
Monthly Archives: September 2017

On a Facebook Alternative

Over the weekend I was at a family event. There were a lot of folk snapping pictures and I (once again) asked that no one post any pictures to social media, especially not on Facebook. (Followers of this blog, if any, will know my opinion on Facebook). In the ensuing discussion, I floated an idea of a non-profit Facebook-like site that was not supported by advertising, was invite only as a default, did not track/sell/mine user data, had real, unfiltered, non-propaganda-injected news feeds, and several other items that are opposite Facebook’s (and other similar social media sites’) modus operandi. It did not get too far. The business “minds” did not like the non-profit public/private contribution funding model. The Facebook drones just dismissed it as a rant.

My idea is not to eradicate Facebook and their ilk, but to provide an alternative and educate by establishing a platform that has both the social media aspects that people enjoy, e.g., ease of staying connected and sharing social info, coupled with news feeds that are not filtered, not based on a reader’s likes/dislikes, and not injected by propaganda outlets of dubious sources.

I think articles and online training on critical thinking and how to evaluate the media’s manipulation of emotion and other tricks would be an additional good feature. Training programs such as the IREX Learn to Discern Program, which “…helps citizens detect and decode misinformation and propaganda,” are a good model.

At the moment 45% of Americans get their news from Facebook. News from all social media categories is even higher (source: Pew Research Center, News Use Across Social Media Platforms 2017). With Facebook allowing targeted news feeds, targeted fake advertising, and direct propaganda feeds, all based on user data mining, these statistics should stand as a loud wake-up call.

Facebook and their ilk are in business to make money. Civic responsibility is simply not in their financial interest. They offer services for free to attract their prey. The only way to counter them is to offer alternative “attractions” that are free from the Venus flytrap profit motivators of these companies.

Downloaded CCleaner lately? Oooops..malware laden


Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users….Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” researchers explained. “On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.”

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.

Equifax TrustID – Only Old Insecure IE8 Works!

So this afternoon I was told by email I had an account with Equifax TrustedID when I went to check on the status of the report lock. My password did not work. I tried to use the password reset. The page worked but when you enter all the information and hit the continue button, it does not go anywhere. I called the support telephone and that rings busy. Gave up on that.

Clearly more buggy code.

I finally got it to work using an old Windows Explorer 8 Browser on an old XP machine instead of Firefox. I even tried ieExplorer 11 and that did not work. But old insecure ie8 works fine with no out of date browser warnings.

Next – Then using the same Firefox Browser, I was able to login. And guess what, despite signing up, my report was still unlocked! When I tried to lock it, no dice, lock button not working. No go on ie11, but old insecure ie8 worked just fine.

What a royal cock-up, Equifax. Totally incompetent!

(off topic: I also notice that uBlock Origin identified 147 trackers on And they look out for my privacy and security. Bullshit!)

Another malware outbreak in Google’s Play Store

Regular readers (are there any?) will note that I often rail against Google not policing their Google Play Store. Users think that since it has Google’s name on it, it is safe. Not in the least bit. In addition to the fact that the majority of apps have built-in spyware, there are even more serious malware-laden apps, as the following article delineates.


50 apps get pulled as ExpensiveWall malware runs riot in the store

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory’s code checking system.

The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload that registers victims for paid online services and sends premium SMS messages from a user’s phone and leaves them to pick up the bill. It was found in 50 apps on the Play Store and downloaded by between 1 million and 4.2 million users.

Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages. It then pings its command and control server with information on the infected handset, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI numbers.

The servers then send the malware a URL, which it opens in an embedded WebView window. It then downloads the attack JavaScript code and begins to clock up bills for the victim. The researchers think the malware came from a software development kit called GTK.

“Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store,” the researchers note. “However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.”

It appears that Google missed warnings about the malware infection. The user comments section of at least one of the infected apps was filled with outraged users noting that it was carrying a malicious payload and it appears that the apps were being promoted on Instagram.

Cases of malware infecting Google’s Play Store are becoming depressingly common. Just last month it was banking malware and a botnet controller, in July commercial spyware made it in, advertising spamming code popped up in May (preceded by similar cases in March and April), and there was a ransomware outbreak in January.

By contrast, Apple’s App Store appears to do a much better job at checking code, and malware is a rarity in Cupertino’s app bazaar. While some developers complain that it can take a long time to get code cleared by Apple, at least the firm is protecting its customers by doing a thorough job, although Apple’s small market share also means malware writers tend not to use iOS for their apps.

By contrast, Google’s Bouncer automated code-checking software appears to be very easily fooled. Google advised users to only download apps from its Store, since many third-party marketplaces are riddled with dodgy apps, but that advice is getting increasingly untenable.

It’s clear something’s going to have to change down at the Chocolate Factory to rectify this. A big outbreak of seriously damaging malware could wreak havoc, given Android’s current market share, and permanently link the reputation of the operating system with malware, in the same way as Windows in the 90s and noughties. ®
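The permission pattern the article describes (internet access plus sending and receiving SMS, with device identifiers uploaded) can be checked for in a decoded `AndroidManifest.xml` before an app is allowed onto managed devices. The following is an added example, not code from Check Point or Google; the rule names, the mapping of IMSI/IMEI access to `READ_PHONE_STATE`, and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every Android manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# (rule id, permissions that must all be requested, why it matters).
# Rule ids are hypothetical labels chosen for this example.
RULES = [
    ("sms-send-with-network", {P + "INTERNET", P + "SEND_SMS"},
     "can fetch instructions remotely and send billable SMS"),
    ("sms-send-and-receive", {P + "SEND_SMS", P + "RECEIVE_SMS"},
     "can send SMS and read the replies that confirm paid sign-ups"),
    ("device-identifiers", {P + "INTERNET", P + "READ_PHONE_STATE"},
     "can read IMSI/IMEI-class identifiers and upload them"),
]

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml: str) -> list:
    """Return the ids of every rule whose permission set is fully requested."""
    perms = requested_permissions(manifest_xml)
    return [rule_id for rule_id, needed, _why in RULES if needed <= perms]

# Constructed sample: a wallpaper app asking for far more than wallpapers need.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>
"""

# Constructed sample: a wallpaper app with a plausible permission set.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

A hit is a reason to review the app, not proof of malware: messaging and banking apps legitimately request the same permissions, which is why the app's stated purpose has to be part of the decision.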

Why Equifax & others will Fail at Self Policing

The simple answer is they will not do anything to hurt their own business. They sell your information and rake in too much money doing so. A credit freeze prevents that. I finally found a good article to share on this by Bruce Schneier.


This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer — everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations — just in case I ever decide to join.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.

FireEye pulls Equifax boasts as it tries to handle hack fallout

Oh well, we all knew FireEye was more bluster than solid security.


“Brandan Schondorfer of Mandiant registered the domain on Tuesday (5 September), two days before the breach was publicly disclosed”

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.

Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.


Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with PR aspects of damage limitation, it seems. Brandan Schondorfer of Mandiant registered the domain on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone else intent on poking fun at Equifax – or perhaps worse, run phishing attacks – from getting their hands on the domain.

Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured. For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time of when a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs
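To put numbers on the Sophos criticism above, this added example (not code from Equifax, Sophos or The Register) compares how many PINs a date-and-time scheme can issue in a week with the keyspace of a random PIN of the same length, and includes an audit check for issued PINs that are derivable from their issuance time. The `MMDDYYHHMM` layout, the 10-digit length and the sample dates are assumptions made for illustration; the page says only that the PIN was based on the date and time of the request.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10  # assumed length, matches the assumed MMDDYYHHMM layout

def timestamp_pin(requested_at: datetime) -> str:
    """PIN derived from the request time (assumed layout: MMDDYYHHMM)."""
    return requested_at.strftime("%m%d%y%H%M")

def candidate_pins(window_start: datetime, window_end: datetime) -> list:
    """Every PIN the timestamp scheme can issue in the window, one per minute."""
    pins = []
    t = window_start.replace(second=0, microsecond=0)
    while t <= window_end:
        pins.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return pins

def random_pin(digits: int = PIN_DIGITS) -> str:
    """The fix: draw each digit from the OS CSPRNG, independent of any timestamp."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def compare_keyspaces(window_start: datetime, window_end: datetime) -> dict:
    """Keyspace size and bits of entropy for both schemes over the window."""
    derived = len(set(candidate_pins(window_start, window_end)))
    uniform = 10 ** PIN_DIGITS
    return {
        "timestamp_candidates": derived,
        "timestamp_bits": math.log2(derived),
        "random_candidates": uniform,
        "random_bits": math.log2(uniform),
    }

def is_derivable(pin: str, issued_at: datetime, skew_minutes: int = 5) -> bool:
    """Audit check: does the PIN equal the issuance time within a clock skew?

    A PIN that passes this test carries no secret at all for anyone who can
    read the request log, which is the log-exposure concern raised above.
    """
    start = issued_at - timedelta(minutes=skew_minutes)
    end = issued_at + timedelta(minutes=skew_minutes)
    return pin in candidate_pins(start, end)

if __name__ == "__main__":
    # Constructed window: the seven days from 8 to 14 September 2017.
    stats = compare_keyspaces(datetime(2017, 9, 8, 0, 0),
                              datetime(2017, 9, 14, 23, 59))
    for key, value in stats.items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
    print("new PIN:", random_pin())
```

Knowing only the week in which a freeze was requested cuts the search from ten billion values to about ten thousand, which is why lockout and rate limiting cannot compensate for a derived PIN.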

D-Link Router Riddled with Zero-Day Flaws

A pity the poor home internet user. The crap they buy or are given by their ISP makes them think they are protected. Not. Oh wait, the average small business has these also. Ooops.


A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first.

Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without disclosing the issue to D‑Link beforehand because of a previous negative experience with the firm. He disclosed nine vulnerabilities to D‑Link back in February, but only one of them resulted in a patch from the manufacturer.

“The D‑Link 850L is a router overall badly designed with a lot of vulnerabilities,” Kim offers in a somewhat dismissive summary seemingly borne out of exasperation with the networking kit maker.


Kim concludes by referencing his previous negative experiences with D‑Link in explaining why he had gone public this time before advising punters of the vulnerable equipment and to use other kit instead:

Due to difficulties in previous exchange with D‑Link, full disclosure is applied. Their previous lack of consideration about security made me publish this research without coordinated disclosure. I advise to IMMEDIATELY DISCONNECT vulnerable routers from the internet.

dumb hurricane ideas


“Hurricanes are fake news” guy

Rush Limbaugh deservedly took a lot of heat for his comments on Hurricane Irma last week when he essentially accused the media of hyping up the storm as “fake news.” That’s not to say the conservative talk host was entirely wrong. He was correct that it is in the media’s interest to sell hurricanes as huge, whopping threats (be honest, do you watch The Weather Channel at any other time than during a tropical cyclone landfall?). But “the media” doesn’t do this because of some global warming conspiracy theory, Rush; they do it for ratings and clicks.

But what else would you expect from this mindless fat blowhard?

“Ten-day forecast” guy

Among the most frustrating things during the lead-up to Hurricane Irma’s landfall were the newfound “experts” who seized upon the widespread anxiety to promote the next big threat. During this time, Hurricane Jose represented such a threat. I can’t count how many times I saw someone on social media share a 10-day model forecast for Jose that looped around the Atlantic Ocean before striking the US East Coast. I’m going to pick on Justin Miller below because the national editor of The Daily Beast ought to know better. It is true that the operational run of the European model on Saturday (12z) did show a looping Jose returning to near the East Coast around September 20. And yet… this was a single-track forecast at 10 days, when the average error can often be measured in thousands of kilometers. Moreover, there was little support for a US landfall in the ensemble forecast of the same run (this is the 50 or so additional runs of a model, with slightly different initial conditions, at a lower resolution than the operational model).

This is important because, whereas forecasters use the operational model for five-day forecasts, ensembles become more useful after that time due to increasing uncertainty. In the image below, you can see almost no ensemble members bringing Jose to shore. The operational model, therefore, was a huge outlier to be discounted. The problem with “10-day forecast” guy is that he or she doesn’t have any real interest in being correct. The primary motivation is “look at me.” Having lived through Harvey and writing for shellshocked people in Houston, I can tell you that their greatest fear is that another storm is coming soon, when they are most vulnerable. Constantly, I got questions about Irma—what if it doesn’t turn and comes to Texas? This kind of irresponsible social sharing plays on those fears. Jose may ultimately come to the United States, but there is no truth to be found from “10-day forecast” guy.

So why did Irma miss Miami? About 48 hours before Irma made landfall along the southwestern Florida coast near Marco Island, hurricane forecasts began closing in on that track. At that time frame before landfall, the official forecast from the National Hurricane Center has an average error of about 70 miles.

As a sailor, I follow models closely. Anything over 3 days has such a huge margin of error that I notate it, but discount these when route planning. Of course, I am not motivated by advertising revenue, just my own and my crew’s safety.

“It wasn’t that bad” guy

Oh, Ann Coulter. Why must you be so horrible? Coulter, who lives in Palm Beach, Florida, tweeted on Sunday morning at about the time that Irma was covering the Florida Keys in water and bearing down on the southwestern coast of Florida.

Ann Coulter @AnnCoulter HURRICANE UPDATE FROM MIAMI: LIGHT RAIN; RESIDENTS AT RISK OF DYING FROM BOREDOM…I wish cables would mention the hurricane. There is a decidedly heavier-than-average morning dew in Miami; Palm Beach bordering on breezy.

First of all, conditions were pretty grim in Miami on Sunday. Secondly, by Friday evening, it was clear that Irma was going to move further west than expected and, instead of hitting southeastern Florida—including the Miami area—it was going to strike the southwestern part of the state. But instead of being inwardly grateful about being spared by Irma or having some empathy for her fellow Floridians, Coulter went full Coulter.

Rush clone Ann – you are a disgrace to your Cornell and University of Michigan Alma Maters.

Facebook Wins, Democracy Loses


Another reason (among many many) why no one with any shred of intelligence should use Facebook.

On Wednesday, Facebook revealed that hundreds of Russia-based accounts had run anti-Hillary Clinton ads precisely aimed at Facebook users whose demographic profiles implied a vulnerability to political propaganda. It will take time to prove whether the account owners had any relationship with the Russian government, but one thing is clear: Facebook has contributed to, and profited from, the erosion of democratic norms in the United States and elsewhere.

The audacity of a hostile foreign power trying to influence American voters rightly troubles us. But it should trouble us more that Facebook makes such manipulation so easy, and renders political ads exempt from the basic accountability and transparency that healthy democracy demands.

The ads — about 3,000 placed by 470 accounts and pages spending about $100,000 — were what the advertising industry calls “dark posts,” seen only by a very specific audience, obscured by the flow of posts within a Facebook News Feed and ephemeral. Facebook calls its “dark post” service “unpublished page post ads.”

This should not surprise us. Anyone can deploy Facebook ads. They are affordable and easy. That’s one reason that Facebook has grown so quickly, taking in $27.6 billion in revenue in 2016, virtually all of it from advertisers, by serving up the attention of two billion Facebook users across the globe.

[Emphasis added] A core principle in political advertising is transparency — political ads are supposed to be easily visible to everyone, and everyone is supposed to understand that they are political ads, and where they come from. And it’s expensive to run even one version of an ad in traditional outlets, let alone a dozen different versions. Moreover, in the case of federal campaigns in the United States, the 2002 McCain-Feingold campaign-finance act requires candidates to state they approve of an ad and thus take responsibility for its content.

None of that transparency matters to Facebook. Ads on the site meant for, say, 20- to 30-year-old home-owning Latino men in Northern Virginia would not be viewed by anyone else, and would run only briefly before vanishing. The potential for abuse is vast. An ad could falsely accuse a candidate of the worst malfeasance a day before Election Day, and the victim would have no way of even knowing it happened. Ads could stoke ethnic hatred and no one could prepare or respond before serious harm occurs.

Facebook has no incentive to change its ways. The money is too great. The issue is too nebulous to alienate more than a few Facebook users. The more that Facebook saturates our lives, families and communities, the harder it is to live without it.


Our best hopes sit in Brussels and London. European regulators have been watching Facebook and Google for years. They have taken strong actions against both companies for violating European consumer data protection standards and business competition laws. The British government is investigating the role Facebook and its use of citizens’ data played in the 2016 Brexit referendum and 2017 national elections.

We are in the midst of a worldwide, internet-based assault on democracy. Scholars at the Oxford Internet Institute have tracked armies of volunteers and bots as they move propaganda across Facebook and Twitter in efforts to undermine trust in democracy or to elect their preferred candidates in the Philippines, India, France, the Netherlands, Britain and elsewhere. We now know that agents in Russia are exploiting the powerful Facebook advertising system directly.

In the 21st-century social media information war, faith in democracy is the first casualty.

Equifax Fails – Results of trying to put on credit freeze – 11 Sep 2017

This morning I went to the Equifax site and checked both my and my wife’s SSN for potential impact. For both I was told we were impacted. For my wife, when I clicked enroll, I got

“Your enrollment date for TrustedID Premier is: 09/14/2017

Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to and click the link to continue through the enrollment process.”

What? Today is 11 Sept and you will not freeze till the 14th? — Outrageous incompetence, Equifax! The FAQ page is just a link back to the original check impact page.

For myself, after being told I was impacted, I was instead sent to a form which I filled out. I was then told I would receive an email with further instructions. That email was never received (and not in spam either!) — More Incompetence.

Regulators need to force this company to offer life credit freeze for all those affected for free. Lawyers then need to sue this company into oblivion.

Update 12:44 EDT 11 Sep 2017

So I received the link and went through the steps and it ended with

An error has occurred

We are experiencing heavy traffic right now. Please check back later to resume the enrollment process. Thank you for your patience.

Next I pulled my annual credit report. Transunion OK, but Equifax

System Temporarily Down

The system is currently down for maintenance. We expect to be back up shortly. Thank you for your patience.

Return to