Archive for September, 2024

Fidelity Says That Twitter Is Worth Only 21% Of What Elon Musk Bought It For… What A Loser

Posted in Commentary on September 30, 2024 by itnerd

Can someone remind me why people think that Elon Musk is a great businessman? I am asking because of this:

Elon Musk’s X is now worth less than a quarter of its $44 billion purchase price, according to a new estimate from investor Fidelity. 

The asset manager’s Blue Chip Growth Fund now values its stake in X, formerly known as Twitter, at approximately $4.19 million, based on newly released disclosures from Fidelity’s Blue Chip Growth Fund. The firm’s unit has reduced the value of its holding in X by a total of 78.7% as of August end.

For context, Fidelity had initially invested $19.66 million in X through the Blue Chip Fund, as per regulatory filings. This isn’t the first time Fidelity has cut the value of its holding in X. As of July’s end, Fidelity had valued its shares in X at about $5.5 million.

This 78.7% markdown implies that Fidelity is currently valuing X at about $9.4 billion overall. (TechCrunch’s assessment assumes that Fidelity’s investment in X was made at a $44 billion valuation. The acquisition was financed through a combination of equity and debt.)

Perhaps I am looking at this wrong. But if I buy a business and it is worth substantially less than what I bought it for, then that means that I really screwed up because the whole point is to make money rather than bleed money. Given that, you have to wonder how long before Elon taps out because he either has to put his own money into Twitter to keep it afloat, or he has to tap out and look like a loser by doing so.

Let’s see what he’s going to do as I suspect the clock is ticking.

Elon Musk Has To Pay Some More Money To Bring Twitter Back To Brazil

Posted in Commentary on September 30, 2024 by itnerd

The last time I checked, Elon Musk folded up like a cheap suit when it came to his fight with Brazil by complying with everything they wanted him to comply with. But apparently it’s not quite over as Elon is going to have to write another cheque to Brazil:

Reuters and other publications have reported on an order from the country’s Supreme Court Judge Alexandre de Moraes stating that the Elon Musk-owned social network could “immediately return to its activities in national territory” if it pays a fine of 10 million reais (around $1.9 million).

That’s on top of the 18.3 million reais ($3.4 million) X had already been fined. Brazil froze accounts belonging to X and Musk’s satellite internet company Starlink in order to pay the fine, but to move forward, Moraes said Starlink needs to drop its appeal against the payments.

Well, this could be interesting. The Brazilians are clearly making Elon tap-dance to their tune. And Elon, at least for now, seems to be dancing away. Thus you have to wonder if he will continue this dance in order to get Twitter back into Brazil, or if at some point he will go back to the Elon that we all love to hate.

Watch this space.

Texas Hospital Diverts Patients Hundreds Of Miles After Ransomware Attack

Posted in Commentary on September 30, 2024 by itnerd

On Thursday, the University Medical Center Health System in Lubbock, Texas, confirmed a ransomware attack that led to an IT outage which forced the hospital to divert emergency and non-emergency patients via ambulance to nearby health facilities.

UMC is the only level 1 trauma center within 400 miles.

The health system is operating under its downtime procedures while phone systems are down and it’s unable to view messages in the patient portal.

“This is a national security issue.”

“When hospitals are attacked, lives are threatened. When you have the only level 1 trauma center in the region shut down by foreign bad guys, ambulances on diversion, the next level 1 trauma center I understand is hundreds of miles away, you are putting people’s lives in jeopardy,” said John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association and a 30-year FBI veteran.

According to UMC’s latest statement, its healthcare facilities, urgent care clinics and UMC physician clinics remain open. At this stage, it is not possible to tell to what extent, if any, patient data has been compromised.

This past January, UMC notified 127,000 individuals of a data breach compromising their names, dates of birth, mailing addresses, Social Security numbers, diagnosis, and treatment information.

Emily Phelps, Director, Cyware had this to say:

  “The ubiquity of ransomware attacks on healthcare entities highlights the critical need for collective defense and intelligence-driven security processes to proactively defend against these attacks. When healthcare institutions—especially those providing essential services to large regions—are targeted, the consequences go beyond financial loss. Ransomware not only cripples operations but endangers lives, as seen when vital emergency services are forced to divert patients. We must move beyond reactive strategies. Proactively harnessing shared threat intelligence and automation will empower organizations to detect and neutralize attacks before they disrupt essential services. Collaboration between private and public sectors is essential in building a unified defense against this growing threat.”

Stephen Gates, Principal Security SME, Horizon3.ai follows with this comment:

  “Hearing the news about this healthcare system, my heart goes out to the families and individuals affected. There was a time when healthcare organizations were off-limits to attackers because they focus on saving lives. But that unwritten code of ethics no longer applies. This reality is what drove me to write the whitepaper, A Preemptive Approach to Defeat Ransomware in Healthcare. I’m sharing it not to sell anything, but because it offers a solution that healthcare organizations should seriously consider.”

Evan Dornbush, former NSA cybersecurity expert had this to add:

  “Unfortunately, down time is just as damaging to data disclosure, putting the victim here in a very tough spot. The economics of ransomware currently favor the attacker. As long as it is more expensive to be a defender, stories like this will continue to line our newsfeeds.”

I’m not being hyperbolic here. It’s only a matter of time before someone dies because of an attack like this. This is why action needs to be taken now so that never becomes a headline.

Review: OWC Thunderbolt Go Dock

Posted in Products on September 30, 2024 by itnerd

When my MacBook Pro is set up at my desk, I use a dock to create a “1 cable solution” to charge and provide extra ports like USB ports and card reader ports. I do that because it’s a lot easier to access the dock’s ports rather than the ones on the MacBook Pro. And a dock often adds additional ports that I didn’t have before. With that background out of the way, I was intrigued by the OWC Thunderbolt Go Dock that OWC sent over for me to review. And after using it for the last few days, I can conclude that it is a dock that you should go out and buy if you want a dock that provides a load of functionality.

Let’s look at the dock:

The dock is 1.4″ x 9.5″ x 3.6″ and has some heft to it. But not so much heft that it would deter you from tossing it into a backpack to take it someplace. It’s made of aluminum which when in use gets warm to the touch. I point that out because I’ve tried docks that get outright hot to the touch which doesn’t exactly give me a good feeling as I wonder if the dock in question will die at some point because of the heat, or if it will have some other issue that would be a problem. I don’t have that feeling with this dock as clearly the heat is being managed well given that it is warm and not hot.

On one side you get a Thunderbolt 4 port that does 90W power delivery. You also get a Kensington slot to make sure that the dock doesn’t grow legs and walk away. This is the Thunderbolt 4 port that you use to connect to your laptop. In my case an M1 MacBook Pro. 90W of power delivery is a win because any laptop that requires a lot of power is going to be able to be charged quickly with this dock. Now if you look just above the Thunderbolt 4 port, there’s a hole there. That’s actually for a cable stabilizer that you can buy separately that makes sure that the Thunderbolt 4 port doesn’t disconnect by accident.

On the back you get two Thunderbolt 4 ports that do 15W of power delivery, an HDMI port with the ability to drive an 8K display at 60Hz, a 2.5 Gigabit Ethernet port which is handy if you have a network that supports that speed, two USB-A 3.2 10 Gb/s ports that do 1.5A of power for bus-powered drives and device charging, and a plug for a power cable. Here’s why that power plug is cool. The power adapter is built into the dock. And that means no ugly power brick to deal with. It also means that you can use this dock worldwide. As in it covers 100~240V. And the plug itself is a 2 prong power cable. That’s important because if I want to travel with this dock, I simply have to figure out what cable I need for the country that I am going to and buy it off Amazon as a 2 prong power cable is very common and easy to find. Above each Thunderbolt 4 port are cable stabilizer ports.

On the front you get a UHS-II SD card slot, a 1/8″ audio jack (it’s a combo port by the way), a USB 2.0 port and a USB-C 3.2 10Gb/s port. The other thing that I note is that there’s a fair amount of ventilation on this dock. Clearly that helps in terms of keeping it cool. Above the USB-C port is another cable stabilizer port.

I am going to flip over the dock to point out two things that I thought were cool. The first is that the lights that tell you what’s going on from a power and Thunderbolt perspective are on the bottom. Because they’re on the bottom, it means that they will not light up a dark room. But they will still be noticeable if you’re looking for them. People who work in dark rooms who don’t want the LEDs from their devices glowing all the time and bothering them rejoice!

To encourage you to RTFM, OWC has a sticker with a QR code that takes you to online versions of the manuals for the dock and a piece of software called Dock Ejector. More on the latter in a moment.

Also included in the box is a power cable and a Thunderbolt 4 cable. Both should be long enough for any use case that you might have. I should also note that the Thunderbolt 4 cable is a high quality cable that I would expect to last a long time.

So right off the bat, there’s a lot of good things here. Starting with the fact that it does 90W of power delivery to your laptop which means that you won’t be waiting for it to charge. And you have more than a healthy selection of ports to cover pretty much any use case. In terms of speed, from my testing you seem only to be limited to the speed of the devices that you connect to this dock to a point. For example, I connected an OWC Envoy SSD to do some testing with it and this is what I got:

If you compare these results to what I got when I reviewed it, having the OWC Envoy SSD connected to this dock results in roughly a 10% speed hit versus connecting it directly to my Mac. So while there is a bit of a speed penalty, it’s a minor penalty that I am not going to lose any sleep over as you likely won’t notice it or care over the long term as this is still plenty fast.

OWC has a unique use case for this dock that allows you to use the Apple SuperDrive USB-A CD/DVD burner with this dock. Typically, docks don’t play nice with the Apple SuperDrive because of the power that they require. That usually means that you have to connect them directly to a Mac and that defeats the purpose of having a dock. To exploit this use case, you need to install a piece of software from OWC called OWC Dock Ejector. That does two things: it installs a driver that allows the SuperDrive to run with this dock and consume more power, and it gives you a menu bar icon that allows you to eject discs easily. But to use this software, you need to change security modes on your Mac as per this YouTube video.

Now after watching this video, some of you might have an issue with this as lowering the security of anything is bad in 2024. So let’s go into the weeds for a bit to illustrate why this isn’t an issue.

Macs have three possible security policies to choose from:

  • Full Security: This is the default and safest boot policy, with no security downgrades permitted. Your Mac ensures that only actively signed versions of macOS can be installed. (Fun fact: On iOS, this is used to prevent downgrades to previous versions.)
  • Reduced Security: Any compatible macOS version can be installed, as long as it was previously signed by Apple. You can also permit the following:
    • Allow third-party kernel extensions to run
    • Allow MDM (Mobile Device Management) to manage kernel extensions and software updates
  • Permissive Security: This is the most dangerous level and is hidden for safety reasons. Any compatible operating system can be installed, such as custom macOS builds or Linux. You can also permit the following:
    • Allow third-party kernel extensions to run
    • Allow MDM (Mobile Device Management) to manage kernel extensions and software updates
    • Customize or disable System Integrity Protection

If you really want to go into the weeds on this, Apple has this document for Apple Silicon Macs, and this document for Intel Macs that can help you with that. But here’s where I’m going with this. Reduced Security is what OWC needs you to set your Mac to in order to install Dock Ejector, or more specifically the driver that allows the SuperDrive to work with your Mac via the dock. And using Reduced Security could introduce a theoretical risk that you could get pwned by something because the security level is reduced from the default level that your Mac ships with. But the reality is that the chances of getting pwned while you’re in this mode are somewhere between slim and none. I should also note that OWC’s driver is notarized by Apple. So it’s not some sort of rogue piece of software. And all of that is on top of the fact that anything else that runs in that mode has to be notarized by Apple. That in effect means that no rogue piece of code should be able to pwn your Mac.

Now having said all of that, I am going to go out on a limb and say that a few of you will still have a problem with this. Let me help you with that. I was able to hop onto a Zoom call with OWC and they explained two things to me:

  1. The current driver that is part of Dock Ejector was written in IOKit. Long story short, as macOS security tightened up around the kernel with every iteration of macOS, it forced OWC into a position where they had to ask users to do what I described above because this driver is a kernel driver which, in layman’s terms, lives in the core of the operating system.
  2. There is an upcoming version of Dock Ejector that should ship by the end of the year that includes a driver that has been rewritten in DriverKit. By using DriverKit, the driver runs not in the kernel, but in the user space. Which means that you don’t have to do what I described above to install it. Or put another way, you can use this new version of Dock Ejector to get your SuperDrive working without having to do anything that affects what I will call your “perceived level of security”. That’s a total win as far as I am concerned.

Let me point out one more thing. What the above illustrates is that OWC is a top shelf company to deal with. I highlighted a concern to OWC about something that their product did. They hopped onto a Zoom call with me and gave me their side of the story. They were completely transparent and open and I walked away with the feeling that I could confidently recommend this dock to those who find this to be a non-issue, and to those who might have a concern as that concern has been fully addressed from where I sit. I’m pointing this out because I rarely get this level of response and transparency from a company whose products I review. And I am someone who among other things reviews products for a living. So you would think that because of that, companies would want to talk to me. But that’s not the case. I’ve had situations where companies have blown me off in similar situations. OWC didn’t do that which suggests to me that if you buy one of these docks, which you should if you have a use case that this dock can address, you’re going to be taken care of over the long term.

Now with that out of the way, Dock Ejector has a handy feature where if you try to eject a volume that has a file open by an application for example, it will not only tell you that is the case, but it will tell you what application is keeping it open. Thus allowing you to take action as you will be presented with the option to force eject the volume. That’s very cool. And makes it totally worth running if you have this dock.

I will end this review by saying that I really like this dock and I highly recommend it. During my week of testing it, I found zero issues with it and it is solid. Not to mention that it is well designed and thought out to make sure that it appeals to the broadest set of users possible. And at a cost of $299.99 USD, this dock is an excellent value given what OWC has brought to the table feature wise. And if that Dock Ejector thing bothers you, when the new version ships I’ll update this review with a download link to that new version in order to address your unease. If you need a dock for your desk setup, there’s really no reason why the OWC Thunderbolt Go shouldn’t be your first choice.

UPDATE: Dock Ejector 2.0 has launched. More details here.

PayPal Opts You Into Sharing Your Data With Merchants BY DEFAULT… Here’s How To Fix That

Posted in Commentary on September 30, 2024 by itnerd

I swear, companies really don’t care about treating their users with enough respect so that they and not the companies are in control of their data. The latest case of this is PayPal. The company is updating their Terms of Service so that starting in November, you’re automatically opted into giving merchants access to your data.

All together now…. Whiskey – Tango – Foxtrot?

But there is some good news. Unlike some companies…. Ahem… Strava… You can opt out of this. Here’s how via the PayPal app or via your browser:

  • Go to Settings
  • Data & Privacy
  • Look for something either called PayPal Shopping or Personalized Deals & Offers. I had the latter and it looks like this.

I turned this off. You should too because being opted into anything which forces you to opt out of it is unacceptable. Companies need to understand that and not partake in this sort of behaviour. At the same time, users need to be aware of, and looking out for, this sort of behaviour and send a clear message to companies who partake in it that it will not be tolerated.

Strava To Use Your Data To Train Their AI Without The Ability To Allow You To Opt Out… WTF?

Posted in Commentary on September 30, 2024 by itnerd

Because I am a very athletic person, I post my bike rides as well as my walks, hikes and cross country skiing to Strava. And so do my friends who do similar activities. But I have to admit that I am rethinking that at the moment as this thread on Strava’s Community Forums says this:

I spent some time looking at the settings within Strava and found no way to opt out. So when this goes into effect today, every Strava user is opted into having their data shoved into some AI whether they want to have that happen or not.

That my friends is a complete and total #fail. Users should always have the choice to opt into something and not be forced to opt out of it. And it’s worse when users have no choice to opt out as is the case here. So it leaves me wondering if I should be taking my data, deleting it, and finding another place to post my athletic activities. Because clearly Strava doesn’t care enough about their user base to give them the choice as to how their data is handled.

Oh, by the way, I suspect that once the EU finds out about this, they’ll be having a word with Strava. And it won’t be nice…. For Strava.

An AirCanada Email Scam Is Making The Rounds…. But There Is Good News In Regards To This Scam

Posted in Commentary on September 29, 2024 by itnerd

Here’s your second scam of the day. And this one is using Canadian airline Air Canada to make you more likely to fall for it. The scam starts via this email:

I find it extremely unlikely that any Canadian airline, never mind any airline period would just willingly hand over cash to anyone for deposit into their bank account or onto their credit card. On top of that, I haven’t flown Air Canada in over six years. So I know that there’s zero chance that this is real.

On top of all of that, this pretty much confirms that Air Canada didn’t send me this:

That’s not Aircanada.com so game over scammer. You lose and people should just delete this email. Except that I didn’t do that and clicked on the “Claim Now” link where I was pleasantly surprised with what I saw:

It looks like the hosting company that was hosting the threat actor’s scam website took it out. That’s good as I find that even when I report scams like this to hosting companies, they either take a long time to take out the website, or they never do. And that leaves people who fall for emails like this vulnerable to getting scammed. So kudos to Bluehost for nuking this website within 24 hours of this scam email hitting my inbox.

That doesn’t change the fact that you still need to be on your toes so that you don’t fall for a scam. Because you can’t depend on others to keep you safe. You have to take action by looking at the details of anything that you get to keep yourself safe.

A New But Primitive CIBC Phishing #Scam Is Making The Rounds

Posted in Commentary on September 29, 2024 by itnerd

When it comes to finding out about the latest scams, readers of this blog or my clients will sometimes bring them to me. But sometimes they just drop into my lap. Take this one that popped into my inbox that uses Canadian bank CIBC to try and scam you:

Now this leverages a couple of methods to try and get you to fall for the scam. The first is that the mail claims that CIBC has a new “verification method”. That’s something that will get people’s attention because banks are trying to move away from text message based two factor authentication because of SIM swap attacks where a threat actor swaps your cell phone number onto a SIM that they control so that they can then take over your bank account and drain it. So people may assume that this email is legitimate based on that. The second reason why people might fall for this scam is that there’s a sense of urgency around it based on the fact that you have a deadline to do what the threat actor wants you to do. Because nobody wants to be separated from their money. But this of course isn’t coming from CIBC and there are three ways to tell in this case:

The first is the fact that this email address in the from field isn’t from cibc.com. In fact it’s not even close. So CIBC didn’t send this email.

Looking at the to field shows the same email address. That indicates that this is an email that is being sent to thousands of people hoping that 1 or 2 percent of them fall for this. That’s further reinforced by the fact that the body of the email doesn’t reference me by name and only says “sir or madam.”

The final part is the words “Click To againe Access”. Clearly the threat actor wasn’t smart enough to spell check this before sending this out. #Fail.

So if you get this email, you should instantly delete it and not click on any links. But by now you know that this isn’t how I roll. So I clicked the link and got this:

This is a pretty basic replication of the CIBC website. And if you look at the address bar, it’s clearly not CIBC.com. Which should be two more things to send you screaming in the other direction. But what this website is after is pretty clear to me. The threat actors want your debit card number and your password so that they can steal your money. I entered a fake card number and a password that told the threat actor where to go and how to get there, and I was then dumped to the actual CIBC website. Now I can only conclude two things based on that. Either the threat actors had code in the website that detected that I entered invalid information and punted me to the real CIBC website as a result. Or this is a very basic scam website that snatched what I entered so that the threat actors can potentially go to town at someone else’s expense.

So even though this is a very basic, bordering on primitive scam, it’s still a scam. Which means that you need to be on your toes so as to not fall victim to it. Because a scam doesn’t have to be well executed to be effective.
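The tells walked through in this post and in the Air Canada post above (sender domain, recipient equal to sender, generic greeting, link destination) can be checked mechanically. This is an added Python example, not code from the original post; the sample messages, addresses and hostnames are constructed, and `analyze` and `is_brand_domain` are hypothetical helper names.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the email described above. Every address,
# hostname and sentence except the quoted link text is made up.
SAMPLE_PHISH = """\
From: "CIBC Online Banking" <notice@mail-alerts.example>
To: notice@mail-alerts.example
Subject: New verification method
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear sir or madam,</p>
<p>Enrol in the new verification method before the deadline.</p>
<p><a href="http://cibc.com.account-check.example/login">Click To againe Access</a></p>
</body></html>
"""

# Constructed benign message for contrast (recipient and URL path are made up).
SAMPLE_LEGIT = """\
From: "CIBC" <alerts@cibc.com>
To: jane.doe@mailbox.example
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jane,</p>
<p><a href="https://www.cibc.com/statements">View statement</a></p>
</body></html>
"""

GENERIC_GREETING = re.compile(
    r"\b(?:sir\s+or\s+madam|dear\s+(?:customer|client|user|member))\b", re.I
)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)


def is_brand_domain(host, brand_domain):
    """True only for the brand domain itself or a real subdomain of it.

    A plain substring test would accept 'cibc.com.account-check.example'
    or 'notcibc.com'; matching on the label boundary does not.
    """
    host = (host or "").lower().rstrip(".")
    brand = brand_domain.lower()
    return host == brand or host.endswith("." + brand)


def analyze(raw_message, brand_domain):
    """Return the list of tells found in a message claiming to be from brand_domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Tell 1: the From address is not on the brand's domain.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if not is_brand_domain(sender.rpartition("@")[2], brand_domain):
        findings.append("from_domain_mismatch")

    # Tell 2: To repeats the sender, so real recipients were blind-copied in bulk.
    recipients = {a.lower() for _, a in getaddresses([str(msg.get("To", ""))]) if a}
    if sender and sender in recipients:
        findings.append("recipient_equals_sender")

    # Tell 3: the body greets nobody in particular.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    if GENERIC_GREETING.search(body):
        findings.append("generic_greeting")

    # Tell 4: at least one link leads somewhere other than the brand's domain.
    hosts = [urlparse(url).hostname for url in HREF.findall(body)]
    if any(not is_brand_domain(h, brand_domain) for h in hosts):
        findings.append("link_domain_mismatch")

    return findings


if __name__ == "__main__":
    print("phish:", analyze(SAMPLE_PHISH, "cibc.com"))
    print("legit:", analyze(SAMPLE_LEGIT, "cibc.com"))
```

The constructed phishing link deliberately starts with `cibc.com.` to show why the comparison has to be made on the end of the hostname rather than on whether the brand name appears somewhere in it.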

CISA Warns Of “Unsophisticated” Attacks Targeting Industrial Systems

Posted in Commentary on September 28, 2024 by itnerd

The CISA put out an alert that caught my eye yesterday:

CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector. Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.   

CISA urges OT/ICS operators in critical infrastructure sectors to apply the recommendations listed in Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity to defend against this activity. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

The word “Unsophisticated” is what caught my eye. That’s because this warning comes after the Arkansas City water treatment facility cyberattack:

The City of Arkansas City revealed that its water treatment facility had been breached on September 22. The city notified relevant authorities and moved the water plant to manual control to ensure safe operations.

Evan Dornbush, former NSA cybersecurity expert had this comment:

  “CISA’s guidance of recommended practices may be ideal for defenders who are well staffed or are perhaps building out new networks.

  “In terms of overall practicality, changing default passwords and patching and moving HMI devices behind firewalls or hardened VNC can be laborious.

  “Keeping with defense in depth philosophy, it may be more efficient for established OT/ICS operators to add a network detection capability to their existing infrastructure. Using modern advancements in computation, the market is full of quality options for those looking to glean intelligence from their network data.

  “Subscribing to a cyber threat intelligence platform is another low-friction avenue. Those purport to increase awareness of known exploited vulnerabilities (KEV) which can help steer defenders towards highest priority infrastructure.”

I truly hope that organizations take these warnings seriously. There’s enough evidence out there that should suggest that not doing so will end badly for all concerned.

Victims Lose $70k To A Single Crypto Wallet-Draining App On Google Play Store

Posted in Commentary on September 28, 2024 by itnerd

A malicious app impersonating the legitimate ‘WalletConnect’ project was available on Google Play for five months, amassing over 10,000 downloads. The fraudulent app, designed to drain cryptocurrency from unsuspecting web3 users, managed to steal approximately $70,000 from victims before being taken down.

The app posed as an official WalletConnect application, despite no such app existing on the Play Store. WalletConnect, a widely-used protocol that allows users to connect decentralized applications to their crypto wallets, does not offer a dedicated app.

George McGregor, VP, Approov Mobile Security had this to say:

  “This is an example of a massive issue. Both iOS and Android are affected by fake apps. HarmonyOS and the Samsung Galaxy Store are not immune to the issue. The problem is significant enough that it impacts users of all major mobile operating systems. Despite security measures, and claims to the contrary, fake apps can slip through on all mobile platforms. Official app stores like Google Play and the Apple App Store are overwhelmed, struggling to address this issue, despite having extensive app review processes in place.

  “Some scammers have found ways to exploit the Apple App Store process by initially submitting apps in specific languages for certain countries, then gradually expanding to other markets. 

  “As regulations like the EU’s DMA (Digital Markets Act), the UK’s DMCC (Digital Markets, Competition and Consumers Act 2024), and Japan’s SSCPA (Smartphone Act) kick in, more apps will be available outside of official app stores and security based on official app stores will become even more irrelevant than it already is.

  “So, fake and unauthorized apps are a significant and growing problem. Common advice is that USERS should protect themselves: remain vigilant, carefully review app permissions, be wary of suspicious reviews or download numbers. But the reality is that all platforms face challenges with fake reviews and artificially inflated app rankings, which can make it difficult for users to identify legitimate apps. It is unrealistic to expect users to protect themselves from fake apps. 

  “In fact it is critical that app developers must put solid security in place – this means a zero trust runtime security solution that immediately identifies and blocks fake apps before they even try to access an API.”

This highlights the fact that users need to be vigilant about what they download. And that’s on top of app marketplaces needing to tighten up on their security to avoid this scenario from happening.