Mince pies and the IT Privacy and Security Weekly update for the week ending December 20th, 2022

Daml’ers,


In perhaps our juiciest update yet we sink our taste buds into this week’s Holiday cornucopia of flavors.

From the North Pole to the South, but mostly in the US, we have a great new way for Santa to check on the condition of his elves, lots of coal to deliver, and one city that might not even make the delivery logistics planning list this year.

SANTA'S BAG OF COAL

In the US the Feds are regaling hackers with copious quantities of gifts this year, while the UK goes full Green, Grinching on those nice people who share their Netflix account details with half the neighborhood.

Michael Dell and crew whip up the closest thing to a Lego snap-together endpoint we’ve ever heard of but stop short of sharing the tech so that everything that breaks could be mended as easily.

And finally, we suggest that the Missing Cryptoqueen might have had plastic surgery and be working with S Claus. How else would he be financing gifting for 8 billion of us globally?

This week’s Update may raise more questions than it answers, and sometimes it works that way. Grab those snowshoes, let’s go Arctic* and get to the bottom of what’s going on up top!

*Backstory: ‘Arctic’ comes from the Greek word ‘arktos’, meaning ‘bear’ – the northern polar region is the sacred land of the polar bear.


Global: GitHub To Offer Coders Free Scanning For Leaked Keys, Tokens, and Other Secrets

Every developer knows that it’s a bad idea to hardcode security credentials into source code.

Yet it happens and when it does, the consequences can be dire.

Until now, GitHub made its secret scanning service available only to enterprise customers paying for GitHub Advanced Security, but since last Thursday the Microsoft-owned company has been rolling the service out free of charge for all public GitHub repos.

In 2022 alone, the company notified partners in its secret scanning partner program of more than 1.7 million potential secrets that were exposed in public repositories.

The service scans repositories for over 200 known token formats and then alerts partners of potential leaks — and you can define your own regex patterns, too…
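As an added illustration of how a scanner of this kind works (example code written for this update, not GitHub's implementation): a few hypothetical token-shape rules plus one user-defined regex are run over a constructed in-memory repository, a Shannon-entropy filter drops documentation placeholders such as `ghp_xxxx...`, and findings are redacted so the report itself does not leak the value. All tokens, paths and rule names below are made up.

```python
import math
import re
from collections import Counter, namedtuple

# A rule is a name, a compiled regex and whether random-looking content is expected.
# Structural markers such as PEM headers set check_entropy=False.
Pattern = namedtuple("Pattern", "name regex check_entropy", defaults=[True])
Finding = namedtuple("Finding", "path line_no kind redacted entropy")

# Hypothetical rules modelled on well-known token shapes; GitHub's real partner
# rule set (200+ formats) is not reproduced here.
BUILTIN_PATTERNS = [
    Pattern("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    Pattern("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    Pattern("private_key_block",
            re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
            check_entropy=False),
]
MIN_ENTROPY = 3.0  # bits per character; "ghp_xxxx..." style placeholders score far lower

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def redact(secret: str, keep: int = 6) -> str:
    """Keep a short prefix only: the scanner's own report must not re-leak the value."""
    return f"{secret[:keep]}...[{len(secret)} chars]"

def custom_pattern(name: str, regex: str) -> Pattern:
    """User-defined rule, the analogue of GitHub's custom regex patterns."""
    return Pattern(name, re.compile(regex))

def scan_text(path: str, text: str, patterns) -> tuple:
    """Scan one file's contents; returns (findings, number of low-entropy matches dropped)."""
    findings, suppressed = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat in patterns:
            for m in pat.regex.finditer(line):
                ent = shannon_entropy(m.group(0))
                if pat.check_entropy and ent < MIN_ENTROPY:
                    suppressed += 1  # almost certainly a documentation placeholder
                    continue
                findings.append(Finding(path, line_no, pat.name, redact(m.group(0)), round(ent, 2)))
    return findings, suppressed

def scan_repo(files: dict, patterns) -> tuple:
    """Scan a {path: contents} mapping standing in for a checked-out repository."""
    results = [scan_text(path, text, patterns) for path, text in files.items()]
    return [f for found, _ in results for f in found], sum(s for _, s in results)

# Constructed sample repository; every value below was made up for this example.
SAMPLE_REPO = {
    "config/settings.py": ('GITHUB_TOKEN = "ghp_Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56Qr78"\n'
                           'AWS_ACCESS_KEY_ID = "AKIAZ7Q2TR4M8N1PXJ5K"\n'),
    "docs/README.md": "Set GITHUB_TOKEN to a token such as " + "ghp_" + "x" * 36 + "\n",
    "internal/client.go": 'const acmeKey = "acme_3f9a1c7e2b8d4f605a1b2c3d4e5f6a7b"\n',
    "keys/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, body omitted)\n",
}
ALL_PATTERNS = BUILTIN_PATTERNS + [custom_pattern("acme_api_key", r"\bacme_[a-f0-9]{32}\b")]

if __name__ == "__main__":
    found, skipped = scan_repo(SAMPLE_REPO, ALL_PATTERNS)
    for f in found:
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted} entropy={f.entropy}")
    print(f"{len(found)} finding(s), {skipped} low-entropy placeholder(s) suppressed")
```

The README placeholder matches the `github_pat` regex but is dropped by the entropy filter, while the PEM header is reported regardless, which is the usual split between random-looking tokens and structural markers.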

So what’s the upshot for you? The rollout of the service will be so gradual that it will not be available to all users until the end of January 2023. Kick back and have another mince pie.


Global: Google Debuts OSV-Scanner, a Go Tool For Finding Security Holes in Open Source

Google has released OSV-Scanner – an open-source vulnerability scanner linked to the OSV.dev database that debuted last year.

Written in the Go programming language, OSV-Scanner is designed to scan open-source applications to assess the security of any incorporated dependencies – software libraries that get added to projects to provide pre-built functions so developers don’t have to recreate those functions on their own.

Modern applications can have a lot of dependencies.

For example, researchers from Mozilla and Concordia University in Canada recently created a single-page web application with the React framework using the create-react-app command.

The result was a project with seven runtime dependencies and nine development dependencies.

But each of these direct dependencies had other dependencies, known as transitive dependencies.

The react package includes loose-envify as a transitive dependency – one that itself depends on other libraries. All told, this basic single-page “Hello world” app required a total of 1,764 dependencies.

As Rex Pan, a software engineer on Google’s Open Source Security Team, observed last Tuesday in a blog post, vetting thousands of dependencies isn’t something developers can do on their own.
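To show why a dependency scanner has to walk the whole tree rather than just the packages a developer asked for, here is an added example (written for this update, not OSV-Scanner's own code): a constructed lockfile-style graph following the react to loose-envify chain mentioned above is resolved breadth-first and every reached package, direct or transitive, is matched against constructed advisory records using the OSV-style half-open version range. A real scanner would send these package and version pairs to OSV.dev; the advisory ids and most versions here are placeholders.

```python
from collections import deque

# Constructed dependency data in the spirit of an npm lockfile: the app's direct
# dependencies plus what each resolved package itself depends on. Names follow
# the react -> loose-envify chain the article mentions; versions are made up.
LOCK = {
    "root": {"react": "18.2.0", "react-dom": "18.2.0", "web-vitals": "2.1.4"},
    "packages": {
        "react@18.2.0": {"loose-envify": "1.4.0"},
        "react-dom@18.2.0": {"loose-envify": "1.4.0", "scheduler": "0.23.0"},
        "scheduler@0.23.0": {"loose-envify": "1.4.0"},
        "loose-envify@1.4.0": {"js-tokens": "4.0.0"},
        "js-tokens@4.0.0": {},
        "web-vitals@2.1.4": {},
    },
}

# Constructed advisories shaped like OSV records (package, ecosystem, affected
# range). The ids are placeholders, not real OSV or CVE identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "js-tokens", "ecosystem": "npm",
     "introduced": "0", "fixed": "4.0.1"},
    {"id": "EXAMPLE-0002", "package": "scheduler", "ecosystem": "npm",
     "introduced": "0.20.0", "fixed": "0.22.0"},
]

def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; enough for the constructed data above."""
    return tuple(int(part) for part in v.split("."))

def resolve(lock: dict) -> dict:
    """Breadth-first walk from the direct dependencies.
    Returns {name: (version, depth)}; depth 1 is direct, >1 is transitive."""
    resolved = {}
    queue = deque((name, ver, 1) for name, ver in lock["root"].items())
    while queue:
        name, ver, depth = queue.popleft()
        if name in resolved:
            continue  # already reached by a shorter path
        resolved[name] = (ver, depth)
        for dep, dep_ver in lock["packages"][f"{name}@{ver}"].items():
            queue.append((dep, dep_ver, depth + 1))
    return resolved

def is_affected(version: str, adv: dict) -> bool:
    """OSV-style half-open range: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def scan(lock: dict, advisories: list) -> list:
    """Match every resolved package, direct or transitive, against the advisories."""
    resolved = resolve(lock)
    return [(name, ver, depth, adv["id"])
            for name, (ver, depth) in resolved.items()
            for adv in advisories
            if adv["package"] == name and is_affected(ver, adv)]

if __name__ == "__main__":
    deps = resolve(LOCK)
    direct = sum(1 for _, d in deps.values() if d == 1)
    print(f"{direct} direct, {len(deps) - direct} transitive dependencies")
    for name, ver, depth, adv_id in scan(LOCK, ADVISORIES):
        print(f"{adv_id}: {name}@{ver} reached at depth {depth}")
```

The three direct dependencies are clean; the only hit sits three levels down in js-tokens, which is exactly the kind of finding a manifest-only check misses.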

So what’s the upshot for you? This is a HUGE help to anyone writing anything, well, apart from those letters to the North Pole.


US: US Air Force Launches Wearable Biosensor Program to Track Airmen’s Health

The US Air Force Research Laboratory (AFRL) has begun a program to create a wearable biomolecular capability to track airmen’s health.

The device uses sensors to read and analyze the molecular and physiological information of personnel who are “overly fatigued, stressed, or hyperstimulated” during critical missions.

Future applications of the capability include weight loss and mood disorder management.

“We are looking to equip them with more advanced human monitoring capabilities so mission commanders can integrate that information and make more rapid decisions,” BioSIS Technical Lead Dr. Lawrence Drummy said.

“These sensors will be integrated into a network, not just used as stand-alone, so that a global picture of performance can be generated.”

So what’s the upshot for you? Apparently Santa’s kitting the Elves out with these this year too.


Global: Dell Concept Laptop Has Pop-Out Components, Disassembles Screwdriver-Free

Dell continues tinkering with what it hopes to be a repairable laptop like the Framework Laptop.

Last year, it showed off Concept Luna, a clamshell designed to disassemble easily for repairs, upgrades, and component harvesting.

This year, Dell showed the press an updated Concept Luna that could support more power while being even simpler to dismantle.

The vendor is also exploring how to automate the process, from disassembly to parts diagnostics, on a broad scale.

Dell’s Concept Luna laptop is comparable in size to a Latitude with some Dell XPS 13 Plus-like stylings.

In person, it looked similar to the Concept Luna demoed last year, including appearing to be a functioning PC.

But Dell’s representative was able to open this year’s version up and pull out internal parts much more rapidly – well under 60 seconds.

Dell’s rep simply stuck a pin (it could be anything that fits, they said) into a hole in the security lock slot on the right side of the system’s deck.

That allowed Dell’s rep to pull off the keystone north of the keyboard and then slide the keyboard up and out.

Once the system was open, the speakers, fan, motherboard, and battery were removed instantly thanks to pop-out modules, which, Dell said, are recyclable.

The concept laptop also got rid of the cable connecting the battery, so there are no cables, adhesives, or other types of connectors.

Dell built Concept Luna with simple display upgrades and repairs in mind as well.

Last year’s version used passive cooling, while the new one has a fan.

In addition to advancing the laptop’s design this year, Dell also looked into automation techniques that could further this concept on a scale that could extend beyond a single product.

So what’s the upshot for you? OK Michael Dell, we need this for our phones, our cars, and even our pushbikes. Have a word with Santa. We understand he’s got a bunch of elves that will have nothing to do in about a week.


US: Senate Passes Legislation To Ban TikTok From US Government Devices

The U.S. Senate has passed legislation to ban TikTok from US government devices, in a move designed to limit perceived information-security risks stemming from the social media app.

The vote by unanimous consent approved the No TikTok on Government Devices Act, a bill authored by Missouri Republican Sen. Josh Hawley.

The move marks lawmakers’ latest step against the short-form video app that has become popular with over a billion users worldwide.

US officials fear that TikTok’s user data could end up in the hands of the Chinese government due to that country’s influence over TikTok’s parent, ByteDance.

A companion bill was introduced in the House last year by Colorado Republican Rep. Ken Buck.

It has yet to be approved by members of the House Oversight Committee.

House Speaker Nancy Pelosi said Thursday it isn’t yet clear whether the chamber will take up the TikTok bill in light of its Senate passage, saying lawmakers were consulting with White House officials on its language.

So what’s the upshot for you? TikTok could be getting a big bag of coal for the holiday season and if they do, we suggest forwarding it on to Ukraine.


US: You could not make this up: IRS Accidentally Releases 112,000 Taxpayers’ Private Data … Again.

Confidential data of about 112,000 taxpayers inadvertently published by the IRS over the summer was mistakenly republished in late November and remained online until early December, the IRS disclosed last week.

Form 990-T data that was supposed to stay private had been taken offline but made its way back to the IRS site when a contractor uploaded an old file that still included most of the private information, a letter sent Thursday to congressional leaders said.

The agency is required to post Form 990-Ts filed by nonprofit groups online but is supposed to keep the forms filed by individuals private; in both incidents, it published the individual filings as well.

An internal programming error caused the September release of private forms along with the ones filed by nonprofit groups, the letter said.

This time, the contractor tasked with managing the database reuploaded the older file with the original data instead of a new file that filtered out the forms that needed to be kept private.

The IRS shared corrected data with the contractor on Nov. 23, but the old files had not been purged from the contractor’s system.

A third-party researcher alerted the IRS the files were back online on Dec. 1, and the IRS ordered the contractor to take them down immediately.

Roughly 104,000 of the 106,000 forms disclosed in September were redisclosed this time.

So what’s the upshot for you? The agency is reconsidering its relationship with the contractor Accenture on this project, the report added, citing a person familiar with the matter.


Global: Epic Games, Maker of ‘Fortnite,’ To Pay $520 Million To Resolve FTC Allegations

Epic Games has agreed to pay $520 million to resolve Federal Trade Commission allegations that the “Fortnite” video game developer violated online privacy protections for children and tricked players into making unintended purchases.

The FTC said the agreement consisted of two record-breaking settlements that resolved a pair of civil complaints it filed against Epic.

One, filed in federal court, alleged the company violated the federal Children’s Online Privacy Protection Act by collecting personal information from “Fortnite” players under the age of 13 without notifying their parents or obtaining verifiable parental consent.

That lawsuit also accused the company of illegally enabling real-time voice and text chat communications for children and teens in the game by default.

Further, the FTC said Epic put those users at risk by connecting them with strangers, and as a result, some were “bullied, threatened, harassed and exposed to dangerous and psychologically traumatizing issues such as suicide.”

Epic will pay a $275 million civil penalty for the alleged COPPA violations, the FTC said, the largest assessed in the commission’s enforcement of the privacy law.

Epic didn’t admit or deny the FTC’s allegations as part of the settlements.

The commission also said the company agreed to pay $245 million in consumer refunds to resolve the second complaint, which was filed in administrative court.

It is the FTC’s largest settlement that bars the use of so-called dark patterns, tactics that trap customers into paying for goods and services and create obstacles to canceling.

The agency alleged that Epic deployed a variety of tactics to drive unintended purchases of virtual perks such as outfits and dance moves in “Fortnite,” including the use of counterintuitive, inconsistent and confusing button configurations.

“These tactics led to hundreds of millions of dollars in unauthorized charges for consumers,” it said.

So what’s the upshot for you? This is just so wrong and every kid knows it, so we are bricking over the chimney and installing a “detour” sign at Epic in preparation for the holidaze. These guys won’t even be getting a bag of coal this year.


US: T-Mobile Carrier Scammer Gets a Decade in the Slammer

Phishing emails and social engineering scams were all it took for mobile phone store owner Argishti Khudaverdyan to breach the mobile provisioning systems of T-Mobile, AT&T, and Sprint to “unlock” phones from their network constraints — earning him more than $25 million in the process.

Khudaverdyan stole the credentials of more than 50 T-Mobile employees across the US, allowing him to unblock hundreds of thousands of phones, according to the Department of Justice.

“From August 2014 to June 2019, Khudaverdyan fraudulently unlocked, and unblocked mobile phones on T-Mobile’s network, as well as the networks of Sprint, AT&T, and other carriers,” the DOJ explained.

“Removing the unlock allowed the phones to be sold on the black market and enabled T-Mobile customers to stop using T-Mobile’s services and thereby deprive T-Mobile of revenue generated from customers’ service contracts and equipment installment plans.”

So what’s the upshot for you? Wait, what? That unlock code was illegal?


US: Swatters Used Ring Cameras To Livestream Attacks, Taunt Police.

Federal prosecutors have charged two men with allegedly taking part in a spree of swatting attacks against more than a dozen owners of compromised Ring home security cameras and using that access to live stream the police response on social media.

Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, gained access to 12 Ring cameras after compromising the Yahoo Mail accounts of each owner, prosecutors alleged in an indictment filed Friday in the Central District of California.

In a single week starting on November 7, 2020, prosecutors said, the men placed hoax emergency calls to the local police departments of each owner that were intended to draw an armed response, a crime known as swatting.

On November 8, for instance, local police in West Covina, California, received an emergency call purporting to come from a minor child reporting that her parents had been drinking and shooting guns inside the minor’s home.

When police arrived at the residence, Nelson allegedly accessed the residence’s Ring doorbell and used it to verbally threaten and taunt the responding officers.

The indictment alleges the men helped carry out 11 similar swatting incidents during the same week, occurring in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

So what’s the upshot for you? The two men and a third unnamed accomplice would first obtain the login credentials of Yahoo accounts and then determine if each account owner had a Ring account that could control a doorbell camera.

The men would then use their access to gather the names and other information of the account holders.

The defendants then placed the hoax emergency calls and waited for armed officers to respond.

Nelson is looking at 5 to 12 years in the clink if convicted.


US: If IT Workers Stay Home, What Happens to ‘the Most Empty Downtown in America’?

“Today San Francisco has what is perhaps the most deserted major downtown in America,” reports the New York Times.

“On any given week, office buildings are at about 40 percent of their pre-pandemic occupancy…”

The vacancy rate has jumped to 24 percent from 5 percent since 2019. Occupancy of the city’s offices is roughly 7 percentage points below that of those in the average major American city, according to Kastle, the building security firm.

More ominous for the city is that its downtown business district — the bedrock of its economy and tax base — revolves around a technology industry that is uniquely equipped and enthusiastic about letting workers stay home indefinitely.

In the space of a few months, Jeremy Stoppelman, the chief executive of Yelp, went from running a company that was rooted in the city to vacating Yelp’s longtime headquarters and allowing its roughly 4,400 employees to work from anywhere in their country.

“I feel like I’ve seen the future,” he said.

Decisions like that, played out across thousands of remote and hybrid work arrangements, have forced office owners and the businesses that rely on them to figure out what’s next.

This has made the San Francisco area something of a test case in the multibillion-dollar question of what the nation’s central business districts will look like when an increased amount of business is done at home…

The city’s chief economist, Ted Egan, has warned about a looming loss of tax revenue as vacancies pile up. Brokers have tried to counter that narrative by talking up a “flight to quality” in which companies upgrade to higher-end space.

Business groups and city leaders hope to recast the urban core as a more residential neighborhood built around people as well as businesses but leave out that office rents would probably have to plunge for those plans to be viable.

Below the surface of spin is a downtown that is trying to adapt to what amounts to a three-day workweek… On Wednesdays, offices in San Francisco are at roughly 50 percent of their pre-pandemic levels; on Fridays, they’re not even at 30 percent…

So what’s the upshot for you? In a typical downturn, the turnaround is a fairly simple equation of rents falling far enough to attract new tenants and the economy improving fast enough to stimulate new demand.

But now there’s a more existential question of what the point of a city’s downtown even is. We have seen the future and the future is… barren.

Of course the upside is that Santa can skip another major metropolitan city which helps his delivery logistics.


UK: UK Govt: Netflix Password Sharing Is Illegal and Potentially Criminal Fraud

The UK Government’s Intellectual Property Office published new piracy guidance yesterday, and it contains a small, easily missed detail. People who share their Netflix, Amazon Prime, or Disney+ passwords are violators of copyright law.

And it gets worse. The IPO informs TorrentFreak that password sharing could also mean criminal liability for fraud. […] In a low-key announcement yesterday, the UK Government’s Intellectual Property Office announced a new campaign in partnership with Meta, aiming to help people avoid piracy and counterfeit goods online.

Other than in the headline, there is zero mention of Meta in the accompanying advice, and almost no advice that hasn’t been issued before.

But then this appears: "Piracy is a major issue for the entertainment and creative industries.

Pasting internet images into your social media, password sharing on streaming services, and accessing the latest films, tv series, or live sports events through Kodi boxes, fire sticks, or Apps without paying a subscription all break copyright laws.

Not only are you breaking the law but stopping someone earning a living from their hard work."

So what’s the upshot for you? Using the “services of a members’ club without paying and without being a member” is cited as an example of fraud in the UK, so the bar for criminality is set very low. You’re a mean one Mister Grinch.


EU: Follow the drama of the Missing CryptoQueen

The “Missing Cryptoqueen” saga has made long-term headlines since co-founders Ruja Ignatova and Karl Sebastian Greenwood started a cryptocurrency scam known as OneCoin, way back in 2014.

Ignatova, who hails from Bulgaria, and who apparently liked to be known as The Cryptoqueen (her charge sheet even shows that name as an alias), has been wanted in the US on various wire fraud, money laundering, and securities fraud charges since October 2017.

According to the US Department of Justice (DOJ), about two weeks after charges were filed against her in the US, Ignatova flew from Sofia in Bulgaria to Athens in Greece…

…and hasn’t been heard of since, hence her updated nickname: the Missing Cryptoqueen.

In mid-2022, Ignatova was considered criminally significant enough – her scam is said to have pulled in more than $4 billion in “investments” from more than 3,000,000 people around the world – that she was added to the FBI’s Ten Most Wanted Fugitives list, with a $100,000 reward for her capture.

Greenwood, however, went to live in Thailand, where he was arrested by the Royal Thai Police on the tropical island of Koh Samui in June 2018, extradited to the US, and remanded in custody.

He’s been incarcerated ever since, and he looks set to stay locked up for many years to come, having just pleaded guilty to three criminal charges, including wire fraud and money laundering.

OneCoin made billions by not actually having a product at all.

The OneCoin cryptocurrency token that the company “sold” didn’t actually exist, had no so-called blockchain or ledger to prove its existence and activity, and couldn’t actually be traded at all.

As the DOJ’s report explains:

OneCoin falsely claimed that the value of OneCoin was based on market supply and demand, when in fact, the value of the cryptocurrency was set by OneCoin itself.

[Ignatova stated in emails to Greenwood that:] “We can manipulate the exchange by simulating some volatility and intraday pricing,” [… and:] “Goal 6: Trading coin, stable exchange, always close on a high price end of day open day with a high price, build confidence – better manipulation so they are happy.”

So what’s the upshot for you? This Podcast is perfect for long holiday car journeys and there are rumors that Ignatova might be masquerading as an elf…



This week we’re pausing the Quote of the week and gifting you some really bad jokes. You may need to sit down.

If girls are made of sugar, spice, and everything nice, and boys are made of slime, snails, and puppy-dog tails, what’s the cloud made from? Linux servers, mostly.
What did the moderator say to kick off the IT speed dating session? “Singles, sign on!”
What do you call a group of math and science geeks at a party? Social engineers.
What do you call an excavated pyramid? Unencrypted.
What’s the best way to catch a runaway robot? Use a botnet.
Where does a MySQL database go to relax on a hot day? A buffer pool.
Why did the band never get a gig? It was called 1023MB.
After a life of cybercrime, how did the hacker get to heaven? The password hadn’t been changed in 2000 years.


santa's burned bottom


That’s it for this week. Stay safe, stay secure, please ensure the fire’s out and the chimney cool on the eve of the 24th, and see you in se7en.