Signalboost: CCleaner's been hacked

Sep. 19th, 2017 04:18 am
[personal profile] marahmarie

I'm uh, still reading about it, and even just as I was reading and trying to find out which version I have - without actually opening the program because holy crappola - Windows Defender displayed behind-the-scenes scan results saying it found an infection...in CCleaner. I'm not sure what to tell anyone as far as "what to do" because I don't know the answer to that.

*curses*

It's a backdoor called Backdoor:Win32/Floxif that's been in the wild since CCleaner v.5.33 released in August of 2017.

Signalboost: CCleaner has been hacked

Time to reinstall my OS, if the fucking backdoor hasn't already destroyed our ability to do so...

[personal profile] marahmarie

Amount of posts to add new image links to: 89 (some of these are imgur photo swaps because I don't trust them, either, and some are to edit out links to an image because it was lost or is no longer being made available) so say there are still around 80 posts to swap Photobucket images out of.

Dreamwidth's uploader lets you beam the server as many images as you like, so I fed it a bit north of 260 of them. At once. After deleting under 20 images and noting that another 20 won't be included in my posts, that still leaves about 220 image links to replace across 80 entries I've written.

And it's taken me the better part of a few weeks just to get this far because a) I don't feel like it, b) I got too busy on eBay up until I had to end all my sales early because of the fucking storm, 3) the storm, plus d) see a).

We don't have a link rewriter to automate this mess, so before I do anything I might campaign for it via Support request*, after checking to see if anyone else put in for one besides Steve from LJ (whose request was summarily rejected a few months ago), then check the web for any scripts that might help me get anything done here.

*ETA, 9-15-17: I put this into a Suggestion rather than a support request, since Support isn't set up to handle feature requests, and that's all this really is.

ETA2, 9-16-17: I've since posted two more (closely related) Suggestions. Considering the parent suggestion's topic matter, if one gets tossed they probably all will, yippee.

ETA3, 9-16-17: I've been trying (as I mentioned in my last Suggestion) to find a screen scraper to grab links to images I downloaded from Photobucket and uploaded last night to Dreamwidth, but there's not a one that's gonna work, or at least not without getting me ToSed, mostly because Dreamwidth doesn't make a public-facing, per-user image directory available for this (or any other) purpose. I'd almost hire someone to do what I'll have to do instead, but 1) my privacy and 2) that'd probably also get me ToSed. I just aaaarrggh.

ETA4, 9-16-17: Minutes after my last ETAs it hit me why, above all, I can't use Dreamwidth to host my Photobucket images: because DW changes the original file name on every image to a random number, so there's no pattern-matching/find-and-replace to either find the image in Dreamwidth's Manage Images interface or to easily find its match to swap out with in the entry. So I'll just upload my Photobucket album to Anti-AOL on WordPress (my Plan B to begin with) and do this whole thing from there.

Because I've got to get it done.

I could post yet another Suggestion at this point saying more or less, "Oh and btw can DW plz stop swapping out image names for like, random numbers because it's messing up my project" but it's too late now (for me, not for others who might be affected by this issue in the future) plus I think I've about used up my Suggestion-fu for the month week day. I need to just get my ransomed images fixed already, then maybe...

ETA5, 9-16-17: after taking a break to make tuna pasta salad from scratch, because yum, I decided to roll "don't rename image files" - along with "add a search box" - into an existing Suggestion (my second one, with a request my rewrite be released from queue instead of its predecessor). And I'm not trying to stay up all night (yeah, for once, right) so I'll pick up again on this tomorrow, maybe.

In retrospect, I'm sort of glad I waited this long to look into moving my images, because I either never had the time or else the presence of mind before to dive this deep into why DW's image hosting is or isn't workable for moving images from another host. It really isn't, but it seems most of its issues could easily be remedied...problem is, there are so many ways to fix various issues or shortcomings in the service I really had a hard time choosing which to give preference to, so I just submitted all of them. :/

[personal profile] marahmarie

I can't imagine how else they'll sell the base on auditing everyone eligible for the EITC (Earned Income Tax Credit) except to tell them:

"There they are, cruising 'round in their Cadillacs with those heavy Gucci bags back to their McMansions to rest on their big, fancy couches with their 104 inch, 4000K TVs blasting away in their faces, eating some crab legs. Meanwhile, hard-working people like YOU are just scraping by!"

I could see this as the thing that makes the plug-and-play "base" stomp and howl and chant, "Lock 'em up!" at Trumpanado's next barnstorming. Of course, half the people at the rally would have to be locked up, too, but whatever; never let facts get in the way of a good hate-in, is what I say.


Before anyone asks, it rained for about 14 hours. We're at a slight elevation so it wasn't too bad. Wind held steady between "blowing branches off trees" and "knocking them over" (including one down the road that took our power out around 6:30am, so at least it wasn't like we were in the pitch black dark while debris made terrifying landings on the roof all night). I jammed earplugs in and slept through most of it, because I didn't want to know.

I made my own ice blocks using gallon ziploc bags the day before, and today we found a store with some ice, then the power cut back on a few hours later, so food loss was pretty minimal.

The hardest part was not knowing: as of 9pm last night Irma was supposed to hit as a Cat 3 or 4, so I was fairly anxious, even apologizing to Bowie, who's even more terrified of debris hitting the roof than I am, which by then it already was.

But Irma was downgraded via push notification to a tropical storm shortly thereafter. I could not believe my eyes, so I spent another hour checking my radar app, my news app, NOAA, weather.gov, the latest on the Post, the Times and the local news, then, satisfied this was probably not End Times In My Neighborhood, just tried to get some sleep.

[personal profile] marahmarie

The Equifax data breach is turning into a complete disaster because the very thing they're offering to "protect" us - free credit monitoring for one year - has so many "gotchas" built in you might be better off not signing up, or even using their website to check if you were affected by the breach.

For starters, checking your name for breach status or signing up for Equifax's credit monitoring could prevent you from joining the class action lawsuit which arose from it.

ETA, 9-12-17: Not to mention the website appears to be broken, which sounds about right, because the first time I checked I got no answer on whether I was "impacted" or not, while the second time (same session, same cookies) I was told I was "impacted" and encouraged to sign up for free credit monitoring - after I already had.

And opting out by snail mail from the arbitration clause which prevents you from joining requires submitting an "Equifax User ID" that people who merely check their status or sign up for protection will not have, so opt-out for us isn't actually possible.

But signing up for "free-for-now" monitoring will result in getting billed for service after just one year if you don't cancel ahead of time (just like AOL's so-called "free" trial, if you do nothing they'll start charging for service whether you like it or not). Signing up also requires internet access and a credit or debit card because of course it does, so your connectionless grandma who still uses a landline, has no credit or debit card, does everything by snail mail and just writes checks for whatever she wants is SOL, because Equifax has to minimize their losses, somehow.

If all of this isn't bad enough, it's been said that:

  • Kaspersky Antivirus flags Equifax's breach-status website as a "phishing site"
  • Entering Qwerty as your last name and 12-3456 as the last six of your Social indicates your information was stolen
  • Equifax insiders sold off stocks before the breach was announced - but they've known about it since May, so obviously they were locking in profit ahead of the stock collapsing

I still feel "hackers gonna hack" and haven't wanted to hold Equifax responsible, but it's getting increasingly difficult to maintain that position when Equifax is doing nothing to show they're being "responsible" or "transparent" about this, or to adequately compensate anyone who might be affected (which, let's be honest, could be almost all of us).

ETA2, 9-12-17: since posting it's become not just "increasingly difficult" but impossible to sympathize when it's not a case of hackers finding a novel way around their backend security, but their own failure to patch an Apache Struts vulnerability that they've been able to fix since last March. So they're as at fault as they could possibly be for this entire mess.

Hell to the...

Sep. 8th, 2017 03:00 am
[personal profile] marahmarie

She called herself a master negotiator and "worth the trouble" when the Democratic Party tried with all its might to pitch her overboard, preferably head-first.

Boy-howdy, she wasn't kidding. She stood her ground and so she stayed. She did it again this week, and in doing so saved the day (the week, the month, the year, and possibly all of 2018).

Nancy Pelosi, hell to the...

YES!!! An MSN poll shows 65 percent currently approve of Trump accepting the Democratic proposal to avoid federal government shutdown
[personal profile] marahmarie

ETA, 9-9-17 PLEASE READ FIRST: Things got hairy here real fast: a class action was recently filed against Equifax (which I didn't learn of until shortly after posting) and signing up at Equifax for credit protection (or even entering your name to check if you were affected by this breach) using the steps below could legally prevent you from becoming a member.

I'd signed up before writing this, but because I don't hold Equifax responsible (hackers gonna hack, and they're getting sort of good at it, lemme tell you!) I'm not worried about joining. It would be nice if I could, especially if this breach winds up costing me money and/or my privacy down the road, but if I can't I can't.

I just wish I'd known of the lawsuit before signing up for protection. In light of that, I want others to be aware of any possible trade-offs they'll be making.

The Verge reports on what to do if you've already entered your name or signed up for protection (emphasis mine):

For now, the one existing loophole is Equifax’s opt-out provision — another common element of arbitration clauses. Within 30 days of agreeing to the terms of the enrollment, you can deliver a written notice to this address:

Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out
P.O. Box 105496
Atlanta, GA 30348

It needs to include your name, address, and Equifax User ID, as well as “a clear statement that you do not wish to resolve disputes with Equifax through arbitration.”

ETA2: the above opt-out information is useless for anyone who isn't a paying Equifax customer, as the rest of us didn't get "Equifax User IDs" just by checking our names on the website or signing up for credit protection.

ETA3: More updates are in a separate post.


It's been a banner week for this sort of thing, hasn't it? And I'm in the affected users pile, so I'll be signing up for protection (they put you on a waiting list because apparently they wish to not imitate healthcare.gov with a disastrous rollout, so signup looks to be ongoing in slow waves).

In five steps, because apparently they feel a bit awkward about putting us through all this:

  • Read the blah blah blah
  • Click here, more blah blah blah. Now click the button (it takes you here: Check Potential Impact)
  • See if you were in the affected user pile by typing your last name and last six numbers of your Social Security number into boxes on this screen
  • Take the "I'm not a robot" vision tests (I hate these fucking things; anyone else?)
  • Sign up for protection

[personal profile] marahmarie

With a hat tip to [personal profile] andrewducker for including https://haveibeenpwned.com/ in a recent linklist

The results of my scan? Well, I've got seven email addresses (it's a not-putting-all-my-eggs-in-one-basket thing), and 6 out of 7 were good. Real good. The seventh - my most important - got pwned ("pwned", for anyone not familiar, is l33tsp3ak for "owned", pronounced "owned". It's an ancient term. I'm surprised the website owner uses it).

I haven't looked very hard into why I'm on the list but more or less, Russian hackers. I turned up on three exploits (with no pastes). If I were to guess, my mailing lists and at least one of the survey websites I use (I have a strong hunch it's Opinion Outpost and/or sister sites, but just a hunch) got hacked and because of that, my info got scraped into various database dumps that were published/sold/given away online/stolen.

I'm able to guess this because all four GMail accounts came up clear and only one Outlook account was compromised. That account was tripling as my Spam Me and survey-taking account.

And surveys...I don't know if you all know this, but sites like OpinionOutpost and Pinecone Research (in its new incarnation) farm you out from dozens (Pinecone) to hundreds (OpinionOutpost) of survey sites per session, and those websites could've been compromised. The amount of cookie tossing and redirects that goes on in one survey-taking session (sometimes over less than secure pipes, to this day) is a bit hair-raising.

But like I said, that was my most important account, and I can't afford to share it with Russia or with hackers in general, so I binned it. Goodbye four-year-old (or maybe even older) email address.

That made a fun night of getting a new email address (the name-picking alone took me an hour), changing my address across all heavily used websites - and on my computer, which uses the same address to sign me in and out and sync my files to the cloud - and my phone, which again, is hooked into the same ecosystem using the same email address (and which refused to cooperate; it was actually using both email addresses at once, so eventually I had to hard-reset it, not the easiest or fastest thing to do on my Nokia), then exporting/importing my contact list, letting others know of my new address, and all those other not-so-fun related tasks.

There are still companies I have to call and write (that is, email(!)) because functionality to change your email address is literally MIA from their interfaces. In 2017. Go figure.

One of them is my bank (in case [personal profile] darkoshi asks, not BOA, the other one. But still!)

PRICE GOUGING

Sep. 7th, 2017 01:03 am
[personal profile] marahmarie

My area...*rolls eyes*

As you might know, my area might or might not be in the path of an oncoming storm. The crap that's going on, not just in my town or county, but in the entire bi-state area, is perfectly unreal: all the stores from here to Georgia were sold out on water...by MONDAY. Generators are going for well over $1,000 for just ~1000-4000 watts (many of which do not/cannot power a fridge).

A few kind souls had listed used 4000-6000 watt generators for $150-500 but until later on today I didn't have the money for even the lower end. By this afternoon they were gone. I've been on eBay, Amazon, Craigslist, Facebook (scrounging every local swap-n-shop and garage sale) and can't find anything I'd actually buy. There are a few 3000-4000 watt models still available on Amazon in my price range ($100-300) but now Amazon's tacked on a message: "May take an extra 1-2 days to ship" in grass-green letters below the price, so even with Prime, that means 4-5 days goes to 6-7 days to await shipping, and I think we might need it (if we do, at all) by Monday, but my thought is if conditions turn bad enough delivery services won't be out risking their lives by then just to deliver people's goods.

I mean, I wouldn't go out in a hellacious storm if I didn't have to, but who's to say if UPS/FedEx/USPS would or not...

But that's not the end of the price gouging, oh not by any means. A few examples: a manual for some generator is listed at over $200 on Amazon that still costs just $12 on the manufacturer's website. Some UPS battery backups are going for over $300. I have the identical UPS to one I saw at that price on Amazon - just a different brand - sitting on the back corner of my kitchen counter running our kitchen laptop, a lamp, some of our phone and tablet chargers, and I know the damn thing's not worth more than $50 (got it for free off the curb, because as I've said under lock, my neighbors throw away stuff because...like, *in a high-pitched voice*, "It's Tuesday, Harold - time to toss the UPS!". I don't know what's wrong with these people, but I'm not complaining).

But I'm desperate for a generator. I threw away at least $300 worth of food last fall with Hurricane Motherfucking Still Cannot Say Its Name, and spent another $150-200 just so we could buy more during the extended power outage - that's upward of $500 - and between that and the storm putting us out of work for over a week, that turned into such a spiral there was no getting out of it. So I want a generator at least powerful enough to run the fridge so I can keep the food, which will pretty much help it pay for itself, especially if it comes in at or under my $300ish-max budget. But because I can't guarantee we'll even need it, I don't want to spend more than that.

Then again, I could just do like so many people are doing...buy one for $400, then flip it to someone desperate for $1,200 before the next big storm... *eyeroll*

I'm sort of regretful I didn't look sooner, but I didn't have money sooner, and couldn't know I needed it until it finally hit me in the middle of the night that we've got to get a generator. A lot of people had the same thought I did, to judge by Facebook where everything more affordable was marked sold by today.

I just...*gggrrrrrrrrr*

Page generated Sep. 20th, 2017 09:03 am