SiliconANGLE: That Chinese attack on Microsoft’s Azure cloud? It’s worse than it first looked

The revelations last week that Chinese hackers had breached a number of U.S. government email accounts indicate the problem is a lot worse than was initially thought, according to new research today by Wiz Inc. Indeed, this hack could turn out to be as damaging and as far-reaching as the SolarWinds supply chain compromises of last year.

In my post for SiliconANGLE, I summarize what Wiz learned about the attack, what you have to do to scan and fix any potential problems, and why people who choose “login with Microsoft” are playing with fire.

A new foe of card skimmer crooks: Target Corp.

The war on credit card skimmers continues, this time from an unexpected source: Target Corp. Yes, the retailer. Cyber criminals attach skimmers to the outside of ATMs, gas pumps and other credit/debit card readers. When you insert your card into the machine, these skimmers capture your account number and PIN, which will be used later to clean out your account.

Brian Krebs has written about card skimmers for years, and I quoted him in this piece that I referenced when I last wrote about the topic in 2015. Last year, he documented some of the ultra-thin skimmers that ATM vendors found inside their machines. It is pretty amazing how the crooks continue to innovate in smaller and smaller devices to steal our data.

Skimming is sadly on the rise: 161,000 cards were stolen annually, up more than four times the rate from 2021. Now they have a new nemesis — Target Corp. They recently blogged about their approach, which uses a piece of plastic called EasySweep to ferret out the skimmers. There aren’t any electronics on this card — it is just thick enough to reveal whether something else is already inserted in the slot, and it is sheer genius. Their cybersecurity group took the rather unusual step of 3-D printing the plastic that measures the thickness of the card reading slot. Target staffers can quickly swipe the thing in each of the 20 or so terminals in a typical store in a few minutes. And it is simple: if the card fits, the reader is clean. If it jams, it could indicate the presence of a skimmer. Each store now checks its readers daily. They have sent 60,000 of the cards to their stores, and they offer the design to other retailers free of charge.

Granted, the war on skimmers is a cat and mouse game: originally, many IT folks thought they could find them by scanning for unknown Bluetooth devices, because many of them sent out their collected data over that radio link. Then the crooks developed skimmers that had to be physically removed and the data downloaded. While there is a limit to how thin they can be made, so far the EasySweep cards are still a valid testing tool.

Still, consumers should be on the lookout, as the cops say. Check your machine for obvious signs of tampering, such as a loose part or something odd either with the card slot or the keypad (which might have an overlay to capture your keystrokes). If you are at a bank of machines, compare the one you intend to use with its neighbor to see if there are any physical differences. And cover the keypad with your hand as you enter your PIN. If you can, use an embedded EMV chip card, which is harder to skim. And also consider more advanced cards, such as the one from Apple/Goldman Sachs, that can create virtual CVV numbers on the fly to make skimming more difficult.

SiliconANGLE: The WeChat app is anything but private

What if we had an app on our phones that combined the functions of Facebook Messenger, Venmo payments, MyPatientChart health records and WhatsApp for making voice calls, and also allowed us to download all sorts of mobile apps and games like Apple Inc.’s App Store?

Furthermore, what if such an app had absolutely no privacy controls, so the federal government could monitor, censor and track users, conversations and all activities?

Well, such an app exists. It’s called WeChat and it has 1.2 billion monthly active users. But it is a threat to our privacy, and I explain why in this post for SiliconANGLE.

Solving the last mile of package delivery

You no doubt have had a package stolen from your front porch or know someone who has experienced this. And thanks to Covid, we are all using delivery services more often, which just increases the market size for porch pirates, as they are called.

The pirates are getting some pushback thanks to tech. First came the video-streaming door cameras (like Ring, now part of Amazon) that could capture them and report them to authorities. That made a small dent in their operations. But a better solution is happening in Singapore.

If you live there, for the last several years you have been able to have your packages delivered to one of the now 1,000 public lockers that are all over the island. If you have ever used the lockers that Amazon has at Whole Foods or one of its other storefronts, you get the idea. It is a wall of lockers of various sizes with a computer controlling access. Once you authenticate yourself, a door opens and the package is revealed. The lockers are built and operated by Pick Network and are called the Locker Alliance Network (which sounds vaguely Terminator-ish, but let’s move on). You choose the locker installation nearest to your home or office or wherever you happen to be, and the delivery company will get the package there. On the company’s website, you can locate the nearest locker, and you can see from the map how densely they are spread around the country.

To give you some sense of scale, Singapore is a very densely settled area about half the size of Rhode Island but with five times its population. I spoke at a conference there back in 1998, and was amazed at its diversity of languages and culture: fortunately for me, almost everyone these days is educated in English. It is very modern and apart from the signs in Chinese characters, you could have been in any major downtown city. Back then their freeways had one of the first open road toll collectors (meaning no booths that were designed for variable congestion pricing and no slowing down), something that took a while to show up elsewhere in the world.

It isn’t completely one humongous city like Hong Kong, but the density it does have makes something like the locker network functional. Pick claims lockers are within walking distance for most people. You can also drop off packages at the lockers, again like what we can do at Whole Foods.

Having a “last mile” solution is significant in that it has other benefits: there are fewer delivery vans tying up the roads, and less carbon consumption too. BTW, don’t you hate that term? How else should we refer to the contact with customers — maybe “first mile!” You get my point. And it is an open network, meaning that (unlike Amazon’s) any delivery company can integrate it with their own systems.

According to this article in the local newspaper, usage was initially slow but seems to have caught on, at least judging by the increasing size of the locker network. It helps that Pick is federally funded. The delivery companies saw major increases in their own productivity, the story reported, although it is not clear how this was calculated.

In the meantime, watch out for those porch pirates on your own deliveries.

How to be more curious

I am by nature a curious person. I spend a lot of time trying to answer questions, which is why I love my job and what has contributed to my success as a tech journalist. One term that was popular was “life-long learner” (as I wrote about this term in relation to my non-retirement strategy back in 2021) but I think curiosity is a better description. I noticed that many analysts looking at our AI-enabled future have called attention to this skill as something we will need to cultivate and develop. So in this post, I want to examine what it will take to train folks to become more curious.

Before you do any formal training, it helps to understand what type of learner you are. We all learn in different ways: some of us have to go through the actual experience — these people respond better to tactile situations. Others learn better through more visual or auditory cues and need materials specializing in these methods.

How do you figure this out? One way is to take this short online quiz to find out which style you are. Once armed with this data, you should focus your attention on situations that offer those types of materials so you can learn things your way and retain it better. For example, if you are an auditory learner, you may wish to listen to recorded lectures or presentations. This is a boon for online webinars, where you can stop, rewind, and replay the key portions. In some cases, you might want to take notes, or recite what was just said to fix the concepts in your mind.

If you are more of a visual learner, then by all means be sure that you look carefully at the study materials. Use charts, maps, movies, notes and flashcards. Practice visualizing or picturing words/concepts in your mind. Finally, if you are a tactile learner, think about ways that you can involve more of your senses besides just watching a particular lecture. Make study sheets and refer to them often.

But knowing how you learn is just one part of your journey. Next comes having the right motivations. I have been lucky to be a self-starter and get myself motivated, whether that involves writing one of these essays or tackling a more in-depth project. Sometimes, just seeking knowledge isn’t enough. If you’re not that motivated to learn, find someone who’s also interested in becoming more curious. That link will take you to other suggestions on how to become more curious. Here is another resource, posted on the site Natural Training, which describes the ten most common habits of curious people. Things like listening without judging, willing to be wrong, and staying in the moment are all important skills to acquire.

I was thinking about this when I read something that Naomi Wu, a Chinese maker, said recently about how the education of Asian students has to change. “The key skill - prompting, asking questions - is something our kids are generally not taught and are often quite poor at. I’d even say it’s discouraged. The ability to ask good questions becomes incredibly important with AI.” I saw this first-hand when I gave lectures in Singapore and Japan years ago: I had to seed the audience with someone who was willing to ask the first question to break the ice.

Longtime freelancing colleague Pam Baker’s forthcoming book on ChatGPT has more tips on how to become an expert at using these tools. She told me, “Many worry that ChatGPT will erode the critical thinking skills of users. But that’s not likely because the most successful users will employ advanced critical thinking skills in forming prompts. The key is not in what you say to the machine, but in how you say it.” She tells me she is also putting together classes on LinkedIn Learning on the topic.

I was thinking how fortunate I have been in my job as a freelance journalist. I have been able to call up all sorts of people and ask them questions about their lives and jobs, as I wrote about ten years ago when I described two of my sources in this blog post on how to question everything. The two people had an insatiable curiosity for the unknown, to be constantly learning something new, and figuring out how the world works. While that extreme case of hyper-curiosity might not be your cup of tea, it might make you more motivated to become more curious about something.

Facing tough choices on TikTok

Last week Shou Chew, the CEO of the American TikTok, was called on the US House hearing room carpet. Combining the current anti-China paranoia with social media crimes against teenagers was a potent political mix that brought a tremendous amount of bipartisan angst. The five-hour hearing was attended by seemingly the entire House membership, and for me it was noteworthy in that almost none of the members were folks that I have ever heard of, but all managed to ask unanswerable questions to which they demanded simple yes-or-no answers so they could save time for their own take.

The best commentary was Jimmy Kimmel who simulated what the app does on his show (shown here at right). More insights from Casey Newton here.

Also last week, Utah became the first state to place legal restrictions on social media usage by children (<18). This law goes into effect in a year; we’ll see how they will enforce it, which will be difficult. TikTok seems to be included in its framework, although Google might not be (there is an exemption for online email, so Gmail might not apply but YouTube might be covered).

The hearing wasn’t a total time waster. In addition to getting acquainted with our Congress (a couple of whom actually have had tech jobs, interestingly), it also brought to the public’s attention a few reports that I will highlight here. But what I saw was that America will probably join others in some form of ban, whether it be just for government employees (as the US has done, and as the UK and France did last week) or something that is contemplated by other bills that are making their way through Congress.

Second best commentary was by security maven Bruce Schneier, who wrote last month: “There’s no doubt that TikTok and ByteDance, the company that owns it, are shady. If we want to address the real problem, we need to enact serious privacy laws, not security theater, to stop our data from being collected, analyzed, and sold—by anyone.” He explored on his blog various kinds of bans, all of which would be ineffective or place Chinese-style restrictions across our internet. That message was lost on Congress, sadly. The UK ban is ineffective if you use your own Wi-Fi or data provider, for example.

The relationship between TikTok and its parent company was explored in detail in this report done for the Australian Senate and released earlier this month. This was cited several times by various Congress members. The research found that ByteDance should be considered a hybrid state/private entity, collaborating closely with the government on its operations. Chew made an effort to show TikTok’s independence from its parent and the Chinese Communist Party (CCP), an effort that fell on deaf ears and “didn’t pass the smell test,” as one member said. The report looked closely at two days’ worth of content last November and compared the depictions of the CCP on TikTok with what was posted on Twitter, Instagram and YouTube. While the researchers couldn’t assess the cause, they did find that both Twitter and TikTok had more pro-CCP content than YouTube or Instagram.

Another issue is how TikTok tracks users across the internet. Consumer Reports did a report last fall that found hundreds of organizations sharing data with TikTok using tracking pixels and canvas fingerprinting techniques. Before you sound any alarms, these are common for Facebook, Google, and numerous commercial websites, and TikTok’s tracking efforts are a small fraction of what these other companies do. Still, Chew’s answers were less than satisfying in this area.

Much was made about the differences between the TikTok app we use in the USA versus the ByteDance app called Douyin that is only available in China. The excellent Citizen Lab issued a report last year that examined what data leaks from both apps. Not surprisingly, the Chinese app had more potential security and privacy issues, although the researchers said neither app had any noticeable malware characteristics.

So let’s answer some questions.

Is the TikTok app spying on its users? Not according to Citizen Lab and other security analysts. Could it become weaponized? Sure. But so could any other phone app.

What else should the government ban on its own phones? Well, if you are going to ban TikTok, how about deleting dozens of other apps that collect private data too? That is what France just did, or is trying to do. Good luck with that.

Will selling the company accomplish anything? Not really, other than improved optics. Look no further than Facebook to show misuse of data by a wholly-owned American company. Ownership doesn’t mean total control.

What about the Oracle Cloud migration? TikTok is making a big effort towards migrating its servers to the Oracle Cloud, and promises to keep all US data on these servers eventually. That clearly comes under the heading of “security theater,” since these servers can still transmit anything back to their Chinese parent company. Chew made a big deal about the Oracle project, but what he neglected to say is that any third-party code audit would be nearly impossible, since the servers started out in a pristine “bare metal” state and TikTok could put anything on them. I am not sure what is accomplished here other than having better app latency for US users. Again, a lot of effort to improve optics, but not much else.

How to know when you are ready to expand your career

“There may be nothing I’ve seen wreck the careers of high-performing, hardworking people more commonly than stepping into a manager role the person isn’t ready for,” tweeted Kieran Snyder earlier this month. The CEO of linguistic analysis firm Textio then followed this up with some very cogent remarks about knowing when to take that leap into management that really resonated with me.

This is because I faced a similar circumstance in my own career back in 1990, when I took the job to run Network Computing, a brand new computer publication. I have often mentioned that decision as a pivot point in my professional life in these essays. At that time, I was managing a group of about a dozen editors for PC Week — and this would be a big promotion to running an entire publication, hiring its entire staff, and learning how to get the magazine from words to a coherent whole. It shaped the rest of my career, to be sure.

I also addressed this topic a couple of years ago in this post about whether super coders should take the next step into management. It is worth reviewing that piece and listening to a discussion with Jaya Baloo and Troy Hunt on the subject.

Snyder lays out four important questions you need to ask yourself to decide whether or not you are ready:

  1. Can you communicate complex expectations clearly? And behind this question is also holding people accountable — and avoiding eventual disappointments — for these expectations too. Even when you know this, it is still hard to achieve. “This is an issue I have faced, and often management fails to set clear expectations,” said Alan Elmont, who has been a recruiter and staffing professional for decades. “This has been particularly an issue with small companies or mid-sized companies that are growing too quickly.”
  2. Can you engage and manage conflicts well? Being fair in these fights is more important than being well-liked.
  3. Where do you fit in the scale between being a hero and being predictable? “Managers mostly do hero work to compensate when their team isn’t delivering,” she says. That could be caused by a variety of failures, such as unclear feedback or expectations or poor solutions delivery — or a combination.
  4. Finally, do you have the right combination of technical skills and a solid functional foundation to properly lead your team? That is a tough one to dispassionately assess, either by yourself or with your prospective hiring manager.

Now let me take another moment from my career when I got a job to run another publication. It was a major failure, because I couldn’t do any of the first three things that Snyder mentioned above. I barely lasted a year there before being fired. I should have spent more time understanding the lay of the landscape and the management style of my eventual boss. Now, this happened years after my Network Computing anecdote, so you would think that being older and more experienced I would have spotted the danger signs. But no, I was too caught up in the thrill of being chased for a new job. Live and learn.

While on the topic of career development, I had an opportunity to talk to a group of mid-career folks who are considering jobs in cybersecurity this week. You can see my slides below, and some of the issues that we discussed.

How is that right to be forgotten going?

The right to be forgotten isn’t part of the US Constitution, or for that matter in any other country’s founding documents. But it is part of the more recent regulations, which define how this data is collected, how it is processed, and most importantly, how and when it is erased. The phrase refers to the ability of individuals to ask, under certain circumstances, to have their personal data removed from various digital repositories.

It is not a new term. Indeed, the EU got going on this almost ten years ago, eventually enshrining rules in its General Data Protection Regulation (GDPR), which have been around now for almost five years. This motivated a few (and I emphasize very few — so far that number is five) states here in the US to enact their own privacy laws, including California’s Consumer Privacy Act (CCPA) and others that mention the “forgotten” rights. Here is a handy comparison chart of what the five states have passed so far.

Security blogger David Froud also wrote about the issue more than four years ago. He pointed out then that the term forgotten doesn’t necessarily mean total erasure of your data, such as the hypothetical case of a convicted criminal applying for a job. But then, should the stain of that conviction follow someone for the rest of their life? Hard to say. And this is the problem with this right: the subtleties are significant, hard to define, and it is harder still to create a solid legal framework around them.

What got me thinking about this issue is a recent survey by Surfshark of how right-to-be-forgotten requests have actually progressed across European countries. They found that residents of France alone accounted for a quarter of the requests recorded by both Google’s and Microsoft’s search portals, with England and Germany residents together accounting for another quarter of cases. These requests have been on the rise since the onset of Covid, and both Cyprus and Portugal have seen a 300% increase in requests since 2020. Interestingly, Estonia (which is a leader in implementing all sorts of other digital tech across the board) had the largest proportion of cases with 53 per 10,000 residents. Compare that to Bulgaria, which had 5.6 requests per 10,000 residents. At the bottom of the page linked above, you can see references to the various search portals’ removal request forms, and yes, you have to submit separate requests for each vendor (here is Google’s link). The EU “suggests” that the process from request to its fulfillment should take about a month, but the way they word it means there is no legal response time encoded in the GDPR. According to the Surfshark report, millions of requests have been filed since the law went into effect.

As the authors of the survey say, “Time will only tell which countries will join the fight for online privacy and to what ends our data is private online. Is the right to be forgotten a universal truth or a way to hide the past indefinitely?” I don’t honestly know.

Temper the Surfshark report with the results of a Spanish university research study that looked at the 500 most-visited websites in that country. They found a huge collection of tracking technologies that were hidden from any user consent, with less than nine percent of the sites actually obtaining any user consent.

But tech doesn’t stand still, and the right to be forgotten has taken on new meaning with the rise of AI chatbots such as ChatGPT, which can seek out and find your personal data as a way to train their machine learning models. As my colleague Emma McGowen mentions in her Avast blog from last month, there is no simple mechanism to request removal of your data once the AI has found it online. You don’t know where your data is online, and even if you do, there isn’t any simple form that you can fill out to request deletion.

Note: OpenAI released this opt-out form after I wrote this essay.

If you have ever tried to put a credit freeze on your accounts at the four major credit bureaus, you have some idea of the chore involved here. At least there are only four places that process your credit data. There are hundreds if not thousands of potential data collections that you would have to seek out and try to get any action from. Chances are your data is out there somewhere, and not just in Google’s clutches but on some hard drive running in some darker corner. Good luck tracking this down.

So where does that leave this right to privacy? It is a good sign that more countries and some US states are taking this seriously. But each state has a slightly different take on what the right means and what consumers can do to remove their data. And for those of you happily chatting up your AI bots, be careful about what private info you have them go searching for, lest you unwittingly add more data that you don’t want others to find about you.

25 years of ecommerce

In today’s post, I look back on the developments of ecommerce and my role in covering this technology. I was recently reminded of this history after writing last week about Paypal — this motivated one of you to recall events that happened in the early 2000s, back when the “internet bubble” was rising and then bursting.

I last took a long look back at ecommerce in 2014 with this blog post. In it I highlighted a series of other works:

While the web came of age in the 1990s, it took a while for ecommerce to get into gear. The technologies were bare-bones: back then, you could learn basic HTML coding in a couple of days and easily put together a static series of web pages. The key operative words in that sentence were “static” and “basic.” The 1990s era of HTML was waiting for the language to catch up with what we wanted to do with it, but eventually the standards process got there. The real stumbling block was making a site dynamic and being able to support online inventories that were accurate, checkout pages that were secure, and having access to software interfaces that were pretty crude and simplistic. All of that required other tools outside of HTML, which is somewhat ironic. Now if you look at the code behind the average webpage, it is almost impossible to parse its logic at first glance.

Yet, here we are today with ecommerce being a very sophisticated beast. HTML is no longer as important as the accompanying and supporting constellation of web programming languages and development frameworks that require lots of study to be competent and useful. Connecting various databases and using a web front-end is both easier and more complex: the APIs are richer, but how they are implemented will require a deft touch to pull off successfully. Payment processing has numerous vendors that occupy sub-markets. (Stripe, Bill.com, and Klarna are three such examples of companies that are all involved in payments but have taken different pieces of the market.)

You might not have heard about Klarna: they are one of more than a dozen “buy now, pay later” services that pop up at checkout. No purchase is too small to be spread across a payment plan. Back in the pre-internet times, we had layaway plans that had one important aspect: you didn’t get the item until you completely paid for it. Now items arrive in days, but attached to a stream of loan payments stretching out several months. The downside is that there are potential late fees and 30% annualized interest charges too.

And then there are Amazon and Google. The former has made online shopping both easier and more complex. It used to be both free and easy to return merchandise purchased on Amazon. Now it is neither. If you don’t pay attention when you are purchasing something, you could end up using one of their contract sellers, which complicates the returns process. And the cost of Prime continues to climb.

Google’s Lens technology has also transformed online shopping. If you have a picture of what you want to buy, you can quickly view what websites are selling the product with a couple of clicks on any Android or iPhone. My interior designer wife uses this tech all the time for her clients.

Before I go, I want to mention that Cris Thomas, known by his hacker handle Space Rogue, has a new book out that chronicles his rise in infosec, including his time as one of the founders of the hacking collective L0pht. Its early days were wild by today’s standards: the members would often prowl the streets of Boston and dumpster dive in search of used computer parts. They would then clean them up and sell them at the monthly MIT electronics flea market. Dead hard drives were one of their specialties — “guaranteed to be dead or your money back if you could get them working.” None of their customers took them up on this offer, however. There are other chapters about the purchase of L0pht by @stake and Thomas’ eventual firing from the company, then taking eight years to get a college degree at age 40, along with the temporary rebirth of the Hacker News Network and going to work for Tenable and now at IBM. I review the book in this post, and highly recommend it if you are looking to relive those early infosec days.

Time to say goodbye to Paypal

I have been a user of Paypal ever since, well, forever, but certainly for at least 25 years by my guess. Today I closed my account, thanks to having gotten several invoices from fraudsters. Today I got an invoice that I couldn’t delete. (“An error has occurred” … no kidding. I felt a great disturbance in the force.) Brian Krebs wrote about this trend last year.

This isn’t the first time I have written about Paypal security and scams. Check out here for 2010, here for 2007, and here for 2006.

Last year, after getting another fake invoice, I took precautions by eliminating my checking account as a payment method, and left my account using a credit card as the sole source of funds. This comes after not having had any actual funds in my PP account for years, just using it as a transfer mechanism from some vendors that still paid me that way. Money would come in, and it would go out quickly.

It made me sad to close my PP account — a process which is very easy and just took seconds online, so thanks Paypal for making that simple. And I realize, as one of my friends remarked, that I am not really addressing the problem — any online payment vendor could become the next darling of the fraudsters and give me grief down the road. But I guess I feel that enough is enough. I already use Venmo (which is owned by PayPal), Apple Pay and Google Pay. Do I really need anything else? My son-in-law will start working at Melio, which looks interesting, but I really don’t need another service for my back office accounting.

A few months ago I wrote this piece for CNN’s Underscored about using mobile payment apps. I rated Apple Pay the best of the bunch — if you have an iPhone. But what about web-based apps? There is Google Pay, of course.

I would recommend reading my CNN piece for the caveats about how to stay safe using online payment products. But there is one thing that I didn’t mention — this concept of how to firewall your banking infrastructure. The bank account that was formerly connected to my now-gone Paypal account was my main corporate checking account. That wasn’t a good idea: some hacker could have gained access to those funds. Given the current state of fraudulent invoices, you should have a separate bank account that is just used as a repository for your online transactions. Ideally, it should be at a different bank than your “real” accounts. Just keep a small balance there when you need it. Or use credit cards (and accept that the 3% processing fees are the cost of using them).

I just feel like the bad guys have won, and I hate that. I guess it could have been worse: I could have inadvertently paid that fake invoice. Keep sharp out there. Now if I could just stop those nearly daily phone calls from scammers trying to get me to sign up for various Covid cash schemes.