Archive for June 7, 2024

Microsoft Backtracks On Recall Being Switched On By Default…. Not That It Matters

Posted in Commentary with tags on June 7, 2024 by itnerd

Microsoft Recall has been a dumpster fire since it was announced. It was seen as a privacy nightmare. Then a security researcher found how insecure it was. Since then, it has come to light that the situation is even worse than previously thought. I would recommend reading this article because it’s just mind blowing.

In any case, I guess that this all became too much for Microsoft, who posted this blog post on Recall:

Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards. With that in mind we are announcing updates that will go into effect before Recall (preview) ships to customers on June 18.

  • First, we are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall. If you don’t proactively choose to turn it on, it will be off by default.
  • Second, Windows Hello enrollment is required to enable Recall. In addition, proof of presence is also required to view your timeline and search in Recall.
  • Third, we are adding additional layers of data protection including “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates. In addition, we encrypted the search index database.

Now to be fair to Microsoft, these are all meaningful changes. But I have to ask the question that most people are going to ask. Why was none of this part of the original spec for Recall? That might have mitigated some of the blowback. On top of that, even with these changes, I wouldn’t recommend ever using Recall. Just think of the nightmares that it would create for companies who have this feature turned on when a lawyer knocks on their door as part of some sort of legal discovery process. Or how about a domestic abuser who is intent on going after their partner in any way they can? The risks are too great, and Microsoft has no fix for that. So you’re better off not using it as a result.

LAUSD Investigates Claims Of Being Pwned By A Threat Actor For A Second Time

Posted in Commentary with tags on June 7, 2024 by itnerd

The Los Angeles Unified School District (LAUSD) is currently investigating a threat actor’s claims that they are selling stolen databases containing sensitive information belonging to millions of students and thousands of teachers. LAUSD, which is the second largest public school district in the United States, had more than 563,000 students enrolled for the 2023-2024 school year.

According to the threat actor, the stolen data is being sold for $1,000 on a hacking forum. The data allegedly includes over 11GB of information, encompassing more than 24 million student records, over 24,000 teacher records, and approximately 500 records containing staff information. The hacker shared samples of the data to prove its legitimacy, which included around 1,000 student records complete with Social Security Numbers (SSNs), addresses, parent addresses, email addresses, contact information, and dates of birth.
 
The authenticity and recency of the data remain uncertain as the threat actor only shared a small portion of the allegedly stolen information. There might be new information that has not yet been disclosed.
 
“We are looking into this and will get back to you if we have further information to share,” said LAUSD Public Information Officer Britt Vaughan in a statement to BleepingComputer.
 
In a related incident, LAUSD was hit by a ransomware attack in September 2022 over the Labor Day weekend. The Vice Society gang claimed responsibility for that breach, saying they stole 500GB of files before encrypting the district’s systems.
 
Following the 2022 attack, LAUSD mandated that all employees (teachers, support staff, and administrators), as well as students, reset their @LAUSD.net account credentials in person at a district site, and it expedited the rollout of multi-factor authentication.

Steve Hahn, Executive VP, BullWall, has this to say:

   “The threat landscape has taken a sinister turn in the last few years, partly because these (mostly) Russian-based threat actors consider our support of Ukraine an act of war and also because of the financial stakes. This is a multi-billion-dollar industry now. However, recent years have seen the threat actors intentionally targeting young children for extortion and blackmail, which is precisely what this is. It’s unconscionable.

   “Threat actors target schools with “dual extortion” techniques. They exfiltrate data on students and encrypt all of the school’s data in a sequenced attack. The school will have to pay to not have that data leaked and pay again to get it decrypted. The information they can get in an attack like this is devastating to the children involved. Information about their grades, sexual activity, medications or mental healthcare, domestic violence, sexual orientation or identity and disciplinary actions. When this gets leaked parents will be, rightfully, outraged and the political fallout severe. The threat actors know this and seem to disregard the impact on the well-being of the targeted children.

   “Unlike big corporations or other government services, schools simply don’t have the resources or personnel to prevent these attacks. It is not a matter of “if” a school district will be hit but “when” and the funding bodies don’t seem willing to allocate pro-active funding until they’ve been hit and see first-hand the fallout. However, even with the best prevention tools in the world a determined threat actor will eventually break through.

   “Schools need to limit the sensitive information they document and retain. They need recovery strategies for the eventuality and need to also focus on rapid containment of the event to limit the amount of data impacted. It is also important to hold tabletop exercises to create a playbook for what happens when they eventually do get hit. How Legal, Boards and City Councils will be involved. These exercises often open up the eyes of the city councils to just how impactful these events are.”

Dave Ratner, CEO, HYAS follows with this:

“Schools and universities are increasingly becoming common targets, both because of the treasure trove of data they contain and their overall cyber security posture, which is unfortunately often less than perfect based on limited budgets. It’s imperative that those in the education sector prioritize cyber security hygiene — often this can be accomplished in a budget-friendly manner via one of the many MSP and MSSPs that focus on best practices.”

It will be interesting to see if these claims of LAUSD being pwned again are true. If they are, then LAUSD will have to do a lot of hard work to make sure that threat actors don’t go three for three, so to speak.

Bartender Has Been Updated To Remove Analytics Gathering…. So, Do You Trust Them Now?

Posted in Commentary with tags on June 7, 2024 by itnerd

Well, here’s a plot twist that I didn’t see coming after this controversy popped up. Applause, the company that now owns Bartender, has just put out an update to bring the version to 5.0.53. A Reddit user got this and posted about it on Reddit:

So clearly the blowback was so bad, the company claims to have removed the analytics that fanned the flames of this controversy.

On top of that, the change log seems kind of suspect, as what they are saying runs counter to what Reddit users have found out about Applause via their own FAQ, which you can read as part of my original story above. It honestly sounds like this has become a damage control exercise, as the company bought Bartender, really screwed up how it handled the purchase with users of the app, and tossed in some shady behaviour in the form of adding analytics, which make you question the explanation provided by Applause as to why these analytics were added.

The real question is: does this move make you trust them?

The answer in my case is no. I will not be updating to this version and I will continue to run Ice for the time being. For Bartender and their new owners Applause to get me back, they will have to do a whole lot more to earn my trust because at the moment, my trust level with them is zero.

Adobe Tries Again To Clarify Their Terms Of Use…. Does This Make You Feel Better About Adobe?

Posted in Commentary with tags on June 7, 2024 by itnerd

Yesterday, a C-level executive tried to put out the firestorm that Adobe created when changes to their terms of use came to light and made it look like Adobe products were basically spyware, and that Adobe was intent on using customer data to train their AI models.

Now Adobe is taking another crack at trying to make this issue go away via this blog post. I encourage you to read it in full. But here’s the part of it that is most relevant to this discussion:

The focus of this update was to be clearer about the improvements to our moderation processes that we have in place. Given the explosion of Generative AI and our commitment to responsible innovation, we have added more human moderation to our content submissions review processes.

And they also say this:

To be clear, Adobe requires a limited license to access content solely for the purpose of operating or improving the services and software and to enforce our terms and comply with law, such as to protect against abusive content.

Finally they say this:

  • Adobe does not train Firefly Gen AI models on customer content. Firefly generative AI models are trained on a dataset of licensed content, such as Adobe Stock, and public domain content where copyright has expired. Read more here: https://helpx.adobe.com/firefly/faq.html#training-data
  • Adobe will never assume ownership of a customer’s work. Adobe hosts content to enable customers to use our applications and services. Customers own their content and Adobe does not assume any ownership of customer work.

Now if this blog post came out at the same time the terms of use were updated, we may not be here talking about it now. And if they didn’t do any of the following, this absolutely would not have been such a huge issue:

  • To request support to clarify the terms of use, you had to agree to these terms
  • To uninstall the apps because you didn’t like these terms of use, you had to agree to these terms of use anyway.

The fact is Adobe, to borrow a U.K. phrase, stuffed this whole thing. They really screwed up how they handled it and burned a whole lot of goodwill in the process. I guarantee that because of how this was handled, a lot of creative professionals are now either looking for alternatives to Adobe products, or have already switched. Will Adobe care about that? They might if it hits their bank account hard enough. I guess the central question is: does this make you feel better about Adobe, and will you feel comfortable enough to use their products? Sound off in the comments below with your thoughts.