La Brea Syndrome.

I haven’t really written about Trinidad and Tobago and technology that much except lately with the data breach because it’s more frustrating than interesting.

When I wrote about Trinidad and Tobago breaking out of the economic tidal pool, the press was for diversifying the Trinidad and Tobago economy with what people in my circles tend to think is patently obvious: The information economy.

It’s 2023, and Trinidad and Tobago hasn’t even finished up a Data Protection Act. The Copyright Organization of Trinidad and Tobago still doesn’t care about software and protecting local developer rights, or local writers and their rights. It’s pretty much about music, and it’s a very strange organization even in that regard.

Meanwhile there is now a Ministry of Digital Transformation, where the Minister is the former CTO of the state-controlled telecommunications company that recently had a data breach that internationally should be very embarrassing. Locally, people are powerless to do anything because the government hasn’t made the Data Protection Act law.

This is probably with good reason: the government might be liable for a lot more than we know. We only know about the data breaches that were made public. Did they pay off any ransom attacks? Did they have breaches that nobody even knew about because the attackers didn’t announce themselves?

As the world now has AI manipulating information, Trinidad and Tobago is digitizing the Dewey Decimal System, which is a shame because there is the capacity to do so much more. The inertia is as heavy as the combined age of Parliament multiplied by the number of civil servants in a nation where the largest employer is, one way or the other, the Government of the Republic of Trinidad and Tobago.

This leads those with skills to leave the technologically impaired to drink their own bathwater. Credentialism is the name of the game, followed by those that simply have more connections than capability.

I’ve said all of this for decades. I’ve written it so much I’m sick of writing about it, so unless something new develops locally I’ll just switch back to interesting stuff rather than discuss the tar pits of the information economy in Trinidad and Tobago.

I call it La Brea Syndrome.

Better Business, Privacy

When I read, “Better Business TT launches app, website: Protecting customers from rip-off“, I laughed a bit. It’s not a bad idea, so let me explain.

The article, on the Internet, doesn’t link to the website or app.

It doesn’t really say much about the application other than it being a concept borrowed, with attribution, from the successful Angi (formerly Angie’s List) online directory in the United States. That’s the way of these things because it really is dependent on community buy-in, and so the article and content related to this should be sticky. That article is not sticky. It was coated in butter and sent out the door.

The website name might make people with American exposure confuse it with the Better Business Bureau, which it is not, and it is not even close to a local equivalent.

Having mastered the art of search engines long ago, even when people were still fighting with the blinking lights on VCRs, I found the BetterBusinessTT website. Again, pretty generic, and it could be early on and looking for an organic ‘boom’ to happen, but it needs more oomph in that regard.

And again, it’s not a bad idea. It’s a good idea, though with an estimated population of about 1.5 million with a lot of economic disparity, I don’t know that it will beat out personal recommendations. The security aspect, mentioned in the article, though, was very funny and the reason I wrote this.

In the context of the lack of data privacy laws in Trinidad and Tobago, with recent data breaches, why would anyone consider their data to be secure in this country? And why then could someone not just tamper with the website so that they get sales for their services and products?

This is not against BetterBusinessTT. Not at all. It’s about knowing where the laws of liability land on information in Trinidad and Tobago.

Information has been the ‘new oil’ for over 20 years at this point, and it looks like WASA may be in charge of that these days.

Analyze This.

When I read this article in the Trinidad Express, “Analyzing the TSTT Data Breach“, I shook my head a bit. It’s all much simpler than what was written down, citing Daniel Smith.

Protecting user information in a business is simple and doesn’t require couching in robust academic terms because it comes out smelling like something you might wish to put on a flower bed.

Keep. It. Simple.

It’s 6 very basic steps.

  1. Create a business list of what data you need in your system.
  2. Have a data policy as to who can access what (tiered).
  3. Inventory what you have in your systems.
  4. Get rid of what you don’t need.
  5. Lock and/or encrypt what you have.
  6. Have plans for dealing with any security incidents.

Any company dealing in user data should be doing these steps. They are not difficult, but people can make them complicated and those people are a large part of the problem.

TSTT Data Breach Context.

Step 1: In the context of the TSTT data breach, I have yet to hear any reason why TSTT needed scanned identifications, business registrations, and for all I know the latest DNA samples from Ancestry.com. I can go to a police station in Trinidad and Tobago and have a constable look at my driver’s permit, who then writes down the particulars, but somehow TSTT (and banks for that matter) need a constant deluge of copies of user identification?

I find it hard to believe that there’s a need for that in the systems that connect to anything other than a shredder and incinerator, but I could be wrong. I would like to know if I am and for what reasons, but I could be wrong.

Step 2: Who in TSTT needs access to documents, identification, etc? Which documents do they need to access? So you create the tiered access.

Step 3: What are you missing for your business requirements? Develop plans for that, and make sure it fits in with that tiered access level.

Step 4: You’re likely to find rubbish in all the data that has been needlessly stored over the years, particularly with steps (1) and (2) done. Destroy it. Shred it. Burn it with fire. You don’t want the liability, if a Data Protection Act ever surfaces. That Data Protection Act would be something a Minister of Public Information and Digital Transformation could champion.

Step 5: Encrypt personal information of your customers if it must be accessible on any network. It’s not hard. Most content management systems can handle that pretty easily.

Step 6: With the above steps done, a bad actor would have to get past all those hurdles and that makes the company much more defensible should it happen. What’s more, since there’s no extraneous data, you should be able to point directly at why you needed the information stored on a network in the first place.

6 steps. That’s it.
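The six steps above, worked as a small audit script. This is an added example, not code from the original post; the field names, roles, inventory and access log are all constructed, and the policy tables stand in for whatever a real company would write down in steps 1 and 2.

```python
# Added example (not from the original post): applies the six steps to a
# constructed data inventory. All field names, roles and records are made up.
from dataclasses import dataclass

# Step 1: the business list of data the system actually needs, with the reason.
NEEDED = {"name": "billing", "address": "billing and delivery", "phone": "service contact"}

# Step 2: tiered access policy: which role may read which needed field.
ACCESS_POLICY = {
    "billing_clerk": {"name", "address"},
    "support_agent": {"name", "phone"},
}

# Step 5: fields that must be encrypted if they stay on a networked system.
SENSITIVE = {"address", "phone", "id_scan", "card_number"}


@dataclass
class AuditReport:
    destroy: list     # step 4: stored but not on the business list
    encrypt: list     # step 5: needed, sensitive, and still in the clear
    violations: list  # step 2: (role, field) reads outside the role's tier


def audit(inventory: dict, access_log: list) -> AuditReport:
    """Step 3 onward: compare what is stored (field -> metadata) against
    NEEDED, SENSITIVE and ACCESS_POLICY and list what has to be fixed."""
    # Step 4: anything kept that the business list does not justify goes.
    destroy = sorted(f for f in inventory if f not in NEEDED)
    # Step 5: of what remains, sensitive fields stored in the clear get encrypted.
    encrypt = sorted(
        f for f, meta in inventory.items()
        if f in NEEDED and f in SENSITIVE and not meta.get("encrypted", False)
    )
    # Step 2: every logged read must fall inside the role's tier; a role with
    # no tier at all (e.g. "intern") has no legitimate reads.
    violations = [
        (role, f) for role, f in access_log
        if f not in ACCESS_POLICY.get(role, set())
    ]
    return AuditReport(destroy, encrypt, violations)


# Constructed result of the step 3 inventory: what the system turned out to hold.
SAMPLE_INVENTORY = {
    "name": {"encrypted": False},
    "address": {"encrypted": False},
    "phone": {"encrypted": True},
    "id_scan": {"encrypted": False},      # no business reason was ever recorded
    "card_number": {"encrypted": False},  # likewise
}

# Constructed access log entries: (role, field read).
SAMPLE_ACCESS_LOG = [
    ("billing_clerk", "name"),
    ("support_agent", "id_scan"),
    ("intern", "address"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, SAMPLE_ACCESS_LOG)
    print("destroy:", report.destroy)  # step 6's incident plan starts from this
    print("encrypt:", report.encrypt)
    print("access violations:", report.violations)
```

The report is what step 6 works from: after the destroy and encrypt lists are acted on, an incident only ever involves data the business list can justify.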

Any CTO should be able to handle that. I’ve seen it properly done by high school graduates. I’ve seen it improperly done by college graduates. Once you care about your customers’ privacy, and once you are concerned about liability, things become extremely clear.

A Telecommunications Company Without A CTO?

I’d moved on to other things after writing about the TSTT data breach, and while it seemed that most of the breaches in Trinidad and Tobago that we do know about could have been because organizations didn’t keep their content management systems up to date, there was something very weird to me about the whole TSTT debacle aside from the response(s) they had.

When the CEO, Lisa Agard, was removed, Kent Western replaced her. It’s on the TSTT leadership team page. Of course, Agard’s LinkedIn page hasn’t been updated with what she’s doing now, but she’s not really the story here.

What is interesting is that TSTT, the Telecommunications Services of Trinidad and Tobago, with majority control held by the Government of Trinidad and Tobago… has no Chief Technology Officer listed, though the previous CTO’s LinkedIn profile still lists him as the CTO of TSTT. This is likely an oversight, easily explained and remedied.

The Honourable Senator and Minister of Public Information and Digital Transformation, Hassel Bacchus, former CTO of TSTT, did in fact leave as CTO a few years ago. In fact, it was a little controversial because there were claims he got ‘special payments’ which were refuted by TSTT. That article is about 2 years old, so one has to wonder…

In 2 years, TSTT couldn’t find a CTO? A data breach would have fallen into a CTO’s wheelhouse, as would avoiding it. If there’s anyone that should fall on their sword because of a data breach, it would be the CTO, not a CEO. Sure, the CEO is ultimately responsible, but the CTO is the technology officer.

I found this leading to larger questions beyond the data breach. Why would a company that deals almost if not completely in technology not have a Chief Technology Officer? Why don’t they have one yet? Where are TSTT’s Board of Directors on making such an appointment?

That I missed this on the first evolution of the data breach speaks to my own mindset. I immediately homed in on the technology and privacy issues and didn’t look at the structure of TSTT.

It boggles the mind that a telecommunications service company doesn’t have a CTO, and hasn’t had one for years. Of course, maybe no one wanted the job.

Maybe we know why.

And as it happens, with all these data breaches, I suppose it’s good to have a Minister of Public Information and Digital Transformation. Information, as some say, wants to be free, and in such cases it makes it to the public.

Strategic Deception, AI, and Investors.

‘Strategic deception’ in large language models is indeed a thing. It should be unsurprising. After all, people do it all the time when trying to give the answer that is wanted by the person asking the question.

Large Language Models are designed to… give the answer wanted by the person asking the question.

That there had to be a report on this is a little disturbing. It’s the nature of the Large Language Model algorithms.

Strategic deception is at the very least one form of AI hallucination, which potentially reinforces biases that we might want to think twice about. Like Arthur Juliani, I believe the term ‘hallucinate’ is misleading, and I believe we’re seeing a shift away from that. Good.

It’s also something I simply summarize as ‘bullshitting’. It is, after all, just statistics, but it’s statistics toward an end, which makes the statistics pliable enough for strategic deception.

It’s sort of like AI investors claiming ‘Fair Use’ when not paying for copyrighted materials in the large language models. If they truly believe that, it’s a strategic deception on themselves. If they wanted to find a way, they could, and they still may.

“Business In The Street”

That’s a Trinidad and Tobago colloquialism much like dirty laundry, but with it embedded in the street networks of information. Gigabytes, terabytes, or even bytes – it didn’t matter the amount of bytes, just the weight of the bytes.

A juicy tidbit of gossip didn’t need much. In fact, you could consider it decompressing in a different way each time it was re-told.

In a world built largely on trust, on integrity, the wrong information could ruin someone. The right information might get you elected to political office, for those with such aspirations.

Some say these were simpler times. Some think they were better times, when people would discuss what they read in a borrowed newspaper over some puncheon rum. I don’t know. It was different, and it’s hard to say progress has been made.

I write that after reading Mark Lyndersay’s, “TSTT’s dark night of the soul“.

TSTT’s data breach was shouted from the rooftops. On social media, people became more and more daring about showing the sorts of information available from the breach. To say that TSTT was not frank about the breach of their information security is an understatement.

There was outcry, enough that the TSTT CEO was replaced, but… it seemed like most people didn’t talk much about it. I’m not sure what replacing the CEO does anyway. That’s like changing the steering wheel when you have an oil leak.

There was no real reason for me to go outside and do anything today, but I wandered into a few places and talked to a few people. Some of them had heard about it but didn’t know what the breach had in it. One person hadn’t heard about the TSTT data breach while he worked across from a bMobile (subsidiary of TSTT) store.

Then I realized something. It wasn’t that it wasn’t written about, on television (I assume), on social media, and what have you. It was. It was there for people to find.

There’s the algorithm problem, where they might not normally watch technology related news, but someone along the way would probably have spoken to someone in person about it.

People just weren’t as interested as I had thought they would be. They have much lower expectations than I do about the safeguarding of personal information. They didn’t see the threat of having their information compromised… or, as someone pointed out today, “There’s just nothing I can do anyway”.

And oddly, that’s why Mark was writing about the Data Protection Act.

Meanwhile, TSTT customers have their business in the street.

Why So Many Breaches in Trinidad and Tobago?

People continue to ask why there are so many data breaches happening in Trinidad and Tobago. I’m not someone who would call himself a security expert by a stretch, but it’s an intriguing enough question that I decided to look into it.

Commonalities in Website Technology?

First, I checked the websites of those that had been breached, which might reveal some commonalities. Bear in mind, it’s possible that the websites weren’t how the information was accessed.

TSTT, which had the most noteworthy breach, runs Wix – which was quite a surprise if only because of the vendor lock-in associated with it. I was expecting a more commonly used content management system but instead, Wix.

The Office of the Attorney General’s website, attacked earlier this year and probably the 2nd most important breach overall since it paralyzed the Judiciary, is using WordPress. It is also not the first time: a teen was charged in 2007 for hacking into the Attorney General’s Office.

MassyStorestt.com also runs WordPress, but is substantially behind in upgrades. Pricesmart.com runs mostly BloomReach and a bit of Drupal. Their breach was reported yesterday.

It’s apparent that this isn’t an issue of a common platform being compromised. Yet there is a hint in here: MassyStoresTT.com is substantially behind in WordPress updates.

Maintenance.

When I was heavily into developing CMS websites, I tried doing that locally in Trinidad and Tobago and found that people thought they could just buy a website and it would simply be done and they could go about their business without maintenance contracts. It simply doesn’t work that way.

Maybe even after years, that hasn’t changed. Maybe these websites aren’t being maintained and kept up to date with technology, which includes patching for exploits that allow their data to be breached or otherwise attacked. Maybe.

Personally, with my experience in dealing with local companies and government offices, I don’t see them seeing maintenance as a priority. In fact, I didn’t do business with companies in Trinidad and Tobago for that same reason because… I didn’t want my name associated with poorly maintained sites.

Is this the only conclusion? Definitely not.

Who Has Access Anyway?

Everyone talks about the breaches, but the public always assumes that the people with access to the information had a reason to access the information. In the TSTT data breach, scanned copies of people’s identification were found and I have to wonder what TSTT’s information policy is. Who needs access to that level of information, and why?

I’d be surprised if it were available through the website because that would be just asking for trouble.

Assuming they themselves can be trusted with your personal information, there’s social engineering, which the video below explains.

We forget at times that the people with access to information themselves are open to attack to get to something bigger. Maybe their own computer systems they use to access the data are compromised, maybe they’ve been compromised.

Conclusions

Again, I’m no security expert. Some of the information available from these breaches and the way attacks happened on some websites was clearly associated with the websites themselves. TSTT’s data breach seems different in that regard because no sane company would have that information accessible through their website.

Altogether, it seems like a lack of maintenance for most of these breaches – and maybe there were deeper issues with all of them, but in particular the TSTT data breach.

What is most disturbing is that these are the breaches we’re worried about, which could be a fraction of the number of breaches that happened. The announced breaches we found out about because either someone showed evidence or it created an issue that impacted products and services.

The insidious breaches, the ones where people simply mine the information and don’t get caught or brag, we don’t know about. That’s what concerns me most.

We should be worried.

Confirmed Breach: Courts and PriceSmart.

The data breach has been confirmed independently. There is a much better article on the data breach of Courts and Pricesmart available at TechNewsTT.com, and I’ll refer people to go read that article.

The original article (below) was written when it was just alleged.

What looks to be a data breach of ShopCourts.com seems benign. If it is as the image describes, it would expose the following information:

Unverified information in an image from a plausible Facebook account whose interests include the National Security of Trinidad and Tobago.
  • Email addresses,
  • Names,
  • Gender,
  • Dates of Purchase,
  • Billing Addresses and Shipping Addresses,
  • Payment Method (which in common practice does not include credit card information).

It is altogether pretty benign. However, the ability to access the data potentially permits changing the data as well.

It would seem someone wanted to make a point, wanted some sort of bragging rights, or quite possibly is looking for a job.

Given that Courts is in various countries, this could impact the following countries:

  • Antigua,
  • Barbados,
  • Belize,
  • Curacao,
  • Dominica,
  • Grenada,
  • Guyana,
  • Jamaica,
  • St. Kitts and Nevis,
  • St. Lucia,
  • St. Vincent and
  • Trinidad and Tobago.

Breach Ho!

Image by Gerd Altmann from Pixabay

As everyone in Trinidad and Tobago knows, Telecommunications Services of Trinidad and Tobago (TSTT) had a horrible data breach that leaked quite a bit of personal information of customers, from scanned identification to credit card numbers.

I sat back for most of it. It was pretty clear to me from the onset that there was no putting the genie back in the bottle. As mentioned in the mainstream media, the story from TSTT changed quite a bit.

If there was a checklist of every bad way to handle a data breach of customer personal information, I think they at least hit the high notes. They were as unprepared for their information security being compromised as they were unprepared to have their information security put to the test.

TechNewsTT.com seemed to have the best coverage. I sat back and watched as details of scanned copies of identification, credit card numbers, a suspected password file and more began surfacing even as TSTT denied that they lost that information. When I searched for my information in the data dump, I found 2 occurrences. A few days later, I checked again and I was up to 37. This disturbed me not just because of the amount of times I showed up but because of one very interesting detail.

I’m not a TSTT customer. I am a customer of their subsidiary, Amplia. While I have heard of but not met a namesake in Trinidad and Tobago, I strongly suspect that there are not 37 of us with the same name. Of course, that search doesn’t tell you what sort of documents and information was leaked. Why is my name in a data dump when I’m not a direct customer? Peculiar, suspicious, and enough to make one wonder a little bit about whether TSTT is co-mingling its information across subsidiaries.

Even more disturbing has been how many people misunderstand the data breach in their own personal context. The fact that a telecommunications provider, with a majority share owned by the government of the Republic of Trinidad and Tobago, mishandled this from information security to being honest with their customers should boggle any sane person.

Unfortunately, this is not the first data breach in Trinidad and Tobago. There have been some announced, such as when the Judiciary got locked out of their system and no cases could continue their slow moonwalk toward progress. These are the obvious breaches, the advertised breaches.

It’s the silent breaches we should be worried about.

There are so many questions that people need to be asking that it’s hard to write just one article about it.