Tech Freedom

Weekend Edition 55: Security, Elonworld, SBF Trial, and More...

NSA Top 5 Security Problems

Qakbot Ransomware not Dead Yet

ElonWorld: X Sued, Neuralink Competitor Gearing Up

Bankman-Fried Trial News

AI News

AWS and Azure to Be Examined by UK Competition Authority

Apple Fixes Their Shit

Duck Duck Go: We Were a Contender…

WE 1 – NSA’s Top 5 Corporate Cybersecurity Issues

The nation’s top spying agency has released its top 5 list of knuckle-dragging IT screw-ups they’ve found in corporate America.

The top bonehead, come-on-I-know-enough-to-do-better-than-that mistake that the NSA found was failing to change default settings on new hardware and software. Usually these defaults are public knowledge, regularly posted to manufacturer or developer websites, not to mention countless forums and blogs. If you have yet to change your default logins, you owe it to yourself to figure out how and at least do that. This is basic, guys.

Number two on the derp list is not handling your permissions properly. Here’s the situation: you have a large network, with in-house servers, a hundred or more workstations, a couple dozen printers, routers, switches, firewalls (well, maybe not that, if you can’t even manage to set up accounts properly), and WiFi access points, but you unwittingly set up all accounts as administrators, so that you don’t have so much management to do on the network (maybe?). This, in a Microsoft environment, is a recipe for a security disaster. As administrators, these users have full access to change settings and install and uninstall programs and hardware, not to mention opening your network to all manner of attack vectors. Only your IT guys (and perhaps not even all of them) should have administrator privileges. Not John and Jane Doe in the cubicles; they don’t need that much power on your network.

Number three is slightly less basic, but even so, if your IT guys have a clue what they are doing as network admins, it should be a slam dunk. It has to do with proper monitoring inside your network. This is like setting up a secure area but imagining that you don’t need security cameras to enhance surveillance in that space. Put the effort in. Install the cameras and the monitors, as well as sufficient on-premises storage to retain the logs in question. These logs can save your life, figuratively, when you do eventually get attacked; that way you can trace the vector of the attack and patch that vulnerability.

Number four is another network basics issue: not segmenting your network(s) into VLANs and the like, so once an attacker gets in past the initial wall, they just have clean access to ransack the whole place with nothing else to stop them. If you segment your network(s), they will at least have to figure out where their targets actually live and work through more (even if basic) firewalls in order to reach their chosen targets. It may buy you enough time, if you have solid enough internal network monitoring (and staff), to stop them before they get to anything really sensitive. However, if you don’t have that in place, then the likelihood is high that you have not segmented your network(s) either, and you’ll be that much more screwed in the inevitable event of a successful cyber attack against your company.

Number five has to do with patching vulnerabilities and other issues. If you do not have a coherent patching system, then you’re likely to miss a workstation here or a server there when you find the need to patch your systems (which should be done regularly, as criminals are always shifting their vectors and methods of penetrating your systems). If not everything gets patched at once, you will have blind spots and weaknesses that you thought were handled effectively but were not. Make sure that your IT plans have comprehensive patching as a feature; that way you are less likely to miss things.

The list was actually a top 10, so here are the rest:

6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

Numbers six and ten both tie back into number two: if user accounts are set up with proper permissions, you are less likely to have someone able to inappropriately bypass access controls, and ordinary users certainly wouldn’t be able to just run random code on one of your workstations.

MFA and credentials are huge issues, and you may be tempted to think that just because you have MFA set up in your organization, it will save you from bad passwords that are easily brute-forced, but poor MFA (such as basing it strictly on SMS or email) can lead to MITM (man-in-the-middle) attacks, as both of those channels can be snooped on or hacked into and redirected if an attacker is determined enough. A better way to approach MFA is to use something like Aegis or Authy to handle those codes, rather than simply trusting SMS to do it safely. This will cut down on many illegitimate access headaches for you.

ACLs are related to number four, the network segmentation issue, as well as number two, the administrator-access-for-all-users issue. ACLs, when set properly, will keep resources safe from attack, as well as keeping one department’s resources separated from another’s. This should be basic network engineering design, but apparently corporate IT doesn’t get it, or perhaps the management of the company doesn’t understand the need for these things and thus will not allow their IT team to set things up properly because it would be too inconvenient. I don’t know.

https://www.pcmag.com/news/nsa-here-are-the-dumbest-cybersecurity-mistakes-we-see-at-large-organizations

WE 2 – Qakbot Ransomware Still a Thing…

Now we are being warned that the Qakbot RaaS (Ransomware as a Service) infrastructure is not dead yet. Always reminded of Monty Python when I see that phrase… Lol. The FBI tried to take it down, but apparently only took out the botnet’s command & control servers, not completely destroying it. This is what leads the researchers at Cisco to believe that Qakbot may not be 100% dead. It has still been sending out emails with links to download the Ransom Knight/Cyclops ransomware, rather than Qakbot itself. Some other researchers have questioned whether this is still Qakbot, insisting that it is rather something separate which seems to use former members of that botnet for something else entirely. As I said in the first piece today, criminals are always shifting their methods so that it is harder to catch them. After all, the gang behind Qakbot was not apprehended, but the C&C servers running the botnet were taken over and shut down by the FBI back in August (wait, you mean they aren’t just hyper-focusing on Trump and his supporters? They are actually doing some reasonably useful things as well?). We shall see if this is Qakbot or something else entirely in the coming days and weeks.

Be careful with emails, guys: always, always check that something actually came from the person it allegedly came from. Do not just randomly open attachments from people you don’t know, or even from someone you do know; if you weren’t expecting to receive an attachment from them, make sure to touch base with them first. These attachments can and often do contain bits of nasty code which can make your machine part of one of these botnets, not to mention putting your data at risk as well. If you check with the person and they sent it, you are probably OK to open it. If not, then please, don’t open it. These steps will save you and your IT guys much grief in the future. They will thank you for not just randomly opening emails from people you don’t know. Phishing attacks are one of the most common ways that pieces of malware find their way onto systems and networks. Take this warning seriously and help your IT team help you to keep your company’s assets safer.

https://www.pcmag.com/news/notorious-qakbot-botnet-threat-continues-despite-fbi-takedown

WE 3 – Elon World

3-1: X Sues X… No, Elon Isn’t Suing Himself…

No, the platform formerly known as Twitter isn’t suing itself. There is another extant social media platform called X which is suing Elon’s personal social media playground. The suit seeks relief in the form of a permanent injunction against the giant’s use of the name, since the smaller platform, which exists to connect lawyers and their clients, is also known as X, and this name change on Elon’s part will lead, and has already led, to a decline in users on that smaller, Florida-based platform. The Florida platform is known as X Social Media and has been around since 2015. They say that they have invested (probably too much) in brand awareness and advertising over the last 8 years. Yet another reason why a single letter is not a good idea for a name for something that will be public-facing. Many other companies have claims on various related trademarks, whether logos or full-on brands, from X Social Media, to Meta, to Microsoft. Elon is looking pretty room-temp in the IQ department here. He should have done more research before making this jump, just because he always wanted a platform called “X” which could handle anything and everything someone might want or need to do online.

https://www.pcmag.com/news/x-sues-x-over-name-elon-musk-twitter

3-2: Neuralink Has Competitors?

Apparently they do. One of them, Precision Neuroscience, is building a factory in Dallas, TX as we speak. They are at roughly the same phase of the process as Neuralink is, that is, FDA permission for human trials. The co-founder and Chief Science Officer of Precision is a Neuralink alumnus, and sees this move as crucial for the safe development (both in terms of industrial espionage and for the health and privacy of the people they seek to help) of their brain-computer interface technology. Some others in the space are Synchron, Paradromics, and Blackrock Neurotech. I’d never heard of anyone other than Neuralink in the space, but then the media is fixated on “wunderkind” Musk, so why would they give airtime to anyone else? After all, the media is controlled by the same people who created Musk. It sounds like Precision’s methodology is less invasive than Neuralink’s, which seems like a net positive to me, if we are going to move forward with this step toward merging man with computers. That whole thing just feels like a non-starter to me. I don’t want all of my neural energy and signals read and processed by some datacenter somewhere, then spat into my computer or phone via an app. It’s all too damn invasive; I mean, I love technology as much as the next guy, but some things just should not be. Even Star Trek never dealt with this in a positive way… The closest thing I can recall were the Bynars or the Borg. The Bynars were at least relatively benign, where the Borg were more or less like a technological cancer of sorts, on a galactic level. No individualization (other than the Queen), and all thoughts within the collective were funneled toward the goal of expanding the collective. Just freaky. Not a fan.

https://www.cnbc.com/2023/10/05/neuralink-rival-precision-neuroscience-buys-factory-in-brain-implants.html

WE 4 – SBF BS: The Trial Has Begun

4-1: SBF Tried to Pay Trump to Not Run in 2024

SBF’s biographer (what the hell? A 30-year-old gets a biography written?) claims that he tried to pay Trump $5 Billion to not run in the last election. Let’s process this a bit, shall we? He was brazen enough to float the idea to someone on Trump’s team, not just chat about it internally. He never really made the attempt, though, for a couple of reasons: one, he was unsure of its legality, and two, FTX fell apart about a year ago now, so he went from being flush with cash to being more or less broke. Two very good reasons to not try to bribe someone to not run for office. Yes, this would have been bribery if he had gone through with it. Then, aside from that, the wheels fell off of his crypto lambo. We have talked about how he is accused of money laundering, wire fraud, and a litany of other things in the past, and we will rehash all that in a bit, as his first trial began on Tuesday, October 3. The writer, who met with him over 100 times in the last couple of years, is convinced that SBF at least didn’t really grasp the reality that he was living on customer funds. He claims that SBF is no Madoff. I’m still not convinced that most crypto isn’t fraudulent on its face, anyway. Well, no more fraudulent than fiat currency, which is just underpinned by the government. Well, let’s continue talking about this clown.

https://www.cnbc.com/2023/10/02/sam-bankman-fried-considered-paying-trump-5-billion-not-to-run-lewis.html

4-2: Trial 1: Start

SBF is being charged with 7 things, and if he is convicted of all of them, he will net at least a 100-year sentence. Wow. We have covered this before, but let’s get into it again, shall we? So, he claims that he was unaware of all of this, but it looks like that is pretty much a bald-faced lie…

The full list of charges is:

1. Conspiracy to commit wire fraud on customers of FTX.
2. Wire fraud on customers of FTX.
3. Conspiracy to commit wire fraud on lenders to Alameda Research.
4. Wire fraud on lenders to Alameda Research.
5. Conspiracy to commit fraud on customers of FTX in connection with purchase and sale of derivatives.
6. Conspiracy to commit securities fraud on investors in FTX.
7. Conspiracy to commit money laundering.

Now, all that said, the reason he is being accused of these things is because he did indeed misuse customer funds, whether he was conscious of that fact or not. It was not only illegal to do so, but was against their own terms of service to use customer funds for anything without express consent from the owners of those funds. It smells really bad, even though we are supposed to be considering him innocent until proven guilty. That is hard when the evidence, even to a legal layperson like me, really strongly points toward guilt. We will see how many of these charges stick versus how many he is able to disprove somehow. I don’t know how likely I am to be able to present this impartially moving forward. His lawyers have their work cut out for them in more or less trying to argue from ignorance for SBF; however, the judge has already stated that that strategy would be a nonstarter in opening arguments. We’ll see how all this goes. He has another trial to look forward to next March, after this one wraps around Thanksgiving, which will cover more charges made since his extradition.

https://www.cnbc.com/2023/10/03/sam-bankman-fried-criminal-trial-starts-today-heres-whats-at-stake.html

4-3: Who Might Testify?

SBF’s parents, ex-girlfriend, Anthony Scaramucci, a bunch of investors from FTX and others, including his brother. How was Mooch related to this? If you recall, he was momentarily a press secretary for the Trump admin, I think between Spicer and Huckabee-Sanders. FTX seems to have funneled resources to and through the Bankman-Fried family as a whole; SBF’s parents and his brother were at least semi-involved with all of this, whether simply receiving those resources in the form of money or property, or being more intimately involved with the operation of FTX. Caroline Ellison is the stepdaughter of Gary Gensler, who had been one of SBF’s professors and is the current head of the SEC. She was the CEO of Alameda Research, as well as the on-again, off-again romantic partner of SBF. Mooch was an investor, friend, and business partner of SBF. Wow. No wonder Trump has had such strong words about BTC and crypto as a whole. Not saying that he was directly involved or even likely talked to SBF at any time while he was in office. However, Scaramucci was involved, at different times, with the Trump admin. Make of that what you will.

https://www.cnbc.com/2023/10/03/sam-bankman-fried-trial-witness-list-scaramucci-ellison-more.html

WE 5 – AI Nonsense

5-1: Google Assistant to Get Bard Soon

Hey Google! Sorry if I just triggered your phones or wiretap devices, all… But soon enough, the simpler AI of Assistant will get a boost via the injection of Bard into the system. That’s right, Assistant with Bard is coming soon, and will be able to do almost anything that you can do with Bard or ChatGPT, only within your Android device and the Assistant. It will be able to summarize missed emails, analyze pictures, and generate things for you based on text or voice prompts. I never got into any of the voice assistants, because they just never sat right with me and I also was never initially happy with their results. I wasn’t patient enough to train them effectively, so I always had parts of my phones which I never really touched. How many of you are like me in that way? If you want a decent speech-to-text engine which you can use to hook into your phone’s keyboard, try the Futo Voice Input app; you can find it on F-Droid, if you add the repository for it, or even on the Play Store. It is put together by a braintrust which is dedicated to open source and device repairability. If you are a fan of Louis Rossmann, you’ll appreciate this organization. I’ll drop a link below to the F-Droid repository.

https://www.pcmag.com/news/google-assistant-is-getting-a-bard-generative-ai-upgrade

https://app.futo.org/fdroid/repo/

5-2: Copilot: Can It Run Windows For You?

This article kind of drools over the notion of ease of use in reference to the ever-evolving cluster fuck that is Windows. Pardon my foul language. Windows has only gotten more and more complex over the years, and Copilot, once it has been iterated upon (assuming that it makes it through that process, which is not guaranteed, RIP Cortana), is intended to enable that kind of fluid interaction. Its stated goal is to “turn every user into a power user”. Perhaps I am an elitist, but I think that if you want to get good at something, dumbing it down and adding another layer of surveillance tech to the equation doesn’t seem like the way to do that. Why don’t we just make the interface simpler and cleaner, so that actions are intuitive, even for the youngest users, rather than adding AI to the mix? On the surface, and turning off the skeptical and cynical parts of my brain, this article makes a valid point. I do want something akin to Jarvis, only without Big Brother watching my every action in excruciating detail, then making itself smarter at my expense. Is there a way to have my cake and eat it, too? I don’t know. I can dream, though. The only way I can see this happening is if everyone had the ability to self-host their own AI models. That is an exceptional amount of computing power, know-how, and overall power consumption that would be necessary for the whole population to have access to tools like that. I also question the impulse in that direction, though, because as much as it could make life easier and create moments of lower friction for creativity to flow, is that always a good thing? I don’t know. What do you guys think?

https://www.cnet.com/tech/services-and-software/copilot-may-mean-never-having-to-learn-windows-ever-again/

WE 6 – AWS and Azure to Be Examined by the UK CMA

I talked about the possibility of this referral coming months ago, and salivated over it, while simultaneously lamenting the need for a government large enough to smash mega corporations if need be. I am a ball of contradictions on this topic. I admit it. However, I feel like Big Tech needs to be taken to school. Maybe even behind the woodshed. They have become abusive to us because we allowed them to by continuing to utilize their products and services like a bunch of mindless sheep. They take advantage of us by offering cheap, relatively easy entryways into the world of cloud computing, but then making it hard to leave their walled gardens. This is wholly unfair to us as consumers, as well as to other innovative businesses which may be better for us as a whole, even if they may not be as initially frictionless as the Azures and AWSs of the world. As they figure it, in the UK, AWS and Azure cover 60-70% of the market for cloud services, and even Google is dwarfed in comparison, at a mere ~11-21% of the UK market. Those are eye-popping numbers. The CMA is concerned that this represents too much concentration of power in the hands of too few, which is rarely good for anyone in the long run. They will carefully examine the situation, and we can expect a report with their findings and potential fines and whatnot by early 2025. I hope that the UK smashes these giants with an aptly sized hammer, not just levies fines against them, as is the typical turn of events in cases like this. We shall see. What is your take on these issues? Is it good to have a government big enough to push around transnational corporations like Microsoft and Amazon? Should MSFT and AMZN have ever gotten to where they are in terms of market share? I’m not questioning the quality of their cloud platforms, just the ways in which they maintain their grip on the businesses and individuals which see no alternative other than to depend on them.

https://www.cnbc.com/2023/10/05/amazon-and-microsofts-cloud-dominance-referred-for-uk-competition-probe.html

WE 7 – Apple Shenanigans

7-1: Apple Fixes Their Shit

iOS 17.0.3 was released to fix some of the overheating issues with the iPhone 15 series of devices. If you listen to or watch the show, here is where Connor will start his rant about how stupid some of their “fixes” have been in the latest updates.

This article tries to comfort people about how hot their phones have been getting lately, echoing Apple that it doesn’t have anything to do with the new materials used, and that unless there is a warning about heat on the screen, the devices are safe to use. Ignore that burning sensation in your hands and the acrid scent of char-grilled fingertips wafting up from your lightly smoking, $1000+ status symbol. They try to pin the extra heat on poorly optimized apps, or the restore process, but insist that the updates they pushed out this week are bug fixes to reduce that extra heat on your wholly unnecessary updated iPhone status symbol. That is why I call them status symbols: they are overpriced for what they do, and unless you have one from 4+ years ago, currently, you don’t NEED a new one. Stop mindlessly consuming, just because Apple says you should.

https://www.cnbc.com/2023/10/04/apple-iphone-15-overheating-fix-released-in-ios-update.html

7-2: DuckDuckGo: Apple Almost Switched to Us…Really Guys.

As a part of the antitrust trial against Google, the founder and CEO of DuckDuckGo testified that Apple was much closer to switching default search engines than anyone outside knew. There were a series of 20 calls or meetings between 2016, when Weinberg first pitched the idea, and 2019, when Apple finally ended the conversation. Weinberg always felt that, at least on his side, these talks went well, but that the standing contract with Google was the primary deal breaker for the partnership moving forward, even just for private mode searches within Safari. They also pitched to Samsung, Mozilla, and Opera, but time and time again felt stymied by the extant agreements all of them had with the 800-lb gorilla. Apple executives remember things a bit differently, though. One, who also testified, was concerned with the link to Microsoft (as DDG uses the Bing indexes) as an Achilles’ heel for the whole thing, an incongruence with the way that they presented their product. I used to use DDG. Used to love it. Then it went woke and started tampering with results. If I am going to use a search engine, I don’t want it to feed me ads or what its creators think I should want to see, but just what I ask to see. If DDG does not provide that, then I don’t care so much about its vaunted privacy focus, because its whole MO is eroded by the way that their algorithms tamper with my search results. I think that testimony like this will lead to heavy fines, if not potentially a Ma Bell situation with Google. I want to see it splintered into a thousand tiny pieces, and prevented forever from reintegrating into its previous state. That is likely too much to ask, but a boy can hope, can’t he?

https://www.cnbc.com/2023/10/05/duckduckgo-ceo-testified-about-talks-with-apple-to-replace-google.html