More stories

    Microsoft warning: This malware creates a 'persistent' backdoor for hackers

    Microsoft has uncovered another piece of malware used by the attackers behind the SolarWinds software supply chain attack discovered in December. Security researchers have discovered numerous modules used by the attack group, which Microsoft calls Nobelium. The US and UK in April officially blamed the attack on the hacking unit of the Russian Foreign Intelligence Service (SVR), which is also known as APT29, Cozy Bear, and The Dukes.

    Microsoft in March uncovered the GoldMax, GoldFinder, and Sibot components from Nobelium, building on other malware from the group including Sunburst/Solarigate, Teardrop, and Sunspot.

    The newly discovered malware, called FoggyWeb by Microsoft, is a backdoor used by the attackers after a targeted server has already been compromised. In this case, the group uses several tactics to steal network usernames and passwords to gain admin-level access to Active Directory Federation Services (AD FS) servers, which gives them access to the identity and access management infrastructure that controls user access to apps and resources. This allows the attackers to stay inside a network even after a clean-up. FoggyWeb has been used in the wild since as early as April 2021, according to Microsoft.

    “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” explains Ramin Nafisi of the Microsoft Threat Intelligence Center.

    “FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” Nafisi adds. The backdoor allows abuse of the Security Assertion Markup Language (SAML) token, which is used to help users authenticate to applications more easily.

    Microsoft recommends potentially affected customers take three key steps: auditing on-premises and cloud infrastructure for configurations and per-user and per-app settings; removing user and app access, reviewing configurations, and re-issuing new, strong credentials; and using a hardware security module to prevent FoggyWeb from stealing secrets from AD FS servers. Microsoft in May uncovered more Nobelium infection tools, including EnvyScout, BoomBox, NativeZone, and VaporRage, as well as a spear-phishing campaign that piggybacked on a legitimate US email-marketing service.

    Scalper bots are now targeting graphics card vendors

    When you think of automatic bots, it may be that the first thing that springs to mind is the annoyance of getting up early and waiting in anticipation for concert tickets to go on sale for your favorite band — only to have them all slurped up within seconds. 

    It’s a well-known practice: set up a bot to purchase a coveted item or service and then sell it on the market with a steep mark-up. Generate profit, move on to the next in-demand product. Reselling online is big business, and when individuals lost their jobs due to the COVID-19 pandemic, some turned to bot operations to make ends meet. Others simply work this business to make a profit on hot-ticket items. One group, for example, claimed to have secured 3,500 PlayStation 5 consoles in Europe and the UK, contributing to an almost immediate sell-out of the next-generation gaming system.

    An issue surrounding the supply of PS5s is a global shortage of chips, made worse by the pandemic and natural disasters. Graphics cards, for example, are in high demand not only from tech vendors but also from gamers and cryptocurrency miners — and in response to this demand, scalper bots have made their presence known.

    On Tuesday, bot mitigation platform Netacea published its Top Five Scalper Bots Quarterly Index, a tracking report that identifies the hottest products most often targeted by scalper bots. Covering April to June this year, the company says that the most popular item was the $110 Air Jordan Retro 1 High OG sneakers, which, once scalped and resold, have gone for up to seven times — or more — their original price tag.

    The second most coveted item was the PS5. One bot observed by Netacea made “one million purchase attempts” in only six hours. In third place were graphics cards suitable for gaming purposes; the most popular product scalpers tried to secure was the NVIDIA RTX 3000 series. In fourth was another fashion item, Yeezy Boost 700 MNVN sneakers, and in fifth, chips made a comeback with graphics cards marketed for cryptocurrency mining purposes.

    “It’s an especially difficult time for retailers,” commented Andy Still, chief technology officer at Netacea. “In addition to supply chain issues adding to the challenges of the last two years, they increasingly face the risk of bots buying their most popular items before their customers — a trend that negatively impacts prices and a brand’s reputation.”

    Crisis management and incident management in the digital era

    An “incident” is defined as unplanned downtime, or an interruption, that either partially or fully disrupts a service by delivering a lesser quality of service to its users. If the incident is major, it is a “crisis.” When it starts to affect the quality of service delivered to customers, it becomes an issue, as most service providers have service level agreements with their consumers that often have penalties built in.

    As I continue my research in these areas, and after talking to multiple clients, I have come to the realization that most enterprises are not set up to handle IT-related incidents or crises in real time. The classic legacy enterprises are set up to deal with crises in old-fashioned ways, without considering the cloud or the SaaS model, and social media venting adds another quirk. Newer digital-native companies do not put much emphasis on crisis management, from what I have seen.

    Especially with the need and demand for “always-on,” incidents do not wait for a convenient time. Problems can, and often do, happen on weekends, holidays, or weeknights when no one is paying attention. When an incident happens, a properly prepared enterprise must be in a position to identify, assess, manage, solve, and effectively communicate it to customers.

    Another key issue to note here is the difference between security and service incidents. A security incident is when either data leakage or a data breach happens. The mitigation and crisis management there involve a different set of procedures, from disabling accounts to notifying stakeholders and account owners and escalating the issue to security and identity teams. A service incident is when a service disruption happens, either partially or fully. It needs to be escalated to DevOps, developers, and Ops teams. Since they are similar, some of the crisis management procedures might overlap. But if your support teams are not aware of the right escalation process, they might be sending critical alerts up the wrong channel when minutes matter in a critical situation. For the sake of this article, I am going to discuss only service interruptions, though a lot of parallels can be drawn to a security incident as well.

    Avoid incidents when possible

    Avoidance is better than fixing issues in any situation. There are many things an enterprise can do to avoid such situations, such as vulnerability audits, early-warning monitoring, code profile audits, release review committees, anomaly detection, etc. One should also invest in proper observability, monitoring, logging, and tracing solutions. I have written many articles on those areas as well; they are too complex to cover in detail here.

    Prepare for the unexpected

    With most enterprises, there is no preparation or plan of action for when an incident happens. In the digital world, incidents do not wait around for days to be solved or managed. If you let social media take over, it will. Sometimes it can even have a mind of its own. When you are not telling the story, the social media pundits will be telling your story for you.

    Identify the incident before others do

    I wrote a few articles on this topic. In my latest article, “In the digital economy, you should fail fast, but you also must recover fast,” I discuss the need for speed to find issues faster than your customers or partners can. Software development has fully adopted DevOps and agile principles, but the Ops teams have not fully embraced DevOps methodologies. For example, the older monitoring systems, whether they are application performance monitoring (APM), infrastructure monitoring, or digital experience monitoring (DEM) systems, can find out fairly quickly that there is a service interruption. However, identifying the microservice that is causing the problem, or the changes that went into effect and caused this issue, is complex in the current landscape. I have written repeatedly about the need for observability and for finding issues faster, at the speed of failure.

    Act quickly and decisively

    When major incidents happen, it should be an all-hands-on-deck situation. As soon as a critical incident (Sev. 1) is identified, an incident commander should be assigned to the incident, a collaborative war room (virtual or physical) must be opened immediately, and the proper service owners must be invited. If possible, the issue must be escalated immediately to the right owner who can solve the problem rather than going through the workflow process of L1 through L3, etc. In the collaborative war room, finger-pointing and blaming someone else is quite common, but that will only delay the process further. In addition, if too many people are invited to these collaborative war rooms, there has to be a mechanism to identify mean-time-to-innocence (MTTI), so that anyone invited who is not directly related to the issue and cannot assist in solving it can leave and continue their productive work.

    Own your story on your digital channels

    When a Sev. 1 or a major service interruption happens, your users need to know, your service owners need to know, and your executives need to know. In other words, everyone who has skin in the game should know. Part of it would be external communication. At the very minimum, there has to be a status page that displays the status and quality of service, so everyone is aware of the service status at all times. In addition, an initial explanation of what went wrong, what you are doing to fix it, and a possible ETA should be posted either as a status update or as regular posts on LinkedIn, Twitter, Facebook, and other social media platforms where your enterprise brand is present. Going dark on social media will only add fuel to the fire. Your users know your services are down. If they get no updates from you, speculators, or even competitors, will spread rumors that ruin your brand.

    This is where most digital companies are weak, as they are not prepared, and it can make or break an SMB enterprise. Real-time crisis and reputation management are crucial in those critical moments while engineers and support teams are trying to solve the problem. It is also a good idea to use sentiment analysis and reputation tools to figure out who is saying extremely negative things and to try either to take them offline and deal with them directly or to respond in kind to avoid further escalation.

    Do a blameless post-mortem

    A common pattern I see across organizations is that after the crisis is solved and the incident is fixed, everyone seems to move on to the next issue quickly. It could be because there are so many issues that the support, DevOps, and Ops teams are overwhelmed, or because they do not think it is necessary to analyze what happened or why. An especially important part of crisis/incident management is to figure out what went wrong, why it went wrong, and, more importantly, how you can fix it once and for all so that it never happens again. After figuring out a solution, document it properly. You also need a repository to store these solutions so that, in the unfortunate event that it happens again, you know how to solve it quickly and decisively.

    Follow up

    In addition, discuss the situation with your top customers who were affected by it; explain what you did to solve the issue and how you fixed it so it will not repeat. More importantly, discuss how you were prepared for the incident before it happened. This instills huge confidence in your brand. Not only will you not lose customers, but you will gain more because of how you handled it.

    The general advice from crisis management firms would also be to cancel any extravagant events that are planned in the immediate future. If your critical services were down for days while your executives were having a huge conference in Vegas, the social media world would be at it for days. Monitor social media platforms (LinkedIn, Twitter, and Facebook at a minimum, or whatever other social media platforms your company has a presence on, including negative comments on your own blog sites) for tone; you can even use AI-based sentiment analysis tools to identify still-unsatisfied customers and discuss their concerns and how you can address them. Until these concerns are addressed, your incident is not completely solved.

    Another best practice would be to avoid hype content or marketing buzz for a while after a major incident happens. I have seen companies go on with the plan and get a backlash from customers saying that they are all talk and nothing really works.

    Conclusion

    Let’s face it: every enterprise is going to face this sooner or later. No one is invincible. The question is, are you ready to deal with it when it happens to you? The ones who handle it properly can win customers’ confidence, showing they are prepared to handle future incidents if they were to happen again. Do you earn your customers’ trust by doing this the right way, or do you lose it by botching it and covering it up? That will define you going forward.

    At Constellation Research, we advise companies on tool selection, best practices, trends, and proper IT incident/crisis management setup for the cloud era so you can be ready when it happens to you. We also advise customers in the RFP, POC, and vendor contract negotiation process as needed.

    Cryptocurrency expert pleads guilty to helping North Korean government use blockchain to evade sanctions

    Cryptocurrency expert Virgil Griffith has pleaded guilty to helping North Korean officials evade sanctions using blockchain and cryptocurrency in 2019. Griffith is now facing up to 20 years in prison and will be sentenced on January 18, 2022. Griffith was arrested in November 2019 after he flew to North Korea in April 2019 and gave a technical talk at the Pyongyang Blockchain and Cryptocurrency Conference. Griffith was allegedly warned by US State Department officials ahead of his trip not to go, but went anyway. The 38-year-old, who was a resident of Singapore before his arrest, pleaded guilty to conspiring to violate the International Emergency Economic Powers Act in US District Court on Monday. “As he admitted in court today, Virgil Griffith agreed to help one of our nation’s most dangerous foreign adversaries, North Korea. Griffith worked with others to provide cryptocurrency services to North Korea and assist North Korea in evading sanctions, and traveled to North Korea to do so,” US Attorney Audrey Strauss said. “In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”

    US citizens are banned from “exporting any goods, services, or technology” to North Korea without a license from the Department of the Treasury’s Office of Foreign Assets Control. The Justice Department claimed Griffith began planning his assistance to the North Korean government in 2018 by “developing and funding cryptocurrency infrastructure there, including to mine cryptocurrency.”

    He allegedly knew that the tools he was creating would be used to evade US sanctions and fund government activities that include the North Korean nuclear weapons program and “other illicit activities.” His presentation at the conference was “tailored to the DPRK audience,” according to a statement from the Justice Department. “At the DPRK Cryptocurrency Conference, Griffith and his co-conspirators provided instruction on how the DPRK could use blockchain and cryptocurrency technology to launder money and evade sanctions,” the Justice Department explained. “Griffith’s presentations at the DPRK Cryptocurrency Conference had been approved by DPRK officials and focused on, among other things, how blockchain technology such as ‘smart contracts’ could be used to benefit the DPRK, including in nuclear weapons negotiations with the United States.”

    Griffith and others also helped answer questions about blockchain from North Korean government officials and worked to set up ways for cryptocurrency to be exchanged between North Korea and South Korea. The original criminal complaint says Griffith was working on “plans to facilitate the exchange of Cryptocurrency-1 [Ether] between the DPRK and South Korea.” The Justice Department accused Griffith of going even further, pledging to recruit other experts to travel to North Korea for blockchain projects and to set up connections between government officials and cryptocurrency service providers. Griffith was a member of the Ethereum Foundation’s Special Projects group before his arrest. He also operated a Tor-to-Web (Tor2Web) service called Onion.city, according to previous reporting from ZDNet.


    How CISO roles will change as customer trust becomes imperative

    In 2021, digital transformation no longer counts as innovative; it’s a baseline expectation for every enterprise. The trust imperative is the next major shift enterprises will encounter. New market leaders will not solely arise from technology platforms, sophisticated analytics, or sophisticated capital allocations. Instead, consumers and business leaders will increasingly turn to companies they can trust. And trust will move markets. 

    At Forrester’s upcoming Security & Risk event on November 9–10, I’ll deliver a keynote on the CISO’s role in the trust imperative. Security leaders will learn why and how the trust imperative requires their full participation. There is no executive role that better aligns with the trust imperative than the CISO. As culture, market, and technology shifts bring more disruption and chaos, CISOs will go from being an often-ignored role to one of the most crucial people in their organizations. In the keynote, CISOs And The Trust Imperative, I’ll explain why that will happen, how to handle it, and what to do about it. Here’s a spoiler-filled preview of what I’ll discuss in my keynote:

    Wait for the trust imperative to arrive with open arms. CISOs, for the entirety of their cybersecurity careers, defended the data employees, customers, and partners entrusted to them. They have lived in a world of trusted users, unauthorized access, and intrusions. Forrester created Zero Trust security — one of the featured tracks at our event — more than a decade ago to reinvent programs and architectures poorly designed to address the challenges we face.

    Add to the bottom line by leading trust imperative initiatives. Our sessions in the products and applications security track will highlight how product security helps CISOs link themselves to their firm’s revenue goals, but the trust imperative takes that up a notch. Customers will buy from the companies that they trust the most. Part of that trust is your company behaving according to the values it espouses. Still, ethical behavior and preventing breaches also factor in, elevating cybersecurity’s importance to new levels.

    Expect to see “Trust” formally added to your job description. Click around LinkedIn or browse job requirements, and a new trend emerges. Trust stealthily — and formally — snuck into job requirements and became part of your responsibilities. Your peers agree that CISOs should own this.

    And for those who want to know if we’ll address the elephant in the room — how the trust imperative and Zero Trust work together and exist simultaneously — well, that’s my opener. Challenge accepted! To learn more, register for Forrester’s Security & Risk event. This post was written by Vice President and Principal Analyst Jeff Pollard, and it was originally published by Forrester.

    Singapore to link up with Malaysia on cross-border payment transfers

    Singapore will next link up its national real-time payment system, PayNow, to Malaysia’s equivalent infrastructure, DuitNow, just weeks after announcing similar plans with India. The latest tie-up will enable residents of the two neighbouring nations to make fund transfers via their mobile numbers. The Monetary Authority of Singapore (MAS) and Bank Negara Malaysia (BNM) said in a joint statement Monday that efforts to link their payment systems would be rolled out in stages, with the first phase to kick off in the fourth quarter of 2022. Apart from transferring funds using a mobile number, consumers in either country would be able to pay for their purchases by scanning Singapore’s NETS or Malaysia’s DuitNow QR codes displayed at merchants’ stores.

    According to the two central banks, the integration would facilitate more seamless payments between the two countries, where remittances hit SG$1.3 billion ($959.85 million) last year. There was also high traffic between the two neighbouring nations, which averaged 12 million arrivals yearly before the pandemic. After the initial launch, MAS and BNM would look to expand the connectivity to include more features and partnerships. Both central banks would explore the possibility of introducing features such as blockchain-based services to drive greater efficiencies in payments clearing and settlement between participating banks. They further noted that the connectivity between PayNow and DuitNow was in line with the G20’s efforts to drive “faster, cheaper, more inclusive, and more transparent” cross-border payments. It also would put Asean nearer its goal of building a network of linked real-time payment systems.

    MAS’ chief fintech officer Sopnendu Mohanty said: “Singapore’s remittance corridor with Malaysia is our largest remittance corridor; hence, the PayNow-DuitNow linkage will be an important infrastructure to support cross-border payment needs of individuals and businesses, as well as the growing digital economic activity between both countries. The linkage also offers MAS and BNM a valuable opportunity to incorporate the use of distributed ledger and smart contract technologies in the wholesale cross-border payments space.”

    BNM’s assistant governor Fraziali Ismail added: “By bringing the efficiencies observed in domestic payments to cross-border payments, the PayNow-DuitNow linkage will be a game-changer resulting in faster, cheaper, and more accessible payment services for the people of both countries. Not only would this initiative further strengthen the economic ties between Singapore and Malaysia, it would also serve as a key enabler to support post-pandemic economic growth.”

    Singapore earlier this month said it was linking PayNow with India’s real-time payment system, Unified Payments Interface (UPI). Targeted for completion by July 2022, the connectivity would enable residents of both countries to make real-time, low-cost fund transfers directly between their respective local bank accounts, both countries said. Singapore in April 2021 inked a similar pact with Thailand to enable users in both nations to transfer funds using the recipient’s mobile number. The collaboration tapped the respective countries’ peer-to-peer payment systems, PayNow and Thailand’s PromptPay, and was part of a regional payment initiative to ease cross-border payments. Singapore earlier this month also announced it was working with the central banks of Australia, Malaysia, and South Africa to develop and test a common platform on which to process cross-border digital payments. The initiative to pilot the use of central bank digital currencies (CBDCs) for international transactions aimed to bypass the need for intermediaries and, hence, slash the time and cost of such transactions.

    Best VPN for streaming: Fire Stick, Netflix & more

    This is a sensitive topic. Owners of entertainment content go to great lengths to control the distribution of their wares, especially when it comes to international markets for movies and TV, and even local regions for blacked-out sporting events. By contrast, VPN vendors go to great lengths to make the case that you can use their services to bypass all those restrictions. But there are times where, legally, you might want to use a VPN to watch a movie or video. If you’re traveling, you can VPN back to your home country and use your home streaming service account to watch your favorite show. That said, it is, at best, a legally gray area.

    VPNs, set-top boxes, and streaming sticks don’t all work together well. The exception to this is the Amazon Fire TVs and Fire TV Sticks, and any Android TV box. The XGIMI Halo projector I recently spotlighted in an outdoor theatre project is one such device. But if you’re using a Roku, an Apple TV box, or any smart TV not running Android TV, you’re forced to jump through a bunch of hoops: configuring your router to use the VPN, or connecting your TV as a client to your Mac or PC and using that machine’s VPN-protected network. Honestly, if you want to watch streaming TV through a VPN, just get a Fire TV Stick and be done with it. It’s the easiest and least expensive path.

    Excellent documentation, even for streamers without native apps

    Native Streaming Apps: Fire TV, Android TV, Nvidia Shield TV
    Simultaneous Connections: 5, or unlimited with the router app
    Kill Switch: Yes
    Platforms: A whole lot
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days

    ExpressVPN has been burning up the headlines, and not with the best news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is to read our in-depth analysis.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. What we like about ExpressVPN is how it documents setting up VPN services for virtually all the most popular set-top boxes, even those that don’t natively support VPN. For each device, ExpressVPN has a guide walking you through the process.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    While the company does not log browsing history or traffic destinations, it does log the dates connected to the VPN service, the amount of data transferred, and the VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Native support for Fire TV and Android TV

    Native Streaming Apps: Fire TV, Android TV, Nvidia Shield TV
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy. To prevent WebRTC leaks, Surfshark offers a special-purpose browser plugin designed specifically to combat those leaks.

    Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that checks your email address against data breach lists.

    If you love Kodi, this is your VPN

    Native Streaming Apps: Fire TV
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500
    Locations: 75
    Trial/MBG: 30 days

    For those folks who love the Kodi media player (and I’m one of them), IPVanish is the VPN for you. IPVanish has full, detailed setup guides for using Kodi with many of the more popular streaming set-top devices. Of course, you don’t have to use Kodi, but if you haven’t spent any time looking into this awesome open source home theatre system, you should.

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short by doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.

    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN. The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    Solid performance, but not a big entertainment focus

    Native Streaming Apps: Fire TV, Android TV
    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5,517
    Trial/MBG: 30 days

    Performance testing was adequate, although ping times were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping times, so this isn’t a weakness unique to Nord. It’s more than fast enough in most countries to stream your favorite movie or video.

    In our review, we liked that it offered capabilities beyond basic VPN, including support for P2P sharing, a service it calls Double VPN that adds a second layer of encryption, Onion over VPN, which allows for Tor capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    How does the router thing work?

    You first install your VPN onto your router. This depends on the VPN provider and the router, so you’ll need to do some digging. But if your VPN and router are willing to play nicely with each other, then because all traffic on your network travels across your router, it will also be able to use the router’s VPN connection. It’s a bit crude, but not as crude as the next on our list…

    Wait, so I’m supposed to use my PC as a router?

    Yeah, if you don’t have a compatible set-top box or a compatible router, the idea is you connect your TV to your PC or Mac as a network client, use that computer’s VPN client, and then go out over the network. It’s janky as heck, but the VPN vendors have generally clear enough guidelines. But, by the time you’re doing all that, just buy a $39 Fire TV Stick and be done with it.

    So some set-top devices have native apps?

    Basically, Android TV is a version of Android. That means that most apps in the Google Play store will run reasonably well on Android TV — including VPN clients. Most VPN vendors slightly recoded their Android handheld apps to have a wide-screen UI for the TV and pushed those apps into the Play Store. Since Amazon’s Fire TV is basically a skinned version of Android TV using Amazon’s app store, VPN vendors didn’t have to do too much technically to make it work — and Amazon is, of course, a huge market. So you just go to the app store and install the app. Easy peasy.

    But not Apple TV or Roku?

    Nope. You’re doing the router or PC network client hoop jump game. And before you ask, if you want to use Xbox, Playstation, or Switch to stream your entertainment, you’re also going to need to run your streaming movies through a router or a PC network sub-LAN.

    But, if Android TV works, surely Chromecast does?

    Nope. No it doesn’t. Same as the Roku or the consoles. Because Android giveth and Chromecast taketh away.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

    Secure those Macs: Apple must step up and support older machines

    Image: Pixabay user dokumol
    I have long advocated keeping machines up to date. When machines become too old to update, I’ve bitten the bullet and dumped them, even if they were still fully functional.

    With all the malware and ransomware, not to mention simple flaws that could cause a system to crash, it’s become necessary to keep machines up to date, regularly updating both operating system and applications software. When that software can no longer be updated, it’s time to toss the machine. But should it be?

    I just finished upgrading my small fleet of older Macs. I pulled one iMac and four Mac minis out of service. The iMac went to a friend who’s tech savvy enough and responsible enough to manage his own security. But those four Mac minis are now sitting on a shelf. I’d like to donate them to a local school or library. But because they can’t be upgraded to the latest versions of MacOS (and can’t have the latest security fixes), I won’t give them to unsuspecting muggles, no matter how deserving they might be. Making donations of woefully out-of-date machines that can’t get security updates isn’t an act of charity, it’s creating potential victims.

    But here’s the thing. Even though those Mac minis are eight and nine years old, they are perfectly functional. Given Apple’s build quality, there is no reason they wouldn’t keep chugging along for another eight or nine years.

    The modern tech lifecycle

    Most IT folk understand and probably even agree with the modern tech lifecycle. Put simply, as newer releases of computers and operating systems come out, older software and hardware become obsolete. Vendors don’t want to continue to support systems that are quite old. Developers don’t want to test against numerous generations of older machines. The cost to maintain and update the dregs of old gear is impractical. It’s also impractical because features that run like the wind on new hardware can be dog slow on older hardware. Some features (for example Face ID on iOS devices) simply won’t run on older hardware because of intrinsic limits on that older hardware (like not having fast enough processing power, the right GPU, or the necessary lenses).

    As an independent developer, I can’t support and test versions of code for users running very out-of-date software or hardware. I barely have the time to support and test the more current releases. So, as a developer, I concur with the idea that tech becomes obsolete over time, and it’s regularly necessary to move on.

    A paradigm shift

    But as I looked at those four perfectly functional Mac minis sitting in a stack on a shelf, never to process bits ever again, I found myself getting upset. It’s one thing for an independent developer to set a baseline for version or operating system support. It’s another for Apple, the world’s most valuable company, with a valuation in the trillions of dollars. It’s not like Apple can’t afford to make sure even its oldest machines stay safe year after year.

    What would that cost? The salary of a hundred engineers would be, roughly — in Silicon Valley dollars — about $20 million. Let’s say facilities and gear for those hundred engineers is another $20 million. Does anyone seriously think Apple can’t afford $40 million a year to keep software up to date? In its second quarter, Apple posted revenues of $89.6 billion (up 54 percent year over year). $40 million isn’t even 0.05% of Apple’s quarterly revenue. Heck, $40 million is only 15% of Tim Cook’s $265 million 2020 compensation package. He could pay to keep all installed Macs up to date, and as a share of his compensation it would cost him about what putting up a fence costs us normal folk.

    There are some natural constraints to this “keep everything updated” plan I seem to be advocating. First, developers can’t all be expected to keep all their software compatible with ancient machines. Yes, sure, Microsoft and Adobe could, but it’s beyond the scope of all the little indie developers out there. Second, performance will undoubtedly be pretty poor on the oldest machines. Not all the advanced features will run on them.

    But even with these restrictions, Apple could certainly establish a baseline. All the applications that ship with the machines could be kept up to date. On Macs, that would provide a nice suite of tools for users of older machines. And updating and hardening Safari would provide a solid, safe baseline for users of older machines.

    The state of Apple support

    Apple doesn’t explicitly state its end-of-life policy for devices. When a new OS is released, it will list devices supported. You can derive from the supported list a secondary list of those devices left behind. Apple does maintain an information page detailing Apple security updates. As of today (end of September, 2021), Apple is still issuing security updates for MacOS Catalina. That means that three of the four machines I took out of service can still be updated — but they don’t run Big Sur or Monterey, and Apple won’t say when Catalina security updates will stop.

    My fourth newly out-of-service machine, the 2011 Mac mini, can’t be updated beyond High Sierra. Apple’s last High Sierra security patch was in 2020, and the company gives no indication whether (a) there are any known but unpatched security flaws in High Sierra, and (b) whether it ever intends to issue future patches. In fact, this lack of transparency is policy. On that same Security Updates page, Apple says, “For the protection of our customers, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.” That’s… helpful. NOT. Especially for users of older machines.

    But this isn’t just about my four computers. I took a quick look on eBay and found a lot of older machines for sale. This one is just one example:

    As you can see, it’s an old 2008 MacBook Pro. While it might not be something the typical ZDNet reader is likely to buy, someone on a limited budget in need of a computer might well decide to spend $66 plus $17.14 shipping to land a MacBook Pro. This low-cost machine already has 12 bids and as of the time I took the screenshot, it had two days left to go.

    But, according to the site Apple History, the 2008 MacBook Pro maxes out at 10.10.4. That’s OS X Yosemite, an operating system that came out in October 2014 and received its last major update in August 2015. According to Apple’s Security Updates page, the last security update for Yosemite was in 2017 — four years ago. The last time Safari was updated for Yosemite was also four years ago.

    This is what I’m talking about. There is no reason that Apple, a company that brought in nearly $90 billion (with a B) in revenue last quarter, couldn’t keep churning out security updates for these older machines.

    Time for the big vendors to step up

    Those machines are out there, people are using them, and it’s well within Apple’s power to keep those people safe. So why don’t they? Or a better question would be, Apple, when will you step up? This article has been mostly focused on Macs, but phones need the same attention. I also call on companies like Samsung to keep older devices up to date.

    Samsung also had a record quarter last quarter, pulling in KRW 63.67 trillion ($54B USD) in sales and KRW 12.57 trillion ($10B USD) in operating profit. With $10 billion in operating profit for just one quarter, do we seriously think Samsung can’t issue updates for all those old Android phones it sold? But it doesn’t. Many of those phones haven’t gotten updates since just a year or two after they were sold. Android is a cesspool for malware, which Samsung is essentially enabling by its inaction in providing security updates.

    As I said before, there is a line somewhere between the individual developer like me, and companies like Apple and Samsung who are rolling in billions of dollars in profits. I don’t expect boutique developers to handle the load of back-facing security updates. But the big players? Not doing so is irresponsible.

    There are millions of those machines out there, still in use. All those machines are actively vulnerable to malware and other security threats. Worse, those machines can become patient zero devices, spreading malware to other machines on their networks. So it’s not just about updating old machines to keep their users safe. It’s about updating old machines to keep us all safe.

    So, the next time you see Apple give a long song and dance about how environmentally responsible they are, how much they’re moving towards sustainability, and how many robots they’ve built that can disassemble their old electronics, keep in mind that a minor investment could have kept millions of old computers and phones out of landfills, and made them available to lower-income users who need them.

    What about you? Do you have a stack of old gear you can’t responsibly give away, but also don’t want to toss out? Do you think Apple and Samsung have been dropping the ball in not taking responsibility for older security updates? Let us know in the comments below.
