• Hackers breached the payroll system for the South Australian government and got all of everyone's data.  (Bleeping Computer)
  
  Name, date of birth, tax file number, address, bank account details, employment, payment and tax data, everything, for up to 80,000 people.

  "Having the bank account details doesn't give you access to the bank account, but it's the first step in trying to crack a code in terms of passwords."

  In theory, sure.  In practice, not so much.  One YouTuber - I don't remember who it was - showed his bank account details on screen because you need the password to actually do anything.
  
  His account got cleaned out.
  
  The breach was at a commercial payroll provider, not the government itself, which means that the other 1700 organisations using the same payroll provider suddenly have a major headache.
  
  
  
• A security breach at Volvo resulted in the loss of their R&D data.  (Bleeping Computer)
  
  It's boxy, but good.
  
  
  
• Hackers also hit multiple government systems in Brazil, including those tracking vaccination programs.  (Reuters)
  
  The systems are currently offline, and it's not clear yet how extensive the breach was, or whether any data was stolen or deleted.

• I've been looking for some compact shelves for my new lab, which is made up of laptops and possibly some NUCs but probably not (see below).  I haven't been able to find quite what I want: Bookshelves are too bulky and most desk storage systems are for paper and will fit a 14" laptop but not a 16" one.
  
  Browsing around storage on Amazon I saw something that looked like what I needed and was cheap and shipped free in 48 hours, so I clicked through to it and then realised what it actually was: A shoe rack.
  
  Well, fine.  By Monday I'll have storage for 40 pairs of shoes or four laptops and the associated power supplies, external drives, switches, routers, USB hubs, audio mixers, speakers, and so on, whichever comes first.
  
  And, uh, another six bags of gluten free jelly beans, because I forgot I had those in my cart.  They have a shelf life of a year; there's no way they won't get eaten.
  
  
  
• Intel just EOLed Panther Canyon.  (Tom's Hardware)
  
  Panther Canyon is the regular range of Tiger Lake NUCs.  Tiger Lake is Intel's 1th generation, and there aren't any low power 12th generation chips yet, so that's the entire current lineup.
  
  I was originally looking to get three of the slim-line i5 NUCs, but then those disappeared.  Now the entire lineup has been cancelled.
  
  Asus makes an alternative with AMD CPUs, but I expect that will become hard to find once retail stock of the Intel model sells out.  So I'm looking at getting a third Inspiron 16 Plus.  It's twice as fast as the Intel NUC - eight cores rather than four - but since it also comes with an RTX 3060 and a 16" 3k screen it's more than twice as expensive.
  
  
  
• What happened at AWS US-East-1.  (Amazon)
  
  The control network used behind the scenes to manage all the other AWS services got overloaded.  Since the control network is used to manage the control network, that not only caused problems all over the place, it prevented engineers immediately fixing the problem.
  
  They had to find a way to redirect some of the traffic when the usual mechanisms for redirecting traffic weren't working, so that they could redirect more of the traffic using the usual mechanisms, so that they could fix the management network, so that they could fix AWS itself.
  
  That's why it took six hours.  There's a button to fix all this, but the button broke.
  
  
  
• Imagor is an image processing server written in Go.  (GitHub)
  
  I've written these things half a dozen times at this point, but it's nice to have one that I can just take off the shelf and deploy.
  
  It takes an image from somewhere (not sure yet if it only reads from upstream HTTP servers or can also read from the filesystem), and can resize, reformat, crop, rotate, blur, sharpen, adjust hue, brightness, and contrast, and overlay other images.
  
  The system we built at my day job does even more - it has its own scripting language to run arbitrary sequences of operations over tens of thousands of files - but for many applications Imagor will provide everything you need.
  
  
  
• An unfortunate alignment of bugs in Android and Microsoft Teams meant one user couldn't dial 911.  (Medium)
  
  They were calling on behalf of their grandmother and the grandmother had a landline phone so immediate crisis averted, but there's a fundamental problem with burying a very simple function in a ever-growing nightmare of complexity.
  
  
  
• An exploit of the Log4j Java library is an enterprise nightmare.  (Bleeping Computer)
  
  The library is developed by Apache an used by many Java-based Apache applications like Struts2, Solr, Druid, Flink - yes, these are all real - none of which I use, though Solr is interesting.  They are commonly used by small companies like Apple, Amazon, Cloudflare, Twitter, and Steam, so there are many, many sysadmins having a bad day yet again, because the bug is being actively exploited right now.
  
  
  
• And Minecraft.  (Bleeping Computer)
  
  If you run a public Minecraft server, update it right now.  The Java edition of the Minecraft client has also been updated but it's not clear if it's directly vulnerable.
  
  
  
• Elasticsearch, for once, is not vulnerable.  (Elastic)
  
  They use the Java Security Manager which prevents this attack.
  
  
  
• Here's the Apache announcement of the vulnerability.  (Apache)
  
  Note that I do not refer to this a bug.  It's not a bug.  It's a feature.  The Apache Log4j library is DESIGNED to allow the execution of arbitrary code.
  
  Good work there, guys.  Top notch.
  
  
  
• A new bill in the US Senate would force social networks to open their data to researchers.  (The Verge)
  
  Whereupon it would get hacked, but that's not the key point here.
  
  The key point is the penalty involved: If networks fail to provide this access, the bill would revoke their CDMA 230 protections.
  
  And once the idea is out there that those protections are contingent rather than fundamental, all the social networks are screwed.  I don't think the Democrats understand what they are doing; the social networks are their best - possibly their only - friends, but the they treat them as enemies.
  
  

Posted by: PatBuckman at Sunday, December 12 2021 01:03 AM (r9O5h)

Posted by: PatBuckman at Sunday, December 12 2021 01:07 AM (r9O5h)

Posted by: Pixy Misa at Sunday, December 12 2021 01:51 AM (PiXy!)

Posted by: StargazerA5 at Sunday, December 12 2021 03:01 AM (gJ4RY)

Hide Comments | Add Comment