Archive for December 3, 2021

Intuit QuickBooks Canada Shares Their Small Business Holiday Shopping Guide

Posted in Commentary with tags on December 3, 2021 by itnerd

Canadian small businesses need our help this holiday season, but some shoppers don’t know where to start.

To make it easier for Canadians to support small businesses during this busy time, Intuit QuickBooks Canada has curated a selection of local gifts in its Small Business Holiday Shopping Guide.

From plant-based candles and vegan body products to delicious gift boxes and high-quality socks, there’s something special for all the friends and family on your ‘nice list’. And hopefully that can help you to better support small businesses during the holiday season.

Cloud DX Has Been Selected By Medtronic For A National Collaboration

Posted in Commentary with tags on December 3, 2021 by itnerd

Cloud DX has been selected by Medtronic Canada ULC, a subsidiary of Medtronic plc, a global leader in healthcare technology, to provide world-class virtual healthcare to patients across Canada. This partnership advances Medtronic’s commitment to improving patient outcomes and lowering overall costs along the care continuum. Cloud DX’s remote patient monitoring (RPM) technology and services are exclusive to Medtronic and its Canadian client base, which is spread across Canada. Medtronic Canada delivers care in a broad range of clinical areas, including spinal and cardiac surgeries, cardiology, critical care, diabetes, vascular and renal care. Most clinical areas are expected to improve patient outcomes and satisfaction with some aspect of virtual care in the future. Initially, Medtronic seeks to integrate the Connected Health platform and associated services within both perioperative and complex chronic disease pathways in Canada.

Under the agreement, a typical deployment would involve the enrollment of a chronic care or surgical patient onto the Connected Health platform, generating recurring revenue, depending on the length of the monitoring program. Cloud DX generates revenue upfront for kits prescribed to patients for use at home, and then a monthly subscription fee per patient for software, services, and support. Additional revenues could also be generated through customizations, consulting, and special services, as needed.

Cloud DX’s upcoming investor meeting is set for noon on December 8, 2021. You can register here. Leadership will discuss Virtual Care as a Platform and associated revenue streams, including the Cloud DX and Medtronic partnership agreement.

Former Ubiquiti Developer Charged With Extortion Among Other Things Related To Whistleblowing Incident

Posted in Commentary with tags on December 3, 2021 by itnerd

You might recall the mess that Ubiquiti got into earlier this year when they had to admit that they massively downplayed a security breach. Well, there was a serious plot twist in that story. It seems that the person who blew the whistle on Ubiquiti was a former developer for the company who was also trying to extort them. And now he’s charged:

Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

“As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand,” U.S. Attorney Damian Williams said today.

“As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

According to the indictment [PDF], Sharp stole gigabytes of confidential data from Ubiquiti’s AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH.

Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage.

To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation.

“Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.

After Ubiquiti disclosed a security incident in January following Sharp’s data theft, while working to assess the scope and remediate the security breach effects he also tried extorting the company (posing as an anonymous hacker).

His ransom note demanded almost $2 million in exchange for returning the stolen files and the identification of a remaining vulnerability.

The company refused to pay the ransom and, instead, found and removed a second backdoor from its systems, changed all employee credentials, and issued the January 11 security breach notification.

After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident.

This caused Ubiquiti’s stock price to fall by roughly 20%, from $349 on March 30 to $290 on April 1, amounting to losses of over $4 billion in market capitalization.

This pretty much proves that one not only has to worry about hackers on the outside, but also those inside your company with an axe to grind. That makes having a solid security posture insanely difficult. But it’s clearly now a requirement based on this incident.
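
As an added example (not from the indictment, the quoted article, or Ubiquiti): one way to catch the kind of log-retention change described above is to scan CloudTrail records for lifecycle or retention settings that expire logs within a few days. The records below are constructed, and their field layout, the `find_retention_tampering` name and the 7-day threshold are assumptions.

```python
# Constructed CloudTrail-style records; the field layout is an assumption
# modelled on CloudTrail management events, not data from the case.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"bucketName": "example-trail-logs",
         "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                             "Expiration": {"Days": 1}}}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "PutRetentionPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"logGroupName": "/example/app", "retentionInDays": 1}},
    {"eventTime": "2024-01-02T09:00:00Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-ops"},
     "requestParameters": {"bucketName": "example-archive",
         "LifecycleConfiguration": {"Rule": [{"Status": "Enabled",
                                              "Expiration": {"Days": 365}}]}}},
    {"eventTime": "2024-01-02T09:30:00Z", "eventName": "PutRetentionPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-ops"},
     "requestParameters": {"logGroupName": "/example/web", "retentionInDays": 90}},
]

def _to_days(value):
    """Return the value as an int, or None if it is missing or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def find_retention_tampering(events, max_days=7):
    """Flag changes that make logs expire in max_days or fewer."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        who = (ev.get("userIdentity") or {}).get("arn", "unknown")
        hits = []  # (resource, days) pairs found in this event
        if ev.get("eventName") == "PutRetentionPolicy":       # CloudWatch Logs
            hits.append((params.get("logGroupName"), _to_days(params.get("retentionInDays"))))
        elif ev.get("eventName") == "PutBucketLifecycle":     # S3 log bucket
            rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
            for rule in [rules] if isinstance(rules, dict) else rules:
                if rule.get("Status") != "Disabled":
                    days = _to_days((rule.get("Expiration") or {}).get("Days"))
                    hits.append((params.get("bucketName"), days))
        for resource, days in hits:
            if days is not None and days <= max_days:
                findings.append({"time": ev.get("eventTime"), "actor": who,
                                 "resource": resource, "days": days})
    return findings
```

Alerts from a check like this are only useful if the trail being scanned is stored somewhere the flagged administrator cannot alter.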

Trump’s Social Media Site Posts Open Source Code Already Available On GitHub To Avoid Being Sued

Posted in Commentary with tags on December 3, 2021 by itnerd

You might recall that Donald Trump was trying to launch a social media site, and ignoring the fact that it was almost immediately pwned by hackers, it improperly used open source code from a social media platform called Mastodon, which then led to threats of a lawsuit. It now seems Trump and company are trying to quietly avoid being sued:

To avoid a lawsuit, Donald Trump’s social media site is quietly acknowledging the computer code powering the platform comes from Mastodon. Trump’s “Truth Social” site now features a dedicated section labeled “open source,” which contains a Zip archive to Mastodon’s source code. “Our goal is to support the open source community no matter what your political beliefs are. That’s why the first place we go to find amazing software is the community and not ‘Big Tech,’” the site adds. Truth Social created the section on Nov. 12, two weeks after social networking provider Mastodon threatened to sue Trump’s platform for violating its open-source license.

Since Mastodon is an open-source software project, anyone can use it for free. But if you do, the software license demands the code and any ensuing modifications to your Mastodon-powered platform be made publicly available, allowing the entire Mastodon community to benefit. (This doesn’t include publishing any user data or disclosing admin access, though.) […] However, it appears the uploaded Zip archive is simply a barebones version of the existing Mastodon source code you can already find on GitHub. The archive itself is only a mere 30MB in size. Nevertheless, Rochko said the Zip archive might “become more interesting” once Truth Social finally launches.

I seriously doubt that it will get more interesting because these humans clearly have no clue what they are doing. One just cannot spin up a social media site out of thin air as that’s something that takes the Facebooks and Twitters of the world years to do. Take my word for it, this site is unlikely to see the light of day. And even if it does, it is likely to be a train wreck next to a dumpster fire.