJ Celrock!: Boosting JamminJerry (jamminjerry): regarding that last boost I just did about the idiot charging for twitter, I bet you lose a whole bunch of users that way, and you still won’t get rid of bots, like you claim it will fix. I know I won’t be paying for it, so if he does do this, I am definitely gone from it.

Jerry, I know we’ve not spoken in quite a number of years, and now I understand your post here. After reading the Variety article linked above, this is just going to add to the interesting column over at Twitter.

I honestly don’t call it X, I call it Twixer. I’ll never call the platform X.


Why did it take so long from breach to notification? Your guess is as good as mine!

In an article I posted and we talked about across the network, it took what we think is way too long to be notified.

The first paragraph of the Databreaches article says:

Some state and federal laws provide specific timeframes by which breached entities must provide notice to regulators and to those affected by a data breach. Unfortunately, loopholes abound, as we’ve seen in statutory language such as Minnesota’s breach notification law, where for timing of notification, it says: “The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.”

I’m not against the fact that we need to secure the system first, make sure the data is safe and as secure as possible before notification, but you’ll find out that in this instance, there was a huge delay.

One side of the article we’re talking about says that it took 4 months to be notified of the breach, and 2 months to notify everyone. But the article also talks about how it took over a year.

If I were running a business that got breached, I would definitely not wait an entire year to notify anyone of a breach, state or otherwise.

If it took a year for me to know there was a breach, that’s an ongoing problem. But if I was notified two months afterward, I am responsible for notifying customers, stakeholders and the like of this breach as soon as possible.

The lengthy Databreaches article is titled An inexcusable gap from breach to notification, or an excusable one? and I hope that you give this a read.

It should not under any circumstance after notification take an entire year to be letting your customers know of a breach.

Give me a break!


Social media attacks targeting banks? You bet!

As I continue to catch up with tons of reading, this particular article where social media attacks are going up as banks are now targeted is more important.

Some banks may be more prone than others, at the same time, we all need to be aware of what’s going on.

Just recently, I got a Facebook friend request. I’m doubtful that it is who the name says it is, but that is only the beginning with attacks.

While other trends facing other businesses on social media are lower, we shouldn’t be putting our guard down. I suspect we’ll fluctuate depending on what is going on, but it isn’t going anywhere any time soon.

Despite the decline, 2023 social media attack volume is still consistent with 2022 and well above the average number of attacks in 2021. Social media has emerged as a preferred channel for cybercriminals to target businesses indiscriminately, with abuse occurring in the form of advertisements, illegitimate business pages, and phony executive profiles. The rapid nature of communication via these channels, in addition to the ease of account creation makes brand abuse and impersonation a light lift for cybercriminals looking to perform nefarious activity.

I understand that Mastodon is considering a captcha model, but from what I’ve heard, they were looking at H-Captcha.

While Sendspace had it because of Cloudflare, the backbone they have, it’s awful. You have to set a cookie and hope it sticks. What I’ve found is to set the cookie, then go and do what I need to do, keeping my browser open.

But hCaptcha requires you to sign up, and other solutions like what Google offers do not. Google offers reCAPTCHA, and version 3 is supposed to be behavior-based and only throws something up if it senses something off. I like that approach better.

In Q2, cyber threats and impersonation were nearly tied as the top threat type on social media. Cyber threats were most observed, with 34.5% of overall attacks targeting businesses taking the form of telephone support scams, giveaway scams, employment scams, and more. This is the second consecutive quarter cyber threats have won the majority of threat volume.

There’s a lot more to dive into, so why not read the article like we did? Social Media Attacks Targeting Banks See Greatest Increase Since 2021 is the article, and I hope that you find it of interest.

If you’ve got banking friends whether a financial advisor or someone who assists you regularly at the bank, let them know about the article so they can find it and pass it along.

Together, we can make that difference.


IOS, watch, TV and more … bring on the updates!

Well, the whole gamut has been released. As predicted, IOS was to be released today, and this AppleVis post titled iOS 17 and iPadOS 17 Now Available With New Features and Accessibility Enhancements has all of the details on IOS and iPad.

I experienced one of these when placing a facetime call yesterday, so I guess we’ll see how that goes.

Here is the post on TV OS called tvOS 17 Now Available; Bringing FaceTime to the Apple TV, an Updated Control Center, and Improvements to Apple Fitness+ for those who have a TV from apple and want to see what’s new.

For those who have an Apple Watch, I’m not excluding you either. Here’s AppleVis’s post on that too. It’s titled watchOS 10 Now Available With Stackable Widgets, Updated Apps, New Workout Features, and More.

If you’re blind or deaf-blind, Scoot at AppleVis does have our rundown. I’ve not read this as of writing time, but plan to by the time this posts.

Don’t forget that we blogged earlier this morning about ios 17 and had a blog post from Apple Vis that talks about what has been fixed, what’s buggy and the like.

If you decide to wait for a bit because a bug might be too problematic for you, that’s great. Just make sure you update to 16.6.1 for a critical fix for a zero-day.

Whatever you do, please make the right decision for you. The press like 9to5mac and others will have more mainstream coverage, you are welcome to search these out through social media or your RSS.

Happy updating!


IOS 17 will be released today

Hello,

So, from what I am hearing, IOS 17 will fully be released today. As usual, AppleVis has a listing of bugs sorted by severity, and it seems like while there may be some show stoppers, there aren’t a whole lot of items this time.

Here is the Applevis posting that talks about what they have found.

Please note, they are a small team. Not everyone will experience what they report, and your mileage may vary.

Have fun with the update! We’ll be in touch soon!


Have you got your patch on?

Have you gotten your patch on? I know that it might be time for me to reboot at some point, and there’s good reason to apply updates for this month.

There are several zero-day things that we will be patching.

Brian Krebs has the complete rundown from his blog. The article is titled Adobe, Apple, Google & Microsoft Patch 0-Day Bugs and you should read it.

You could check Komando’s site as their newsletter covered even some Linux stuff too.

They also covered Android specific things too.

Those things were in their recent newsletter, which I recently read.

Hope things are well, more later!


Tweesecake 0.16.3 now released

After a long absence, Tweesecake released today. Here’s what’s new.

  • Core: On a Mac, if speech is unable to be initialized through VoiceOver, we now try to initialize the default system voice and speak through that. This fixes a bug in Mac OS Sonoma betas 1 and 2 where you could not use TweeseCake.
  • Mastodon: Adds mentions buffer!
  • Mastodon: Mentions are no longer displayed in the notifications buffer. Note: If you want this to apply fully, clear your notifications buffer. It won’t hurt anything if you don’t.
  • Mastodon: Visibility is now included in the default toot template. Note: If you want this new template to apply, go to your mastodon config, find Toot Template, interact with it, hit the restore default button, then save.
  • Mastodon: Add support for languages in posts. To set post language, click the Set Post Language button and select your language from the list that appears. By default the language is set to English. Also, the new $language placeholder was added to the toot template. It is not included in the default template though.
  • Mastodon: Play the send_dm sound if sending a direct reply.
  • Mastodon: Attempt fix of bookmarks/favorites buffers.
  • Mastodon: Make it possible to mention users from different types of notifications.

To update, open the configuration section, go to General, and scroll to the bottom for the version. Hit ctrl+win+enter to start the update process.

Happy caking!


Book Review: Fancybear Goes Phishing

Some time back, I finished Fancybear Goes Phishing. I have been meaning to write a review for it for quite awhile and things just continued to come up, but now … here we are.


This book is definitely something worth reading. From convictions to people to learning how they either got convicted or not, you’ll definitely learn something.

Scott, who is not a security expert by trade, really dives into it with the first ever worm we know about, the Morris Worm.

In the first several chapters, we learn how Robert created this worm, and eventually his conviction. I’m not giving you any details on his conviction except to say that he was found guilty of causing over $1,000 of damage, which was under the just-created CFAA.

This book also covers Fancybear themselves as well as other Russian folk under the various names we’ve been talking about for years.

One of the best stories that really sticks out at me is about a gentleman who gets picked up young, promises that he will fly right, but ends up getting the maximum 5 years for the crimes he committed. As we’ve talked about on these podcasts, the penalties for hacking, DDoS and taking personal info that doesn’t belong to you must be higher than the 5-10 years these guys get. The gentleman in question was to get out in July of this year, having spent about half of his life already in prison.

The other big non-surprise of this book, which we have covered numerous times, was the biggest phone company problem, T-Mobile. How easy it was to get at the data talked about back in 2006 was mind-blowing, although as we’ve discussed, they’ve continued to have breaches since. Can anyone say 8 this year to date?

The ending chapter, which is not numbered has to be one of the best bow ties I’ve ever seen in a book as great as this. From someone who had no knowledge of this field, tying the bow was great. The final 13 minute conclusion was good too.

You definitely want to pick up this book, it was a must read.

This book is not available on BARD, but may possibly be found on Bookshare. We link to Amazon here so you get the full book title.


Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro

About the book


“Unsettling, absolutely riveting, and—for better or worse—necessary reading.”

—Brian Christian, author of Algorithms to Live By and The Alignment Problem

An entertaining account of the philosophy and technology of hacking—and why we all need to understand it.

It’s a signal paradox of our times that we live in an information society but do not know how it works. And without understanding how our information is stored, used, and protected, we are vulnerable to having it exploited. In Fancy Bear Goes Phishing, Scott J. Shapiro draws on his popular Yale University class about hacking to expose the secrets of the digital age. With lucidity and wit, he establishes that cybercrime has less to do with defective programming than with the faulty wiring of our psyches and society. And because hacking is a human-interest story, he tells the fascinating tales of perpetrators, including Robert Morris Jr., the graduate student who accidentally crashed the internet in the 1980s, and the Bulgarian “Dark Avenger,” who invented the first mutating computer-virus engine. We also meet a sixteen-year-old from South Boston who took control of Paris Hilton’s cell phone, the Russian intelligence officers who sought to take control of a US election, and others.

In telling their stories, Shapiro exposes the hackers’ tool kits and gives fresh answers to vital questions: Why is the internet so vulnerable? What can we do in response? Combining the philosophical adventure of Gödel, Escher, Bach with dramatic true-crime narrative, the result is a lively and original account of the future of hacking, espionage, and war, and of how to live in an era of cybercrime.

Includes black-and-white images


Have fun reading this one! You’ll thank me later. It’s 434 print pages and over 14 hours in audio. This book is a 2023 book.


The Security Box, podcast 160: Freenom sued, drops free domains, more

Hello folks,

Welcome to the Security box. We’ll continue to use Clubhouse as long as we can, but I do know that some people use the app and it has become inaccessible. What a shame.

On this week’s podcast, we’ve got a little bit of some sad news that doesn’t necessarily affect this cast, but does explain last week’s absence.

We’ve also got a topic and we’ve got some news too.

The RSS should have the program by now.

Here is the 107.4mb file for those who need a direct download.

Now, without any further ado, here are the full show notes, and we’ll be back next week!


Hello folks, welcome to podcast 160. On this week’s edition, we’ll reveal the reason for the sudden absence of TSB, we’ll have news and notes from around the landscape that folks may have read, and a very interesting topic that deals with Freenom and the phishing landscape. Apparently, Facebook is in this too. Of course, we’ll have any questions answered that people have too. Thanks for your support of TSB and thanks so much for listening!

The Absence of TSB

The sudden departure of TSB was not one the JRN was necessarily prepared for. While we have from time to time rescheduled TSB, and/or took specific holidays off like the Christmas break, Thanksgiving week, and possibly others, this was so sudden.

While working on TSB’s release and catching up its EMHS page we got a message on Dice World. While that wasn’t out of the ordinary, as I have gotten messages on Dice World before, the source and what the message contained was one of shock and grave concern.

The short version is that the JRN’s MENVI helper, Janet Quam, passed away on the 30th of the month of August. While I have been told numerous things, a letter which I published on September 10th goes in to what Janet did with the network from various podcasts which don’t exist anymore, to tech skills and a willingness to learn.

There was no health related stuff discussed except to state that we were aware of health concerns. To read the letter, please read the blog post titled A death across the network, here’s a letter.

It links to a YouTube copy of the funeral. MENVI’s links page also has a link to the obituary. We thank you for your support! An appropriate song will be played at the end of the program when we play music.


Meta, Freenom and phishing domains

Our topic comes to us today from an article which was published to Krebs on Security on 5/31. It’s titled Phishing Domains Tanked After Meta Sued Freenom. As we’ve talked about on Throwback, we’ve now got other issues because of this suit, and other top level domains are now taking over what the free domains did. We’ll make sure to bring this up.



Car companies, get your act together!

Some days ago, there was a Kim Komando minute on this, her newsletter covered this, and even Brian Krebs mentioned it in a multi-toot spree within the past several days.

The article linked is titled It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy and we’ll be talking about this as part of Throwback’s Security hour this week.

On it, we’ve got the Kim Komando minute, and even a video of which she did with someone talking about this issue.

The security hour is hour two of the show which airs on 98.6 the mix, KKMX international.

Let’s discuss this a little bit.

My first major question, although it is relatively answered in Tesla’s case, is how the hell do cars know about our sex lives? I mean, we’ve talked about Elon’s own car telling on him as his car sat off but still recording and uploading to the cloud.

Mozilla goes on to talk about their privacy policies. None of the manufacturers do very well on having you, the driver, opt out of any type of data collection.

The four main headings that are numbered are quite interesting to read.

  • 1. They collect too much personal data (all of them)
  • 2. Most (84%) share or sell your data
  • 3. Most (92%) give drivers little to no control over their personal data and
  • 4. We couldn’t confirm whether any of them meet our Minimum Security Standards

I believe number 4 is the biggest. Not being able to confirm any type of security standards is pretty bad. The article indicates that you should opt out of using apps if possible. I wouldn’t necessarily care if they knew I listened to XM, but I wouldn’t connect their app to the car, as that might be where the majority of the problem is, from what I can tell.

This is just going to be an interesting discussion, and it wouldn’t surprise me if on both podcasts this is the hot topic of them.

May the fun begin!


FTC says that Intuit is saying their product is free when it isn’t

I’ve personally not used Intuit’s TurboTax as I have no need for it. But I will say that if their product is supposed to be free, and it’s then saying that you need to pay, then I think there is merit to this.

I have heard commercials indicating that the product is free, but I haven’t heard them advertised in a while.

The article I came across can be perused if you wish.

Intuit says they’ll appeal, saying the FTC has ruled in its own favor in all of its cases for years, and says this decision is unfair.

Since I’ve only read one article, I’m not about to pick sides here, but software in general should be either free or paid, not free for some things and paid for others unless that is how it works and we understand that.


IOS 16.6.1 now out

Without updating, people will potentially have issues. One note I saw today was that this fixes a zero-click that gets our favorite folks onto your phone: Pegasus.

iOS 16.6.1 for iPhone now available with important security fixes is the article to read. It’s not long, and there may be others out there.


Ransomware update from Bleeping computer

I’m still a bit behind, but trying to find things of value. Today, we’ll give you a ransomware update from this past week.

This might be of interest, as one group was recently renamed. What a surprise!

New file extensions to be aware of possibly?

The Week in Ransomware – September 8th 2023 – Conti Indictments is the article.

More later!


Russian man gets 9 years in U.S. prison

Finding some good news, databreaches had a short piece about someone who will need to serve 9 years in U.S. prison for hacking.

They’re like us, but I think what they wrote should be shared.

It’s titled Russian man with Kremlin ties gets 9 years in US prison for hacking and insider trading scheme, and I believe this is the second time in recent times that we’ve seen articles similar to this one.

May the good news continue!
