Posted in Commentary with tags Reddit on July 31, 2023 by itnerd
Fredrick “Flee” Lee has been announced as Reddit’s new Chief Information Security Officer, reporting to CTO Chris Slowe. Flee has over 20 years of experience leading global information security and privacy efforts at major financial services companies and technology startups, including as Chief Security Officer at Square and most recently as Chief Security Officer and Head of IT at Gusto. Flee will oversee the Privacy and Security teams at Reddit responsible for identifying and mitigating risks and challenges around information security, privacy, and compliance.
The security of the Reddit platform and Reddit continues to be one of their core trust pillars, and over the past several years, they have continued to bolster their Safety and Security efforts, expanding teams focused on these areas and reinforcing existing measures that protect the platform. As part of their commitment to transparency with their users, they launched a new Transparency Center on RedditInc.com and regularly share their practices, updates, and findings with their community, including in r/redditsecurity. These efforts are central to Reddit’s goals of bringing community and belonging to users around the world.
Flee is a proud Southerner, raised in Mississippi, and holds a bachelor’s degree in computer engineering from the University of Oklahoma. In his spare time, Flee enjoys rock climbing, snowboarding, mountain biking, road cycling, and powerlifting, and is a passionate Redditor, lurking in r/MMA, r/Awwducational, r/selfhosted, and r/netsec.
Mark Hamill, who is better known as Jedi Master Luke Skywalker from the Star Wars movie franchise, has surfaced a move to boycott Twitter tomorrow in order to send a message to Elon Musk. Here’s the Tweet that surfaced this move:
This will only be effective if EVERYONE refrains from tweeting (X-ing?) on August 1st a/k/a #TweetlessTuesday. Let's show the owner the POWER OF THE PEOPLE. Honestly, would it kill you to keep your thoughts to yourself for 1 damn day? Read a book! 👀 #August1stTweetOutDay https://t.co/0apu2XsbAC
Hamill is known to be outspoken and his followers like him for that. Thus I suspect that by him getting behind this move, it will gain a lot of attention. And chances are a lot of hate from Elon Musk. Which I’m sure he’s fine with. After all he’s taken on the Dark Side of the Force and emerged victorious. Thus I’ll be watching closely tomorrow to see if #August1stTweetOutDay gains the traction that it deserves.
X Corp., the parent company of the social media company, sent a letter on July 20 to the Center for Countering Digital Hate, a nonprofit that conducts research on social media, accusing the organization of making “a series of troubling and baseless claims that appear calculated to harm Twitter generally, and its digital advertising business specifically” and threatening to sue.
The letter cited research published by the Center for Countering Digital Hate in June examining hate speech on Twitter, which Mr. Musk has renamed X.com. The research consisted of eight papers, including one that found that Twitter had taken no action against 99 percent of the 100 Twitter Blue accounts the center reported for “tweeting hate.” The letter called the research “false, misleading or both” and said the organization had used improper methodology.
The letter added that the center was funded by Twitter’s competitors or foreign governments “in support of an ulterior agenda.”
What this is really about is that Elon has been called out in public for not only having hate speech on Twitter, but doing nothing to stop it. What Elon really needs to do is to change course on that. But he’s not going to do that as he’s fine with hate speech being on Twitter. And I suspect that he’s not actually going to sue as he has a track record of threatening to sue, but not actually doing so. Thus Elon can be as mad as he wants. His latest outburst is not going to change the fact that Twitter is a cesspool of hate under the watch of Elon Musk.
Cado Security will publish a new blog revealing that Cado Security Labs has discovered a novel malware campaign.
Cado Security Labs researchers recently encountered a novel malware campaign targeting publicly-accessible deployments of the Redis data store. The malware, named “P2Pinfect” by the developer, is written in Rust and acts as a botnet agent. The sample analyzed by Cado researchers includes an embedded Portable Executable and an additional ELF executable, suggesting cross-platform compatibility between Windows and Linux.
In the time between encountering P2Pinfect and publishing this blog, Unit42 researchers also published an in-depth analysis of the Windows variant of the malware. According to their findings, the variant they encountered was delivered via exploitation of CVE-2022-0543, a Lua sandbox escape vulnerability present in specific versions of Redis. Cado researchers witnessed a different initial access vector, which will be detailed further in this blog. You can read the blog here.
Posted in Commentary with tags Scam on July 31, 2023 by itnerd
Having just returned from vacation, I see that a number of scams have entered my inbox. The one that I will speak about today is a Spotify scam that claims that they can’t bill you for using Spotify:
As usual the quality of the English in this email is suspect. Which should be the first hint that this is a scam. The second sign that this is a scam is this:
This isn’t sent from Spotify as the email domain is “app.mail.com” rather than Spotify.com.
But if you take those two things out of the mix, the look of the email mostly fits the style that Spotify uses in their communications. Thus I can see how someone might fall for it.
Now, if you don’t have a Spotify account, and you get this email, the correct response should be to delete it and move on with your day. And even if you do use Spotify, those two things that I pointed out should make you delete this email anyway. But what do the threat actors want? I’m betting that this is a phishing email to steal your personal information or financial details. So let’s find out if that’s true (which by the way you should never, ever do).
This is a pretty good copy of the Spotify page. There are some errors but I can see if someone isn’t looking closely enough that they could fall for this. And by closely enough, I mean this:
This should be Spotify.com. But it isn’t. Which means that this is a phishing page.
And as I expected, here’s where the threat actors try to steal your credit card details. I typed in a bogus credit card number and it let me get to this page:
This makes you think that it’s doing something. But it’s not. If you’ve typed in your actual credit card details, you’ve been pwned. I believe that this and the next page are just for show to keep you on the hook:
You’re supposed to get a text message via the “Verified By Visa” service that Visa has. And this is where things get interesting. I entered a bogus credit card number earlier in this process which the website identified as being a Visa card. And that would be correct as the number that I entered was a Visa card. But I found it interesting that they didn’t validate that the credit card number was valid up front. I am guessing that they are doing the validation on the back end of this scam by using the “Verified By Visa” service to do that. I assume that they have similar checks for MasterCard, Discover, and AMEX.
Crafty.
So now that we know what the threat actors in this scam are up to, my usual advice applies. If you see this email or one like it, look for the things that I pointed out earlier in this article to confirm that it’s a scam, and then delete the email and move on with your day.
UPDATE: The same threat actor has put out a new version of this email. It looks like this:
They also made one other change to the email. Which is the email address that it was sent from:
Clearly they made that adjustment to make the scam more convincing. The rest of the scam remains the same.
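The two checks used in this post (the sender's domain and the domain the link really goes to) can be automated. The sketch below is an added example, not part of the original post; the allow-list, the function names, the sample messages and every address or URL other than the "app.mail.com" domain are constructed for illustration. It compares whole domains rather than looking for the word "spotify", so a lookalike host that merely contains the brand name is still flagged.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the defender maintains this allow-list of domains per brand.
BRAND_DOMAINS = {"spotify": {"spotify.com"}}


def host_matches(host, allowed):
    """True only if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


class LinkCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def html_body(msg):
    """Returns the concatenated text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(raw.decode(charset, "replace"))
    return "".join(chunks)


def check_message(raw, brand):
    """Returns (kind, host) findings for a message presenting itself as brand."""
    allowed = BRAND_DOMAINS[brand]
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    shown = (display + " " + msg.get("Subject", "")).lower()
    if brand not in shown and brand not in sender_host:
        return []  # message does not claim the brand; nothing to compare
    findings = []
    if not host_matches(sender_host, allowed):
        findings.append(("sender", sender_host))
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if host and not host_matches(host, allowed):
            findings.append(("link", host))
    return findings


def build(sender, link):
    """Builds a constructed sample message (not a captured email)."""
    return "\n".join([
        f"From: {sender}",
        "To: user@example.org",
        "Subject: Spotify: we could not process your payment",
        "MIME-Version: 1.0",
        'Content-Type: text/html; charset="utf-8"',
        "",
        f'<html><body><a href="{link}">Update payment</a></body></html>',
    ])


FAKE_LINK = "https://spotify.com.billing-update.example/login"  # placeholder
PHISH = build("Spotify <billing@app.mail.com>", FAKE_LINK)
LOOKALIKE = build("Spotify <no-reply@spotify.com.example.net>", FAKE_LINK)
GENUINE_STYLE = build("Spotify <no-reply@spotify.com>",
                      "https://www.spotify.com/account/")

if __name__ == "__main__":
    for name in ("PHISH", "LOOKALIKE", "GENUINE_STYLE"):
        print(name, check_message(globals()[name], "spotify"))
```

An empty result only means the visible domains line up; the From header itself can be forged, which is what the receiving server's SPF, DKIM and DMARC results are for.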
Posted in Commentary with tags Rogers on July 31, 2023 by itnerd
Here’s a quick update to the Rogers email issues which have been ongoing for months with seemingly no resolution. But before I get to that, here’s a quick refresher in case you’re new to this fiasco that Rogers has inflicted upon their customers:
I first reported on issues with Rogers email, and the inability to generate app specific passwords to allow users of Rogers email to use email clients like Outlook and Thunderbird on March 7th.
This issue dragged on for months. There is a workaround, but that workaround is suboptimal to say the least. And as this issue dragged on into April, I was left with no other option than to recommend to my many clients who are affected by this to dump Rogers as their email provider.
Rogers has sort of admitted that there is an issue. But it took them a very long time to do that.
That last update was in the middle of May. We’re now in July and I still have a number of clients who have been suffering from this issue. Some of them just got fed up and stopped using Rogers email. Or they got fed up and stopped using Rogers entirely. But some have hung on using Rogers Webmail which is the only way they can get email from Rogers.
However this might be changing. At this point I have only tested this once so I need a bigger sample size to confirm that this is a workable and reliable solution. But here’s what I did with a client yesterday.
Using Microsoft Outlook, I walked through the wizard to create a new email account. Instructions for using that wizard can be found here. As part of that process, this popped up:
Now the credentials that they are asking for are your email address (yournamehere@rogers.com for example), and your password. Specifically the same password that you would use for Rogers webmail. If you enter those credentials, it will do some work in the background and set up an IMAP email account that works perfectly. Though I will note that I had to try this three times before I got to that point, which implies that this does not work perfectly. But based on the sample size of one, it did work.
I would like to hear from others who have issues with Rogers email. Do the above instructions work for you? Or has your email just “magically” started to work again? I encourage you to leave a comment below with your feedback as I would like to enhance the above instructions and get a better idea of how well this works for users of Rogers Email.
Alarm bells are ringing in the US with fears that the Chinese have planted a “ticking time bomb” inside key US infrastructure according to the New York Times:
The Biden administration is hunting for malicious computer code it believes China has hidden deep inside the networks controlling power grids, communications systems and water supplies that feed military bases in the United States and around the world, according to American military, intelligence and national security officials.
The discovery of the malware has raised fears that Chinese hackers, probably working for the People’s Liberation Army, have inserted code designed to disrupt U.S. military operations in the event of a conflict, including if Beijing moves against Taiwan in coming years.
The malware, one congressional official said, was essentially “a ticking time bomb” that could give China the power to interrupt or slow American military deployments or resupply operations by cutting off power, water and communications to U.S. military bases. But its impact could be far broader, because that same infrastructure often supplies the houses and businesses of ordinary Americans, according to U.S. officials.
That’s not good if that’s actually true. Joe Saunders, CEO, RunSafe Security had this comment:
The threat of a ticking time bomb like this malware means we need to double-down our efforts to achieve not just memory safety in software in the long term, but memory protection in software immediately. Otherwise we take the risk of losing our ability to support our warfighters and maintain a normal sense of operation in society.
Hopefully this “ticking time bomb” is identified and countermeasures are created to stop it. Because a “ticking time bomb” like this cannot be allowed to go off. Period.
I have to admit that this is pretty obnoxious. And the City of San Francisco sees things that way as this happened next:
San Francisco’s Department of Building Inspection launched a complaint against the company on Friday, saying the sign had been installed without a permit. The city agency said that an inspector “spoke with Tweeter [sic] representatives and Building maintenance engineer representatives,” who declined access to the sign but said that it’s “a temporary lighted sign for an event.”
The city inspector said they explained to the company representatives that the structure had to be taken down or legalized to be allowed to remain up.
The inspector returned to the site on Saturday in an attempt to regain access to the sign. “However, upon arrival access was denied again by the tenant,” the city complaint says.
And anyone living in the area isn’t happy about this either:
Video from San Francisco resident and digital journalist Christopher Beale shows the lights in the sign pulsing brightly across the street of his home, saying, “this is my life now.” At another point, the lights of the giant “X” were seen strobing.
“It’s hard to describe how bright it made this intersection,” he said in a video shared by CBS News Bay Area reporter Betty Yu. “But it’s way up off the street and it’s still just like a flash of lightning going off. We came home and tried to watch a movie and it was flashing through this window so bright that even with the shades down, it was so distracting that we had to leave the room and go to the side of the apartment that doesn’t face their building.”
This highlights what an inconsiderate, narcissistic twit Elon is. I’m expecting that the city is going to force him to take the “X” down which will continue to highlight that his “ready, fire, aim” style of doing things doesn’t help his cause.
Posted in Commentary with tags Travel on July 30, 2023 by itnerd
With our trip to France over, it was time for our journey home. And it turned out to be almost like the trip to France. I’ll get to the similarities in a moment. But first we had to drive from Gilhoc-sur-Ormèze to Lyon and we decided to do that the day before our flight as the distance was a 2.5 hour drive and we didn’t want to be rushed by having to drive that distance and return the car before our flight from Lyon to Paris. If we were thinking, we would have taken a detour to see stage one of the Tour de France Femmes which started and finished at Clermont-Ferrand which is a short “ish” drive from Lyon. But we were too focused on hitting the hotel where we were spending the night in Lyon, which was right across from Lyon airport. That hotel was the NH Lyon Airport and it was a great hotel to stay in. A queen sized room cost us $167 Euros which was way less than the hotel that we stayed at when we saw the start of the Tour de France stage. Plus it had this handy feature:
If you look at the right side of this outlet, there’s a USB-C and USB-A port. Neither was a fast charging port, but they charged our Apple Watches and iPhones just fine. The food was great and priced well as well. My wife and I had a great meal at the hotel for 85 Euros plus tip. This is a hotel that I would highly recommend.
Returning the car was a bit interesting. The Lyon airport has a gas station on the property. But oddly it was out of fuel. To be fair, the rental car company warned us that this might happen, and that we’d have to drive to a nearby town to fill up the car before returning it. Which is what we ended up doing. Since the rental car company that we used was on the airport property, we decided to walk back to the hotel as that was a great way to close our rings on our respective Apple Watches. In the process of doing that we saw this:
The Lyon airport has a stop for the TGV which is the high speed rail line that runs throughout France. While we would have loved to have taken this mode of transport, it didn’t work for us on this trip. Perhaps on a future trip we will do so.
The next day we packed up and walked across the street to Lyon airport. After checking in, we boarded our flight on Air France to Paris Charles De Gaulle airport. From there, we would catch another Air France flight to Toronto Pearson. Now the flight to Charles De Gaulle airport was late, but we tracked our luggage being loaded onto that flight, and unloaded off the flight using the AirTags that were inside them. And that’s when things went off the rails so to speak. The luggage never got loaded onto our flight to Toronto as evidenced by this picture:
The luggage just sat there right up to the time we took off. Now there was the slim possibility that when we landed, the luggage would be there. But when we made our way through customs and got to the luggage carousels at Toronto Pearson airport, our luggage wasn’t there. And checking the FindMy app confirmed that they were still in France. And that was further bolstered by my wife and I being paged by Air France to head to the lost luggage desk. There we filled out paperwork to get our luggage back. That’s when they said it would take three days to get our luggage back as they had to find it first. That’s when I took out my iPhone 14 Pro and showed them the location it was in. That’s when their tune changed and said that they would have it on the next flight out. Which to their credit they did as it arrived in Toronto later that night and was delivered to our home the next day. And for the record, unlike the flight to France where there was 20 Euros of compensation, there was no compensation for this incident.
What I took from this interaction is the same thing that I took from the first time that this happened to us on this trip. Air France and sister airline KLM won’t do anything to get your lost luggage back to you in a rapid manner until you shove a phone in their face showing them that you can live track your luggage using an AirTag. The second that you do that, their tune changes and they will make sure that you get your luggage back quickly. And because of that, I’d strongly recommend that anyone in the Apple ecosystem who travels should use AirTags in all their luggage to hold airlines accountable for their luggage. Not only that, my wife suggests that if your luggage is lost, you need to push them to act quickly and force them to deliver on what they promise. Otherwise she believes (and she’s not wrong in my opinion) that airlines will do whatever they want whenever they want.
Another thing that I’d like to say is the fact that this happened twice on the same trip when flying with KLM/Air France doesn’t put KLM/Air France in the best light. Now it is possible that because we took a route that had connecting flights, maybe there wasn’t enough time to move the bags between flights. Or that perhaps the grounds crews at the airports in question have some issues that played into this such as not enough staff, or the staff simply don’t care. But at the end of the day it’s KLM/Air France that is responsible for making sure that the checked luggage of their passengers makes it from point a to b on time as close to 100% of the time as possible. This experience makes me wonder if the next time we fly to France, if avoiding KLM/Air France and flying on another airline is a good idea. I’m not sure about that at present. But if KLM/Air France happens to read this, they are free to reach out to me and tell me why I should consider them for a future flight to France (or Holland for that matter seeing as KLM is the national airline for Holland).
In closing, I’d like to say that other than our luggage issues, our trip to France was spectacular. It’s left us with a lot of good memories and we’d love to do it again. I would also suggest that you take your own trip to France as we only scratched the surface of what this country has to offer, and create your own memories in the process of doing so.
Posted in Commentary with tags Travel on July 29, 2023 by itnerd
After our trip to the start of the Tour de France stage, my wife and I relaxed for a couple of days. For starters, we walked the kilometre from where we were staying to Gilhoc-sur-Ormèze to get freshly baked bread every morning. Something that I highly recommend as fresh from the oven bread in France is next level as far as we are concerned.
Here’s some pictures of the walk:
We also had to take our recycling to a designated location as there is no trash and recycling pickup. So we did a couple of walks over the last couple of days to do that as well. Here’s the location that we took it to:
We placed glass, plastics, and paper in the right bins. And we’re told that these bins are emptied once a week.
Gilhoc-sur-Ormèze is pretty rural where the main industry is farming as evidenced by these photos that my wife and I took on one of our walks:
Fun fact: On our first day here, we had a herd of cows walk by our front door. That was interesting to watch as we were not expecting that. But our hosts said it happens “all the time”.
These are sheep that are raised for their wool as well as for food.
These walks were a great way to close our rings on our respective Apple Watches. Speaking of tech, here’s what we brought with us to France:
I also decided to take this along as an experiment to see if it would work for international travel:
This is a power converter that is said to handle up to 2300W. The idea is that you plug this into the wall using the supplied adapters, and it will step down the voltage from 220V/240V to 110V/120V. You then plug the devices that you have, computers or iPhones for example, into the USB-A or USB-C ports or the three outlets on the top. My thought was that this would create a single place to charge everything. Great plan. But I noticed a bunch of issues. For example, when both 140W power adapters were plugged into this device, one of the MacBooks would charge fine. The other would start and stop charging every 30 seconds. And near the end of our stay, we were finding that our iPhones would have difficulty charging from the USB ports. Now it is possible that I have a defective unit which explains all of this. Regardless, I will likely not be using this again and I’ll be going back to using adapters for all the tech things when I travel.
As for the car, I drove the Peugeot 2008 that I have pictures of here. My driving impressions go something like this. It handles really well as it was more than capable of dealing with the narrow, twisty roads in the area around Gilhoc-sur-Ormèze. While I did feel that it was capable of more, I never pushed it that hard. In terms of room, it fit 5 people (driver, front passenger, three adult rear passengers) in it. Though I suspect that you don’t want to put three people in the rear seats too often. If I had to compare it to a car that I’ve reviewed, it’s around the size of a Mazda CX-30. It also handles just as well.
Here’s a couple of extra things that I noticed:
It has a fully digital display that uses some sort of trickery to make your eyes think it’s 3D. It’s kind of neat. Though my wife thought it was a gimmick.
It had just enough room to fit both suitcases in the cargo area. But our computer bags needed to go on the floor behind the second row feet. There’s storage below the false floor.
The screen was easy to read. But this car didn’t have Apple CarPlay or Android Auto in it. Which is odd as a Google search indicates that it is in theory a standard feature in this car. I ended up using my iPhone to navigate when required as I didn’t trust the built in navigation system. The reason being that some of the roads that we were on said “area not mapped” which you can see at the bottom left of the screen in the picture above.
One thing that took some getting used to was this gear shifter. It’s electronic and it took me a couple of days to get used to shifting into reverse from drive and vice-versa. Also you have to press the “P” to put it into park. Different for sure. But like I said, I got used to it.
That’s all from France. The final post from this series will cover the trip back to Toronto. Stay tuned for that.