Archive for November 1, 2022

TELUS Makes A Pair Of Announcements Today

Posted in Commentary with tags on November 1, 2022 by itnerd

TELUS has some great initiatives launching this week, and I’d like to highlight two of the announcements they’ve got on the go:

Meet TELUS’ Friendly Future Makers

Today TELUS announced the seven recipients of its inaugural Friendly Future Makers Awards. Launched this past August, the Friendly Future Makers Awards program is a nation-wide search for young Canadians creating positive and long-lasting change in their communities.

After receiving hundreds of heartfelt nominations across the country, seven Friendly Future Makers were selected by a panel of TELUS judges. Each Friendly Future Maker will receive a prize pack worth $7,000, including $5,000 to be placed in an RESP or to help fund an initiative of their choosing, a $1,000 TELUS gift card, and a $1,000 donation to a registered charity of their choice.

Here is the link to the media release for more information.

Supporting Amnesty International Canada

In light of the continued unrest in Iran, throughout November, TELUS is raising funds through TELUS Friendly Future Foundation to support Amnesty International Canada’s work in protecting women’s and children’s human rights globally. 

To help support this initiative, Canadians can text DONATE to 41010 to give $20 to TELUS Friendly Future Foundation in support of Amnesty International Canada.

In addition, TELUS Health has initiated a 24/7 free crisis hotline available to all those in need of emotional support at 1-844-751-2133. International support is also available here.

There will be more coming from TELUS later this week so watch for posts in the coming days.

Elon Musk Announces Twitter Blue For $8 A Month

Posted in Commentary with tags on November 1, 2022 by itnerd

Earlier today, I posted about the blowback that Twitter and its overlord Elon Musk were getting due to his idea of charging for verification on Twitter. It now seems that Musk has moved from $20 a month to $8 a month, based on this stream of Tweets from Musk’s Twitter account:

I truly encourage you to read the entire string of Tweets as it shows you what you get for your $8 a month, and it shows you where his head is at. But, here’s one reaction to this:

That is a valid point. Because what Musk isn’t smart enough to understand is that this firestorm is not about price. It’s about making sure that someone on Twitter is who they say they are. Musk really needs to figure that out and rethink this strategy.

I honestly don’t think that this will put out the firestorm that this whole thing has created. In fact, I would not be surprised if this accelerates the firestorm.

OpenSSL Releases New Version To Fix A “Critical” Flaw

Posted in Commentary with tags on November 1, 2022 by itnerd

The OpenSSL Project is releasing a new version of OpenSSL today that will patch an undisclosed flaw in current versions of the technology, leaving companies in a bind to quickly fix the vulnerability before hackers potentially begin to exploit it. I first posted about this last week, and I recommend that everyone who uses OpenSSL update to this version ASAP.

I have some commentary on this patch from a few sources. Starting with Alex Spivakovsky, VP of Research at Pentera:

“The fact that OpenSSL is self-labeling the vulnerability as a “critical flaw” means that companies would be wise to pay attention. With OpenSSL taking care of the patch, the most important thing security teams can do at this point is try to inventory their instances of OpenSSL and prioritize future remediations based on organizational impact. This will ensure that once the patch is issued they can systematically remediate their most critical instances.

I’m really impressed with OpenSSL’s handling of the process and not shying away from admitting to a flaw on this level. Software bugs and vulnerabilities happen, and it’s a natural byproduct of the software development process. OpenSSL’s proper handling of this disclosure will likely help many companies mitigate the potential impact of the flaw.”

I also wanted to share Rezilion’s informative blog post on this topic, along with this commentary from Yotam Perkal, Director of Vulnerability Research at Rezilion:

“Yes. We won’t know how exploitable it is until Tuesday once the fix and more information are released. But regardless of how critical/ easily exploitable it is, what is safe to assume is that the attack surface won’t be nearly as significant as Heartbleed as OpenSSL 3.x is relatively new and hence won’t be common in a production setting. See my tweet as reference:

Derek McCarthy, Director, Field Engineering of XIoT Cybersecurity Firm, NetRise, provided the following commentary:

Since the details of the vulnerability have yet to be published, we can’t know exactly the impact that this will have on affected software and devices. However, OpenSSL’s definition of a ‘critical’ vulnerability (their own internal scale – not CVSS) is one that ‘affects common misconfigurations which are also likely to be exploitable’; additionally, these vulnerabilities will typically include a ‘significant disclosure of the contents of server memory’, which could often lead to serious impacts such as Remote Code Execution (RCE).

Due to the likely serious nature of these vulnerabilities, organizations should be prepared to scope and address this issue across the enterprise. This once again highlights a common issue that CISOs face, however. How do you scope which of your devices are running a vulnerable version of OpenSSL? This is more trivial for ‘traditional’ devices and applications, but in dealing with the eXtended Internet of Things (XIoT), asset owners are often left with the option of reaching out to their vendors, which is often a convoluted and inefficient (to put it lightly) process.

You can get more info on the patch here. And as I said earlier, you should download it and install it on anything that uses OpenSSL 3.

UPDATE: I have additional commentary, starting with Neal Humphrey, AVP of Security Strategy at Deepwatch:

“The news is out on the OpenSSL front, and thankfully things have been downgraded from Critical to High. While there is a remote code execution (RCE) aspect to the exploit, it is not at the level of the Log4J issues from last year. Log4J was an issue due to its spread and the access that it provided. The OpenSSL issues can be seen as widespread as Log4J but it just isn’t as dangerous. That being said, users should still look to upgrade based on the exploit due to the distributed nature of OpenSSL and its ability to be modified, different from log4j.”

I will have additional commentary and analysis as the day goes on. Stay tuned!

UPDATE #2: I have additional commentary from Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi:

“Patching this new OpenSSL vulnerability is just the start, as it demonstrates how machine identities can be broken, allowing threat actors to masquerade as trusted services. Whether we’re running in the cloud in Azure, using Kubernetes in Amazon AWS, or using Apache in your datacenter, the entire digital business requires safe authentication of machine identities. The vulnerabilities in OpenSSL show the impact of poor machine identity management – specifically authenticating machine identities – opening the door to attackers. 

“The current lack of visibility of complex cloud environments leaves businesses dangerously open to attack. Cloud is an untapped war front for threat actors, and I suspect we’ll see a lot more attacks on cloud native environments over the next few months. There’s a knowledge gap on both the threat actor and security sides, so we’re yet to truly understand the security implications, the attacks we might face, and vulnerabilities we may uncover. As we develop a deeper understanding of these complex environments, we’ll see a lot more critical vulnerabilities and high-impact attacks unearthed.

“Now that the seriousness of this vulnerability has been disclosed, it is likely that threat actors are already looking to take advantage of it. To protect themselves, organizations must prioritize patching, and fast. But as with Heartbleed, organizations also need to replace the machine identities impacted by OpenSSL’s vulnerability. We can’t be successful in digital business unless the four tasks of machine identity management – authentication, authorization, lifecycle, and governance – work correctly. History has shown that the industry needs to be ready for these events, now and in the future.”

UPDATE #3: I have a blog post from Rezilion that goes into the weeds by analyzing this issue in detail. Plus I have additional commentary from Yotam Perkal, Director of Vulnerability Research at Rezilion:

Is there any cause for concern?

The short answer is, you should be worried.

How worried should you be?

Well, that depends on how many vulnerable instances of OpenSSL 3.x you have in your environment and whether you have the ability to accurately detect them so that you can apply the patch once it’s out.

The OpenSSL team announcement caused significant concern for several reasons. First, this is only the second time that the OpenSSL project team has classified a vulnerability as critical, the previous time being Heartbleed (CVE-2014-0160), which enabled attackers to compromise sensitive information such as secrets and private keys that were meant to be protected by SSL/TLS.

Second, OpenSSL is extremely prevalent in modern computer environments. The relatively long advance warning window provided by the OpenSSL project team has added to the speculations regarding the significance of this vulnerability.

That said, the potential impact in this case seems relatively limited. Mainly due to the fact that the vulnerability only affects OpenSSL versions 3.x.

Why is that significant?

Well, version 3.0 of OpenSSL was only released a year ago. In IT terms, it is considered a new library. Hence, not many software projects and applications have migrated to use it which makes it relatively rare to find in production systems.

For proportion, there are currently under 16,000 publicly accessible servers worldwide running potentially vulnerable versions of OpenSSL (3.x), while close to 240,000 servers are STILL vulnerable to Heartbleed 8 years after its initial discovery.

Does Yotam think this is an issue worth covering?

Yes. It definitely deserves coverage.

What kind of tools this vulnerability might affect. What platforms/companies etc use this?

As I mentioned earlier, OpenSSL is extremely prevalent in modern computer environments. Yet since version 3.x is relatively new, it is less common to find in a production setting.

Here are several Linux OS distributions that come with OpenSSL 3.x out-of-the-box. For example (a more comprehensive list is available here):

  • CentOS Stream 9
  • Fedora 36
  • Fedora Rawhide
  • Kali 2022.3
  • Linux Mint 21 Vanessa
  • Mageia Cauldron
  • OpenMandriva 4.3
  • Red Hat ES 9
  • Rocky Linux release 9.0
  • Ubuntu 22.04 (Jammy)

Do note that there is a possibility that an OS distribution does not come with OpenSSL 3.x by default, yet it was actively installed at a later stage.

If you are running Docker containers in your environment, please refer to the DockerHub image vulnerability database which tracks vulnerable container images under DSA-2022-0001.

Docker currently estimates that around 1,000 docker image repositories (Official Images and Verified Publisher Images) are potentially vulnerable.

UPDATE #4: I have commentary from Mattias Gees, Container Product Lead at Venafi

“When OpenSSL first announced this patch was coming, I immediately thought back to major vulnerabilities of the past, such as Heartbleed and Log4j. However, this vulnerability has been downgraded from critical to high severity by OpenSSL, mainly because it doesn’t cause data leakage and the attack vector is relatively small. But this doesn’t mean we’re off the hook as the risk of DDoS attacks is still high if servers request client authentication, and a malicious server connects.

“Servers that are on OpenSSL 3.0 and are using Client Authentication in a non-trusted environment – such as public facing servers – should patch immediately to ensure they don’t fall victim to DDoS attacks. Servers running in trusted environments should still be patched, but the urgency here is reduced as attacks won’t be effective unless a threat actor manages to infiltrate your network.”
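The commentary above boils down to two practical tasks: find every OpenSSL 3.x build in the estate, and patch the public-facing servers that request client certificates first. As an added example (not part of the original post and not tooling from any of the vendors quoted), here is a small triage script that takes the output of `openssl version` collected from each host, decides whether that build is in the affected range, and ranks what is left by exposure. The host names and version outputs are constructed. The affected range (3.0.0 through 3.0.6) and the fixed release (3.0.7) are not stated on this page; they are the values in the OpenSSL advisory of 1 November 2022.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed release per the OpenSSL advisory of 1 November 2022
# (3.0.0 through 3.0.6 affected, 3.0.7 fixed); the page itself only says "3.x".
FIXED_VERSION = (3, 0, 7)

# Matches the first line of `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022",
# "OpenSSL 1.1.1q  5 Jul 2022" or a snapshot build such as "OpenSSL 3.1.0-dev".
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*(-[\w.]+)?")


def parse_openssl_version(output: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), prerelease_suffix), or None if this is not OpenSSL output."""
    m = VERSION_RE.match(output.strip())
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, (m.group(4) or "")


def classify(output: str) -> str:
    """Map one host's `openssl version` output to AFFECTED / FIXED / NOT_AFFECTED / REVIEW / UNKNOWN."""
    parsed = parse_openssl_version(output)
    if parsed is None:
        return "UNKNOWN"        # no usable output: command missing, vendored library, appliance, etc.
    version, prerelease = parsed
    if version[0] != 3:
        return "NOT_AFFECTED"   # the flaw lives in 3.0.x; 1.1.1 and older never shipped the code
    if prerelease:
        return "REVIEW"         # a snapshot's number does not tell you which commit it was built from
    return "AFFECTED" if version < FIXED_VERSION else "FIXED"


@dataclass(frozen=True)
class Host:
    name: str
    exposure: str         # "public" (untrusted peers can connect) or "internal"
    client_auth: bool     # the server asks connecting peers for a client certificate
    version_output: str   # collected with `openssl version` on the host


def triage(hosts: List[Host]) -> List[Tuple[int, str, str]]:
    """Return (urgency, host name, status) for every host that still needs work, most urgent first.

    Urgency follows the commentary above: a public-facing server that requests client
    certificates is patched first; internal-only hosts can follow.
    """
    ranked = []
    for h in hosts:
        status = classify(h.version_output)
        if status in ("FIXED", "NOT_AFFECTED"):
            continue
        urgency = (2 if h.exposure == "public" else 0) + (1 if h.client_auth else 0)
        ranked.append((urgency, h.name, status))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed inventory for illustration; host names and outputs are made up.
SAMPLE_INVENTORY = [
    Host("web-edge-01", "public", True, "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)"),
    Host("web-edge-02", "public", False, "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)"),
    Host("api-internal-01", "internal", True, "OpenSSL 3.0.6 11 Oct 2022 (Library: OpenSSL 3.0.6 11 Oct 2022)"),
    Host("legacy-lb-01", "public", True, "OpenSSL 1.1.1q  5 Jul 2022"),
    Host("build-01", "internal", False, "OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )"),
    Host("patched-01", "public", True, "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)"),
    Host("appliance-07", "internal", False, "sh: openssl: command not found"),
]


if __name__ == "__main__":
    for urgency, name, status in triage(SAMPLE_INVENTORY):
        print(f"{urgency}  {name:<16} {status}")
```

Two caveats when feeding this real data. `openssl version` only describes the binary on the PATH; applications that bundle their own libssl, and every container image (see the Docker Hub note above), need to be checked on their own, for instance by looking at which `libssl.so` file each running process actually has mapped under `/proc/<pid>/maps`. And a host that returns UNKNOWN or REVIEW is not a host you can ignore; it is exactly the appliance or vendor device that McCarthy describes, and it stays on the list until someone confirms what it runs.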

Hisense Announces The U88H Series

Posted in Commentary with tags on November 1, 2022 by itnerd

With a remarkably bright picture, vibrant colours and impressive contrast, the Hisense U88H Series Quantum Dot Google TV delivers an immersive viewing experience.

Launched earlier this year at CES 2022 in Las Vegas, the premium 4K ULED TV, which features a Mini LED upgrade paired with Hisense’s Quantum Dot technology, is now available in Canada. The U88H Series is available in 55-inch, 65-inch and 75-inch models.

With a 120Hz refresh rate, a peak brightness of up to 1,500 nits and picture upgrades like IMAX Enhanced, Ultra Motion Sports Mode, Filmmaker Mode, Dolby Vision IQ and HDR10+, the U88H Series takes picture quality to a new level. With growing interest in free, live over-the-air broadcasts, especially local news, sports and network content, the newly integrated NEXTGEN TV (ATSC 3.0) offers extensive options to watch content in 4K HDR with Dolby audio.

Some features of the U88H Series include:

  • Quantum Dot — Boasting a palette of more than a billion colours, Hisense Quantum Dot ULED TVs display true lifelike colours with beautiful gradation that elevates the overall picture quality with authentic colour, brilliant contrast, clear motion and distinct details.
  • Mini LED — Much smaller than conventional LEDs, they allow for significantly more LEDs on each panel producing incredible detail and contrast with deeper black and brighter white levels
  • 1,500 nits Peak Brightness — A higher number of nits means TVs with HDR can reach a higher contrast ratio. This allows the U88H to better differentiate between bright and dark scenes without losing detail. 
  • Ultra Motion Sports Mode — The native 120Hz refresh rate and sports mode remove “noise” using a dynamic algorithm tailored to moving objects, resulting in a truly vibrant, crystal-clear image. It also enhances crowd surround sound effects, meaning lifelike crowd sound while the commentator stays clear and focused.
  • Google TV™ — Equipped with Google, the U88H brings together movies, shows and more from across your apps and subscriptions and organizes them just for you. Discover new things to watch with recommendations based on what you watch and what interests you. The voice control remote makes it easier to find movies and shows, answer questions, control smart home devices, and more.

The U88H Series televisions are available in stores and online at Visions Electronics stores across Canada and online at Best Buy, Amazon, The Brick, Tanguay, and other authorized retailers.

For more information, please visit hisense-canada.com

Musk Appears To Have Frozen Out Moderators On Twitter…. That’s Not Good

Posted in Commentary with tags on November 1, 2022 by itnerd

Elon Musk is a free-speech-at-all-costs sort of guy. And it is possible that we’re starting to see that in action, as this Bloomberg story reveals that members of Twitter’s Trust and Safety organization appear to be frozen out of moderating content on the platform:

Twitter Inc., the social network being overhauled by new owner Elon Musk, has frozen some employee access to internal tools used for content moderation and other policy enforcement, curbing the staff’s ability to clamp down on misinformation ahead of a major US election.

Most people who work in Twitter’s Trust and Safety organization are currently unable to alter or penalize accounts that break rules around misleading information, offensive posts and hate speech, except for the most high-impact violations that would involve real-world harm, according to people familiar with the matter. Those posts were prioritized for manual enforcement, they said.

People who were on call to enforce Twitter’s policies during Brazil’s presidential election did get access to the internal tools on Sunday, but in a limited capacity, according to two of the people. The company is still utilizing automated enforcement technology, and third-party contractors, according to one person, though the highest-profile violations are typically reviewed by Twitter employees.

San Francisco-based Twitter declined to comment on new limits placed on its content-moderation tools.

Here is why this is a huge problem:

The scaled-back content moderation has raised concerns among employees on Twitter’s Trust and Safety team, who believe the company will be short-handed in enforcing policies in the run-up to the US midterm election on Nov. 8. Trust and Safety employees are often tasked with enforcing Twitter’s misinformation and civic integrity policies — many of the same policies that former President Donald Trump routinely violated before and after the 2020 elections, the company said at the time.

Other employees said they were worried about Twitter rolling back its data access for researchers and academics, and about how it would deal with foreign influence operations under Musk’s leadership.

On Friday and Saturday, Bloomberg reported a surge in hate speech on Twitter. That included a 1,700% spike in the use of a racist slur on the platform, which at its peak appeared 215 times every five minutes, according to data from Dataminr, an official Twitter partner that has access to the entire platform. The Trust and Safety team did not have access to enforce Twitter’s moderation policies during this time, two people said.

If Musk is promising that Twitter won’t become a “free for all hellscape” under his leadership, then this doesn’t help to meet that standard. It’s becoming increasingly clear that Elon Musk is going to drive down the value of Twitter so much due to his poor decision making that he’ll burn through a ton of cash and it will start to affect his other ventures like Tesla and SpaceX. Which means that this will not end well for Musk on multiple fronts.

An Update On Bell’s Gigahub Rollout Issues…. It’s Not You, It’s Them

Posted in Commentary with tags on November 1, 2022 by itnerd

You might recall that I wrote about the new Bell Gigahub, which is part of their 8 Gbps fibre rollout, and the troubles that some people have had with it when it comes to using their own gear with the Gigahub. I asked for people in the Greater Toronto Area who were having trouble with it to ping me so that I could see these issues first hand. First of all, I’d like to thank the people I’ve met over the last couple of weeks to look at this; it has allowed me to conclude that this Gigahub has issues. And what’s really good about this situation is that Bell has confirmed that there are issues with the Gigahub via this thread on DSLReports.com and that a firmware fix is coming (click to enlarge):

Bell_Dom is a Bell employee who really goes above and beyond to help Bell customers on DSLReports.com. Thus if he says it, it’s fact. Though I would love to know when this firmware is rolling out so that I can be ready to assist the people that I’ve met further.

In any case, here’s what the issue is:

  • If you have a Bell service that uses XGS-PON, then the Gigahub will work fine. Bell’s 8 Gbps service uses XGS-PON.
  • If you have a Bell service that uses GPON, then the Gigahub doesn’t work with your own hardware properly. Every other Bell service uses GPON.

Thus I have to assume that Bell or Sagemcom, who makes the Gigahub, screwed something up with their GPON support when it is used with a third-party router. I’m not surprised by this, as people using their own gear are an edge case to Bell, so I can see that they would not spend any time testing that scenario.

I’ll be keeping an eye on this and I will provide updates as I become aware of them.

UPDATE: I was asked in the comments below if one should change their Gigahub’s setting from XGS-PON to GPON to fix this issue. The answer is NO. Absolutely NOT. This is a setting that Bell’s hardware uses to communicate with the Bell network, and it depends on the use case: depending on what Bell speed tier you have, this setting might change. Changing it will break your access to the Internet, so you should not touch it. Again, Bell will address this issue in a firmware update.

Twitter Is Descending Into A Hellscape For Employees Under Musk

Posted in Commentary with tags on November 1, 2022 by itnerd

Twitter under Elon Musk is becoming the one thing that he promised it wouldn’t become. A Hellscape. Specifically a hellscape for his employees. CNBC reports that Musk is forcing employees to prove their worth, and meet insanely impossible deadlines:

Twitter employees who were there before Musk took over said they have been asked to show his teams all manner of technical documentation, to justify their work and their teams’ work, and to explain their value within the company. The threat of dismissal looms if they do not impress, they said.

The employees said they are worried about being fired without cause or warning, rather than laid off with severance. Some are worried that they will not be able to reap the rewards of stock options that are scheduled to vest in the first week of November, according to documentation viewed by CNBC.

Meanwhile, the Twitter employees said they have not received specific plans from Musk and his team yet, and are largely in the dark about possible head count cuts within their groups, budgets and long-term strategies.

Musk has set nearly impossible deadlines for some to do-list items, however.

And:

Managers at Twitter have instructed some employees to work 12-hour shifts, seven days a week, in order to hit Musk’s aggressive deadlines, according to internal communications. The sprint orders have come without any discussion about overtime pay or comp time, or about job security. Task completion by the early November deadline is seen as a make-or-break matter for their careers at Twitter.

In an atmosphere of fear and distrust, many Twitter employees have stopped communicating with each other on internal systems about workplace issues. What’s more, some of Twitter’s Slack channels have gone nearly silent, multiple employees told CNBC.

Meanwhile, Musk and his inner circle have been plumbing archived messages in the systems, ostensibly looking for people to fire and budgets or projects to slash.

A couple of things spring to mind. First is the fact that if a leader of other human beings has to threaten people to get them to perform, that leader doesn’t have the ability to lead. Second, this culture of fear that Musk is creating is going to send key people to the exits. And then what does he do?

Honestly, if I worked for Twitter and I hadn’t made my way to the exits by now, I would be doing so immediately. Even working for Burger King would be better than working for Elon Musk.

Nearly a Third of Cybersecurity Leaders Are Considering Quitting: Black Fog

Posted in Commentary with tags on November 1, 2022 by itnerd

Almost a third (32%) of CISOs and IT security decision makers (DMs) in the UK and US are considering leaving their current organization, according to new research from BlackFog, released today. Of those considering leaving their current role, a third would do so within the next six months. These findings come as demand for cybersecurity talent intensifies, with reports of hard-to-fill vacancies and skills shortages across UK and US organizations.

This research, which explored the frustrations and challenges faced by cybersecurity professionals also highlights the impact that cyber incidents have on turnover and job security. It revealed that of those who had been a CISO or IT security leader at a previous organization, two fifths (41%) either left, or were let go, due to an attack or data breach. 

When asked about the aspect of their role that they disliked most, 30% cited the lack of work life balance, with 27% stating that too much time was spent on firefighting rather than focusing on strategic issues.  

However, their role in keeping their organization safe from cyberthreats was clearly valued, with 44% of respondents stating that the most enjoyable aspect of the job is being the company ‘protector’ and having the ability to keep everyone working securely. 

The struggle to keep up with new cyber security approaches 

Escalating cybersecurity threats are driving new innovations to help organizations improve their cybersecurity posture, however, BlackFog’s findings show:

  • More than half, 52%, admitted that they are struggling to keep up to date with new frameworks and models such as Zero Trust.  
  • A further 20% felt that keeping the skill levels of their teams in line with these was a ‘serious challenge’. 
  • 54% also felt that they weren’t able to keep up to date with information on the latest cybersecurity solutions such as anti data exfiltration. 
  • 43% of respondents found it difficult to keep pace with the newest innovations in the cybersecurity market. This number varied by country, with 49% of US respondents agreeing versus 36% in the UK. 

Aligning with Board expectations

There were several key positives reflected in this study, especially in the realm of the Board’s expectations of the respondents. BlackFog’s findings show that 3 out of 4 (75%) agree that there is full alignment between the Board’s expectations of what they can achieve in their role and what they are equipped and able to deliver. In fact, nearly two thirds (64%) of respondents were able to complete their priority tasks within the first six months of their starting date. This may be down to the fact that, on average, 27% of IT spending goes towards the security budget.

Elon Musk’s Plan To Charge Twitter Users To Keep Their Verified Status Is Going Over As Well As You’d Expect… Which Is Not Well

Posted in Commentary with tags on November 1, 2022 by itnerd

Yesterday in one of my posts about the sideshow that Twitter has become under Elon Musk, I said this about Twitter’s plan to charge $20 a month to have people keep their verified status on Twitter. AKA: The blue checkmark:

I really can’t see movie stars, politicians and athletes who are already verified by Twitter giving Elon Musk $20 a month to keep their blue checkmark. What I do see them doing is abandoning the platform in droves. 

That appears to be playing out right in front of our eyes. A reader pointed me towards this Tweet from novelist Stephen King:

That got the attention of Musk:

Musk’s habit of throwing out comments that can come across as insulting and dismissive really isn’t helping him here. Then he said this:

I can’t wait to see how he dances around this issue, because Musk really created a situation that has caused all sorts of noise that he simply didn’t need to create. And Zack Nelson, who is also known as “JerryRigEverything”, summed it up best:

On top of that, Hopewell Chin’ono who is a Zimbabwean investigative journalist and documentary film maker had this to say:

The point here is that Musk is so busy trying to make Twitter profitable that he doesn’t see the bigger picture of what Twitter actually is. It also reinforces that he acts on impulse and doesn’t think through his schemes. Musk at this point is causing so much chaos within Twitter that there’s zero chance that Twitter survives. And I would say that Musk should really figure out an exit strategy that puts Twitter into the hands of people who are capable of running the company. Because he’s proven that in the short time that he’s owned Twitter, he’s not capable of running it in a way that encourages people to stay on the platform.