Boxed with the IT Privacy and Security Weekly Update for the week ending January 31st, 2023


Daml’ers,


This is probably one of the most entertaining updates yet, so join us as we take you from the coolest ride to the hottest trend in outsmarting AI CCTV cameras.

And then, apparently, we have some bad news if you are Austrian, Italian, Dutch or Colombian.

We go on to “reasons to be cheerful part 3” with a great LINUX distro that will take care of your updates for years!

From the US Government, another shameful admission, after an investigation shows that remoting into its machines proved far too successful.

We close out the week with cameras: How many are pointed at us, how to pose for them, and how to avoid them.

This “boxed” edition of the IT Privacy and Security Weekly Update is already a hit, so grab those hand wraps, put on your headgear, and let’s jump into the ring.


US: One-upping Ye. Hollywood’s Favorite Cars Are Armored and REALLY Electrified.

Hollywood’s favorite cars may be armored and somewhat electrified, but we want to start this week by turning up the amperage.

When you want to go for enhanced privacy and security you have to add one of these to your current platform: Lockheed Martin’s Directed Energy Interceptor for Maneuver Short-Range Air Defense System (DEIMOS).

A recent demonstration verified the tactical laser weapon’s expected optical performance according to the company’s Spectral Beam Combination architecture by blasting two missiles out of the air.

“DEIMOS has been tailored from our prior laser weapon successes to affordably meet the Army’s larger modernization strategy for air and missile defense and to improve mission success with 21st Century Security solutions.”

So what’s the upshot for you? Honestly now, would you even consider being seen in the Hollywood hills in a dusty old M1 Abrams, or some sort of fortified Jeep when you could tool to the corner shops for a liter of milk with one of these on your ride?


US/EU: US and EU To Launch First-Of-Its-Kind AI Agreement

The United States and European Union on Friday announced an agreement to speed up and enhance the use of artificial intelligence to improve agriculture, healthcare, emergency response, climate forecasting and the electric grid.

A senior U.S. administration official, discussing the initiative shortly before the official announcement, called it the first sweeping AI agreement between the United States and Europe.

Previously, agreements on the issue had been limited to specific areas such as enhancing privacy, the official said.

AI modeling, which refers to machine-learning algorithms that use data to make logical decisions, could be used to improve the speed and efficiency of government operations and services.

“The magic here is in building joint models (while) leaving data where it is,” the senior administration official said.

“The U.S. data stays in the U.S. and European data stays there, but we can build a model that talks to the European and the U.S. data because the more data and the more diverse data, the better the model.”

The initiative will give governments greater access to more detailed and data-rich AI models, leading to more efficient emergency responses and electric grid management, and other benefits, the administration official said.

The partnership is currently between just the White House and the European Commission, the executive arm of the 27-member European Union.

The senior administration official said other countries will be invited to join in the coming months.

So what’s the upshot for you? We are impressed. Getting the US and EU to agree on anything was, until a year or so ago, virtually unheard of.


NL/AU/IT/CO: Dutch hacker obtained virtually all Austrians’ personal data, police say

A Dutch hacker arrested in November obtained and offered for sale the full name, address and date of birth of virtually everyone in Austria, the Alpine nation’s police said on Wednesday.

A user believed to be the hacker offered the data for sale in an online forum in May 2020, presenting it as “the full name, gender, complete address and date of birth of presumably every citizen” in Austria, police said in a statement, adding that investigators had confirmed its authenticity.

The trove comprised close to nine million sets of data, police said. Austria’s population is roughly 9.1 million.

So what’s the upshot for you? The hacker had also put “similar data sets” from Italy, the Netherlands and Colombia up for sale, Austrian police said, adding (frustratingly) that they did not have further details.


CA: Home Depot Canada found sharing customer personal data with Meta - privacy regulator

Home Depot’s Canadian arm was found to be sharing details from e-receipts related to in-store purchases with Facebook owner Meta Platforms without the knowledge or consent of its customers, according to Canada’s privacy regulator.

An investigation by the Office of the Privacy Commissioner of Canada (OPC) found that by participating in Meta’s offline conversions program Home Depot shared the e-receipts that included encoded email addresses and purchase information.

The regulator added that the home goods chain stopped sharing customer information with Meta in October 2022, which was among the recommendations made by OPC, until the company is able to implement measures to ensure valid consent.

So what’s the upshot for you? We think this one deserves a big fine as the ultimate invasion of privacy and probably the last thing about us that has not already been leaked. Imagine. Now Mark Zuckerberg knows what grit sandpaper we buy!


Global: A network of knockoff apparel stores exposed 330,000 customer credit cards

If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there’s a chance your credit card number and personal information were exposed.

Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders’ information was spilling onto the open web.

At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses – and rising in real-time as customers placed new orders.

The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder’s information.

The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel.

But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password.

Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner.

Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data and reporting it to companies to get their systems secured.

But in this case, Sen wasn’t the first person to discover the spilling data.

According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database’s contents of credit card data and would return it in exchange for a small sum of cryptocurrency.

A review of the data shows most of the credit card numbers are owned by cardholders in the United States.

Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database.

TechCrunch contacted Tencent about its customer’s database leaking credit card information, and the company responded quickly.

The customer’s database went offline a short time later.

Many of the stores leaking customers’ information claim to operate out of Hong Kong and were set up in the past few weeks.

Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.

So what’s the upshot for you? Just what you needed, you buy clothes with stolen designs and now “they’ve” stolen your credit card details.


Global: JD Sports admits intruder accessed 10 million customers’ data

Sports fashion retailer JD Sports has confirmed miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix.

In a post to investors this morning, the London Stock Exchange-listed business said the intrusion was related to infrastructure that housed data for online orders from sub-brands including JD, Size?, Millets, Blacks, Scotts, and MilletSport between November 2018 and October 2020.

The data accessed consisted of customer name, billing address, delivery address, phone number, order details, and the final four digits of payment cards “of approximately 10 million unique customers.”

The company does “not hold full payment card details” and said that it has “no reason to believe that account passwords were accessed.”

As is customary in such incidents, JD Sports has contacted the relevant authorities such as the Information Commissioner’s Office, and says it has enlisted the help of “leading cyber security experts.”

The chain has stores across Europe, with some operating in North America and Canada. It also operates some footwear brands including Go Outdoors and Shoe Palace.

“We want to apologize to those customers who may have been affected by this incident,” said Neil Greenhalgh, chief financial officer at JD Sports.

“We are advising them to be vigilant about potential scam emails, calls, and texts and providing details on how to report these.”

He added: “We are continuing with a full review of our cyber security in partnership with external specialists following this incident.

Protecting the data of our customers is an absolute priority for JD.”

So what’s the upshot for you? That’s what you need. Your sporting goods shop gives away all your PII and everything but the first few digits of your credit card and then tells you to be vigilant.


RU: Massive Yandex Code Leak Reveals Russian Search Engine’s Ranking Factors

Nearly 45GB of source code files, allegedly stolen by a former employee, have revealed the underpinnings of Russian tech giant Yandex’s many apps and services.

It also revealed key ranking factors for Yandex’s search engine, the kind almost never revealed in public.

While it’s not clear whether there are security or structural implications of Yandex’s source code revelation, the leak of 1,922 ranking factors in Yandex’s search algorithm is certainly making waves.

In a thread detailing some of the more notable factors, researcher Alex Buraks suggests that “there is a lot of useful information for Google SEO as well.”

Yandex, the fourth-ranked search engine by volume, purportedly employs several ex-Google employees.

Yandex tracks many of Google’s ranking factors, identifiable in its code, and competes heavily with Google.

Buraks notes that the first factor in Yandex’s list of ranking factors is “PAGE_RANK,” which is seemingly tied to the foundational algorithm created by Google’s co-founders.

So what’s the upshot for you? So what we have learned from this Yandex breach is that the great Russian search engine uses Google too!


Global: Canonical Announces General Availability of LINUX Ubuntu Pro, Free for Up to 5 PCs

Promising to “reduce your average CVE exposure time from 98 days to 1 day”, Ubuntu maker Canonical announced Thursday the general availability of its Ubuntu Pro comprehensive subscription for Ubuntu users who want to expand the security updates and compliance coverage of their systems.

First released in a beta version in October 2022 with free subscriptions for personal and small-scale commercial use on up to 5 machines, Ubuntu Pro is only available for Ubuntu LTS (Long-Term Support) releases, starting with Ubuntu 16.04, and promises up to 10 years of security updates, as well as access to exclusive tools.

These include Ansible, Apache Tomcat, Apache Zookeeper, Docker, Drupal, Nagios, Node.js, phpMyAdmin, Puppet, PowerDNS, Python 2, Redis, Rust, WordPress, ROS, and many others.

The Ubuntu Pro subscription promises patches for critical CVEs in less than 24 hours and expands the optional technical support to an additional 23,000 open-source packages and toolchains, not just the packages in Ubuntu’s main software repository.

Canonical says that if you need Ubuntu Pro for more than five PCs, you will have to purchase a paid plan, which is currently priced at $25 USD per year for workstations or $500 USD per year for servers with a 30-day free trial.

Official Ubuntu Community members get free support for up to 50 machines.

So what’s the upshot for you? We think this is pretty amazing and will be building a Linux machine over the weekend to test it out.


US: Oops! US federal agencies hacked using legitimate remote desktop tools.

The U.S. government’s cybersecurity agency has warned that financially motivated criminal hackers compromised federal agencies using legitimate remote desktop software.

CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” that had targeted multiple federal civilian executive branch agencies – known as FCEBs – a list that includes Homeland Security, the Treasury, and the Justice Department.

CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-operated intrusion detection system used for protecting federal civilian agency networks.

Further analysis led to the conclusion that many other government networks were also affected.

So what’s the upshot for you? Put this together with the previous exercise, in which 14,000 US Gov’t passwords were discovered within 90 minutes, and you have to wonder whether some U.S. government departments are taking security seriously at all.


US: A bear in Colorado took 400 selfies. Fashion pros say they’re a star.

Concerned about all the CCTV cameras pointed at you as you walk around outside? Someone isn’t.

“Recently, a bear discovered a wildlife camera that we use to monitor wildlife across #Boulder open space,” Boulder Open Space and Mountain Parks said in a tweet. “Of the 580 photos captured, about 400 were bear selfies.”

Shannon Aulabaugh, a spokesperson for Boulder Open Space and Mountain Parks (OSMP), says most of the time, wildlife pass the camera without stopping. But for whatever reason, this bear paused for an extensive photo shoot.

The bear’s work is a master class in vacation photos.

Chin tilts, smoldering eyes, a coy look over the shoulder.

“The engagement is iconic, the confidence really comes through,” said Andrew Matecki, a Los Angeles talent casting and art director, adding that the bear could work in the industry (should it like to) for a long time, given its versatility.

“She definitely knows her angles,” said Los Angeles fashion photographer Amanda Sophia Rose. “She’s really catching you, bringing you in, having direct eye contact with the camera … like she’s done it before.”

So what’s the upshot for you? We hope Boulder Open Space and Mountain Parks got a signed model release form before sharing all these amazing selfies.


Global: How Many Surveillance Cameras Are in Your City?

https://blog.batchgeo.com/surveillance-cameras-in-your-city/

Technology advancements have certainly helped society. But they no doubt have their downsides.

One gray area is the increased use of CCTV or closed-circuit television cameras in most major cities around the world.

Of course, surveillance cameras have their benefits. They help deter and solve crimes and even mitigate traffic.

While some aspects of CCTVs are intended to make the world a safer place, privacy activists worry that allowing police unfettered access to footage of our daily lives is invasive.

Whether you’re of the opinion that increased surveillance keeps us safe or you’re against the watchful eye of CCTVs, you should know where your city stands on the matter.

A couple of cities have nearly three million surveillance cameras while others have significantly fewer CCTVs—just 40 cameras or so.

So what’s the upshot for you? With a great context-sensitive map, you can check the numbers on cameras in a particular city. They might not have your hometown, but there are bound to be a couple of cities in the list that you have been to … or are going to.


US: U.S. Marines Outsmart AI Security Cameras by Hiding in a Cardboard Box

United States Marines outsmarted artificially intelligent (AI) security cameras by hiding in a cardboard box and standing behind trees.

Former Pentagon policy analyst Paul Scharre has recalled the story in his upcoming book Four Battlegrounds: Power in the Age of Artificial Intelligence.

In the book, Scharre recounts how the U.S. Army was testing AI monitoring systems and decided to use the Marines to help build the algorithms that the security cameras would use.

They then attempted to put the AI system to the test and see if the squad of Marines could find new ways to avoid detection and evade the cameras.

To train the AI, the security cameras, which were developed by Defense Advanced Research Projects Agency’s (DARPA) Squad X program, required data in the form of a squad of Marines spending six days walking around in front of them.

After six days spent training the algorithm, the Marines decided to put the AI security cameras to the test.

“If any Marines could get all the way in and touch this robot without being detected, they would win. I wanted to see, game on, what would happen,” DARPA deputy director Phil Root tells Scharre in the book.

Within a single day, the Marines had worked out the best way to sneak around an AI monitoring system and avoid detection by the cameras.

Root says: “Eight Marines – not a single one got detected.”

According to Scharre’s book, a pair of Marines “somersaulted for 300 meters” to approach the sensor and “never got detected” by the camera.

So what’s the upshot for you? Now you have to remember to pack an extra box if you want to travel incognito!




Our Quote of the week: “Privacy is not about hiding bad things, it’s about protecting the good things in life.” - ChatGPT


That’s it for this week. Stay safe, stay secure, help yourself to a couple of extra boxes on your way out, and see you in se7en.